Every WordPress site has its login at the same predictable address: /wp-admin or /wp-login.php. Automated attackers know this, so they hammer that URL with password guesses. Moving the login to a custom address makes their job much harder. Here’s how, and how to do it without locking yourself out.
Why this helps
Changing the login URL is security through obscurity — it won’t stop a determined targeted attack, but it stops the vast majority of automated bots that only know to knock on the standard door. Combined with a limit on login attempts and strong passwords, it dramatically cuts the noise hitting your login.
The safe way: a plugin
The reliable method is a small plugin designed to rename the login URL. After installing it, you choose a custom slug — something like /my-secret-entrance — and from then on, anyone visiting /wp-admin or /wp-login.php gets a 404 instead of the login form. Only the custom URL works.
Write down the new URL immediately
This is the one thing people forget, and it locks them out. The instant you set a custom login URL, save it somewhere safe — a password manager, a note, anywhere you won’t lose it. If you forget it, you can’t log in through the browser.
If you lock yourself out
Don’t panic — the fix is simple. Deactivate the plugin via File Manager by renaming its folder inside wp-content/plugins. That restores the default /wp-admin login so you can get back in, then reconfigure the plugin (and write the URL down this time).
Layer it with other login protection
A custom login URL works best alongside other measures: limit failed login attempts so brute-force bots get locked out, enable two-factor authentication, and never use the username “admin”. Together these make your login genuinely hard to crack.
Don’t rely on it alone
Renaming the login is a useful layer, not a complete defence. Keep everything updated, use a firewall, and maintain backups. Obscuring the door is helpful, but a strong lock matters more.
Our servers also run CSF/LFD, which blocks IPs that repeatedly fail logins at the firewall level — before they even reach WordPress. Ask us about additional login hardening for your account.