Want to frustrate hackers with a good ol’ fashioned game of hide and seek? If so, hiding your WordPress login page is a cheap way to shut out most automated brute-force attacks and make targeted ones harder. Just keep in mind what it is: obscurity plus an extra gate in front of the login form, not a substitute for strong, unique passwords and two-factor authentication.
In this post, I’ll dig into two different ways to hide your login page:
- The easy way – using a plugin
- The harder, but better, way – using .htaccess
Let’s get into it.
Why Should You Care About Hiding the WordPress Login Page, Anyway?
Two words (and a hyphen):
Brute-force attacks.
In a brute-force attack, hackers basically try to guess your username and password over and over. And over. And over.
They’re hoping that, with enough tries, they’ll find the magic combination. Now I think you’re seeing where hiding the login page comes into it: if the login page is hidden (or locked behind a second gate), the form those tools hammer simply isn’t there for them to hit. One caveat worth knowing: wp-login.php isn’t the only place WordPress accepts a username and password. xmlrpc.php does too, and bots abuse its system.multicall method to test hundreds of passwords in a single request, so pair any of the methods below with disabling or blocking XML-RPC if you don’t use it.
But it’s not just about brute-force attacks. The .htaccess methods that I’ll discuss at the end put a second, independent check (a separate password, or your IP address) in front of the login form, so even a hacker who already has your username/password from a phishing page or a leaked password dump still can’t reach the form to use them.
Hiding the WordPress Login Page With a Plugin
The quick and dirty way to hide your login page is to use a plugin. And for this purpose, WPS Hide Login is the gold standard.
It lets you specify a new custom login URL and blocks all traffic to the default wp-admin and wp-login pages.
It’s the quick and dirty way because setup pretty much takes two seconds. All you need to do is specify your new login URL by going to Settings —> WPS Hide Login and the plugin takes care of the rest.
If you’re using a caching plugin, you’ll also need to add your new login page to the list of pages excluded from caching. But other than that, you’re all set.
So is WPS Hide Login all you need to protect your login page?
Well…maybe not. See, it will block the majority of automated brute-force attacks. But if a singularly focused hacker wanted to brute force your login page, the support threads at wordpress.org have turned up a few bypasses by which someone could still reach the original login page. Those are:
- Using an encoded URL (only in Firefox)
- Trying to access …/wp-admin/customize.php
Now, most brute-force attackers are going after low-hanging fruit. So it’s unlikely to ever become a serious issue. But unlikely is not never. So to go one step further, you can manually restrict access to your login page using .htaccess.
Using .htaccess To Hide the WordPress Login Page
To add additional security, you can hide your WordPress login page using your site’s .htaccess file. The two common ways to hide your login page with .htaccess are:
- Using .htpasswd to require a password to access wp-admin.
- Restricting access to wp-login by IP address.
Both methods come straight from the WordPress codex entry on brute-force attacks, so you can rest easy knowing that they’re WordPress approved!
How to Hide WordPress Login With .htpasswd
With this method, anyone trying to reach wp-login.php (which is where wp-admin sends you when you’re not logged in) first gets smacked with the browser’s HTTP Basic authentication prompt, before WordPress even sees the request:
No username/password, no login page!
It’s super easy to set up. Just follow these three steps:
Step 1: Create the credential line. If you have shell access, the htpasswd tool that ships with Apache does this locally: run htpasswd -nB yourusername, type the password at the prompt, and it prints a line of the form yourusername:<bcrypt hash>. If you’d rather use a web-based Htpasswd Generator, enter your desired username and password and click Create .htpasswd file; just remember that you are typing a password into somebody else’s website, so don’t reuse your WordPress password there. Either way, the hashed line is the text that goes in your .htpasswd file.
Step 2: Put that text in a file named “.htpasswd”. Ideally upload it somewhere outside your site’s document root (one level above the folder that holds wp-config.php), so that Apache can never serve it; if your host only gives you access to the web root, put it there and rely on the first block in Step 3 to keep it from being served. You can use something like Notepad to create the file. Just make sure to save it using the All Files option so it doesn’t pick up a .txt extension:
Step 3: Add the following code to the top of your existing .htaccess file (located in the root directory of your site). The AuthUserFile line needs the absolute filesystem path to wherever you put .htpasswd; Apache does not expand ~:
# Stop Apache from serving .ht* files (.htaccess, .htpasswd)
<FilesMatch "^\.ht">
    # Apache 2.4 syntax, with the 2.2 equivalent for older servers
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# Protect wp-login.php with HTTP Basic auth
<Files wp-login.php>
    AuthType Basic
    AuthName "Private access"
    # Absolute filesystem path; Apache does not expand ~
    AuthUserFile /absolute/path/to/.htpasswd
    Require user yourusername
</Files>
Just make sure to replace “yourusername” with the actual username you used in your .htpasswd file, and /absolute/path/to/.htpasswd with the real path (on most hosts something like /home/youraccount/.htpasswd; your host’s file manager, or pwd in a shell, will tell you).
And that’s it! Enjoy your new security. Two caveats: Basic auth sends the username and password with every request, so this only adds protection on a site served over HTTPS. And resist the temptation to wrap the whole wp-admin directory in the same auth block, because wp-admin/admin-ajax.php is called by the public side of many themes and plugins; if you do protect the directory, add a separate <Files admin-ajax.php> block with Require all granted (Order allow,deny / Allow from all / Satisfy any on Apache 2.2) to exempt it.
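Here are Step 1 and Step 2 done from a shell, as an added example that is not part of the original post. It assumes either htpasswd (from apache2-utils or httpd-tools) or openssl is installed; the file path, the username and the password in it are placeholders, and the curl check at the end assumes you have already deployed the .htaccess block from Step 3.

```shell
#!/bin/sh
# Added example (not from the original post). Builds the .htpasswd line locally,
# writes it with tight permissions, and prints the matching AuthUserFile line.
# All paths, names and passwords below are placeholders.
set -eu

# Hypothetical location OUTSIDE the document root: even if the <FilesMatch "^\.ht">
# block is missing or broken, Apache cannot serve a file that is not under DocumentRoot.
HTPASSWD_FILE="${HTPASSWD_FILE:-/var/www/example.com/.htpasswd}"

# Print "user:hash" on stdout. Prefers bcrypt (htpasswd -B) and falls back to
# Apache's MD5 variant (openssl passwd -apr1), which mod_auth_basic also accepts.
# Note: -b puts the password on the command line (visible in ps); for a real admin
# password run "htpasswd -nB user" interactively instead.
make_htpasswd_entry() {
    user="$1"; pass="$2"
    if command -v htpasswd >/dev/null 2>&1; then
        htpasswd -nbB "$user" "$pass" | head -n 1
    elif command -v openssl >/dev/null 2>&1; then
        printf '%s:%s\n' "$user" "$(openssl passwd -apr1 "$pass")"
    else
        echo "need htpasswd (apache2-utils/httpd-tools) or openssl" >&2
        return 1
    fi
}

# Write the credential file readable by owner and group only (0640): the web
# server user needs read access, nobody else does.
write_htpasswd() {
    file="$1"; user="$2"; pass="$3"
    umask 077
    make_htpasswd_entry "$user" "$pass" > "$file"
    chmod 0640 "$file"
}

# Apache needs an absolute path here; "~/.htpasswd" is not expanded.
auth_user_file_directive() {
    printf 'AuthUserFile %s\n' "$1"
}

# After deploying the .htaccess block, an unauthenticated request to the login
# page must come back 401, not 200. Usage: check_login_protected https://example.com
check_login_protected() {
    code=$(curl -s -o /dev/null -w '%{http_code}' "$1/wp-login.php")
    [ "$code" = "401" ]
}

# Demo run with placeholder values only: sh make-htpasswd.sh demo
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    write_htpasswd "$tmp" siteadmin 'correct-horse-battery-staple'
    cat "$tmp"
    auth_user_file_directive "$HTPASSWD_FILE"
    rm -f "$tmp"
fi
```

Run it with the demo argument to see the generated line and the directive; in real use, point write_htpasswd at the path you chose outside the document root and paste the printed AuthUserFile line into the Step 3 block.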
Note, this may not work with all hosting platforms. Some companies (Like Pagely!) have other ways to hide the login page by contacting support.
How to Hide WordPress Login by IP Address With .htaccess
Another way you can use .htaccess to hide your WordPress login is restricting by IP address. Anyone coming from an authorized IP address will see your normal WordPress login page, but everyone else gets a bare 403 Forbidden:
This is a good method if you have a static IP address and not many other people need to access your site. Otherwise, you’re better off going with the .htpasswd approach. One more thing to check first: if your site sits behind a CDN or reverse proxy (Cloudflare, a load balancer), REMOTE_ADDR is the proxy’s address rather than the visitor’s, so these rules will either lock everyone out (including you) or let everyone in. Configure mod_remoteip to restore the real client address before relying on them.
To set it up, all you need to do is add the following bit of code to the top of your .htaccess file. Again, you can find your .htaccess file in the root directory of your WordPress site:
<IfModule mod_rewrite.c>
RewriteEngine on
# The login script, or anything in the admin area (bare /wp-admin or below it)...
RewriteCond %{REQUEST_URI} /wp-login\.php [OR]
RewriteCond %{REQUEST_URI} /wp-admin(/|$)
# ...except admin-ajax.php, which the public side of themes and plugins calls...
RewriteCond %{REQUEST_URI} !/wp-admin/admin-ajax\.php
# ...when the visitor is NOT the allowed address (dots escaped so they match literally)
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
# [F] returns 403 Forbidden and stops rewriting (same as R=403,L)
RewriteRule ^(.*)$ - [F]
</IfModule>
Just make sure to replace 123\.123\.123\.123 with the numbers of your own IP address, keeping the !^ in front, the $ at the end, and a backslash before each dot (an unescaped dot matches any character). You can find your IP address by Googling “What is my IP”.
Need to allow multiple IP addresses access to your site? No problem! Just add a new line for each address. For example, to give a second IP address access, it would look like this:
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} /wp-login\.php [OR]
RewriteCond %{REQUEST_URI} /wp-admin(/|$)
RewriteCond %{REQUEST_URI} !/wp-admin/admin-ajax\.php
# One negated line per allowed address; they are ANDed, so a visitor is
# blocked only if they match none of them
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
RewriteCond %{REMOTE_ADDR} !^223\.223\.223\.223$
RewriteRule ^(.*)$ - [F]
</IfModule>
And that’s it. Your login page is now hidden from anyone with a non-authorized IP address. If you need to allow a whole range rather than a handful of addresses, Apache 2.4 lets you write Require ip 203.0.113.0/24 inside a <Files wp-login.php> block, which is cleaner than stacking RewriteConds.
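Once either .htaccess method (or the plugin) is in place, it’s worth confirming from the outside that every credential-accepting path is really closed, including the two plugin bypasses mentioned earlier and xmlrpc.php, which none of the rules above touch. The script below is an added example, not from the original post or from WPS Hide Login; the site URL, the percent-encoded variant of the login URL and the XML-RPC probe body are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): probe the URLs a brute-force tool
# would try after the login page has been hidden, and flag any that still answer 200.
set -eu

# Paths to check. customize.php and the percent-encoded login URL stand in for the
# two bypasses reported against the plugin (the exact encoded form is an assumption);
# xmlrpc.php is included because it accepts username/password via system.multicall
# and is not covered by rules that only match wp-login.php and wp-admin.
PATHS="wp-login.php wp-admin/ wp-admin/customize.php %77p-login.php xmlrpc.php"

# A final 200 (after following redirects) means the form or endpoint is reachable.
# 401/403 (Basic auth or IP rule), 404 (WPS Hide Login) or 405/410 mean it is not.
classify() {
    case "$1" in
        200) echo EXPOSED ;;
        *)   echo hidden ;;
    esac
}

# Fetch one path and print "<status> <path>". xmlrpc.php answers GET with 405 even
# when fully enabled, so it is probed with a harmless POST (system.listMethods).
probe() {
    base="$1"; path="$2"
    if [ "$path" = "xmlrpc.php" ]; then
        code=$(curl -sL -o /dev/null -w '%{http_code}' -H 'Content-Type: text/xml' \
            --data '<?xml version="1.0"?><methodCall><methodName>system.listMethods</methodName></methodCall>' \
            "$base/$path")
    else
        code=$(curl -sL -o /dev/null -w '%{http_code}' "$base/$path")
    fi
    printf '%s %s\n' "$code" "$path"
}

# Print one line per path; exit 1 if anything is still exposed.
report() {
    base="$1"; rc=0
    for p in $PATHS; do
        line=$(probe "$base" "$p")
        code=${line%% *}
        label=$(classify "$code")
        printf '%-8s %s\n' "$label" "$line"
        [ "$label" = "hidden" ] || rc=1
    done
    return $rc
}

# Usage: sh check-login-hidden.sh https://example.com
if [ -n "${1:-}" ]; then
    report "$1"
fi
```

Give it the https:// form of your site URL directly: curl turns the XML-RPC POST into a GET when following an http-to-https redirect, which would make xmlrpc.php look hidden (405) when it is actually wide open.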
Is all this talk of .htaccess giving you a headache? If you don’t want to deal with the complicated nature of WordPress security, why not get a host that protects your site for you?
If you’re interested, click to learn more about Pagely’s approach to WordPress security.
I’d suggest using social login. It’s more secure and can’t be hacked.