How to Hide wp-admin on your WordPress Website

WordPress powers a significant portion of the web making it a prime target for hackers. One common security measure to protect your website is to hide the wp-admin login page. In the meantime, if attackers cannot find your login page easily it becomes harder for them to attempt brute-force attacks or unauthorized logins.

In this post, we will go through several methods to hide wp admin WordPress area of your website making it more difficult for unauthorized access.

Why Hide wp-admin?

Hide wp-admin login does not make it completely inaccessible. Instead, it prevents the standard login path adding an extra layer of security. The default WordPress login URL for example yourdomain.com/wp-admin is a well-known and secure wp admin login that can:

1. Reduce chances of brute-force attacks
2. Discourage bots and attackers
3. Lower server load by preventing unnecessary access attempts

Methods to Hide wp-admin

If you are comfortable editing files you can manually change the login URL using code snippets. However, plugins provide a more beginner-friendly approach. Some plugins offer additional security measures like login attempt limitation or two-factor authentication alongside URL masking. The following are the methods discussed to protect WordPress admin area:

1. Using Plugins

The easiest way to change WordPress login URL page is by using security plugins. There is a variety of security plugins available for WordPress such as:

• WPS Hide Login: This plugin allows for simple customization of the admin URL.
• iThemes Security: Offers a feature to change the login URL as part of its suite of security tools.

How to use WPS Hide Login

Login to your WordPress dashboard. Navigate to the plugin section and search WPS Hide Login, install and activate the plugin.

Go to Settings in WPS Hide Login. Type in a new login URL slug in the provided field then save changes.

2. Manual Method Using .htaccess

For advanced users who prefer not to use a plugin modifying the .htaccess file in your WordPress installation can achieve the same result. For this access your site’s root directory using FTP or File Manager then locate and backup the .htaccess file before editing. Add rewrite rules to redirect users from wp-admin to another URL or a 404 page.

RewriteRule ^new-login$ /wp-login.php?new-login=1 [L,QSA]

Test your new admin URL and ensure it works correctly before logging out.

3. Manual Method Using wp-config

Login to your cPanel, and navigate to the file manager section. Locate the wp-config.php file within the root directory.

Add the following code snippet before the /* That’s all, stop editing! Happy publishing. */ line:

define('AUTH_COOKIE', 'your_custom_cookie_name');
define('LOGININCOKEE', 'your_custom_cookie_name');
define('NONCE_KEY', 'your_very_long_random_string_here');
define('AUTH_KEY', 'your_very_long_random_string_here');
define('SECURE_AUTH_COOKIE', true);
define('FORCE_SSL_LOGIN', true);

Replace your_custom_cookie_name with a unique phrase for your cookies. Generate long, random strings for NONCE_KEY and AUTH_KEY using a secure password generator.

Then add the following code in your .htaccess file. Replace your_custom_slug it with your desired login slug for example “my-secure-login”.

RewriteEngine On;
RewriteBase /;
RewriteRule ^wp-admin/  index.php?your_custom_slug=$1 [L];

Save both files. Now, access your wp-admin using the new URL structure like http://yourwebsite.com/your_custom_slug/.

4. Change Admin Directory

Another method involves renaming the wp-admin directory itself but be warned; it’s risky and could break your site if not done correctly.

• Rename the wp-admin folder.
• Search and replace all instances of wp-admin in your site’s database with the new folder name.
• Update security keys in your wp-config.php file.

Best Practices

While hiding your admin page can improve security it should be part of a broader security strategy:

• Always keep WordPress and its components up-to-date.
• Use strong passwords and manage them with a password manager.
• Implement two-factor authentication for login.
• Regularly back up to your website.
• Limit login attempts to prevent brute-force attacks.

Conclusion

Hiding wp-admin is an important security measures to protect your WordPress website from potential threats but it must be done carefully either via plugins or manual methods. Remember while it adds a layer of security it should not be the only precautionary measure in place. Performing these changes can cause issues with your site if not done properly, especially when updating WordPress or its themes and plugins.

FAQ