A Quick Guide to Hiding the WordPress Login Page

Want to frustrate attackers with a good ol' fashioned game of hide and seek? Hiding your WordPress login page is a cheap way to shrug off the automated brute-force attacks that hammer every site's wp-login.php, and, if you do it with .htaccess rather than a plugin, it puts a real access-control gate in front of the login form that targeted attackers have to get through as well.

In this post, I’ll dig into two different ways to hide your login page:

  • The easy way – using a plugin
  • The harder, but better, way – using .htaccess

Let’s get into it.

Why Should You Care About Hiding the WordPress Login Page, Anyway?

Two words (and a hyphen):

Brute-force attacks.

In a brute-force attack, an attacker (usually a bot) submits username and password guesses to your login form over and over. And over. And over.

They're hoping that, with enough tries, they'll hit the right combination. Now you can see where hiding the login page comes in: if the form isn't at the URL every bot is programmed to try, most of them never find anything to attack. Hiding it doesn't make a weak password strong, though, and wp-login.php is not the only place WordPress accepts credentials (xmlrpc.php does too), so keep using strong, unique passwords and consider rate limiting or two-factor authentication on top.

But it's not just about brute-force attacks. The .htaccess methods at the end of this post add a second gate in front of the login form, either a separate HTTP password or an IP allowlist, so even an attacker who already has your WordPress username and password can't reach the form to use them.

Hiding the WordPress Login Page With a Plugin

The quick and dirty way to hide your login page is to use a plugin. And for this purpose, WPS Hide Login is the gold standard.

It lets you pick a new custom login URL and makes the default wp-admin and wp-login.php URLs inaccessible (they return a 404 page) for anyone who isn't already logged in.

It’s the quick and dirty way because setup pretty much takes two seconds. All you need to do is specify your new login URL by going to Settings —> WPS Hide Login and the plugin takes care of the rest.


If you’re using a caching plugin, you’ll also need to add your new login page to the list of pages excluded from caching. But other than that, you’re all set.

So is WPS Hide Login all you need to protect your login page?

Well…maybe not. It will stop the vast majority of automated brute-force attacks, because they only try the default URLs. But it is security by obscurity: the plugin only intercepts requests and adds no authentication of its own, and support threads at wordpress.org have turned up a couple of ways a determined attacker could still reach the original login page. Those are:

  • Using an encoded URL (reported to work only in Firefox)
  • Trying to access …/wp-admin/customize.php

Now, most brute-force attackers are going after low-hanging fruit. So it’s unlikely to ever become a serious issue. But unlikely is not never. So to go one step further, you can manually restrict access to your login page using .htaccess.

Using .htaccess To Hide the WordPress Login Page

To add additional security, you can hide your WordPress login page using your site’s .htaccess file. The two common ways to hide your login page with .htaccess are:

  • Using .htpasswd to require a password to access wp-admin.
  • Restricting access to wp-login by IP address.

Both methods come straight from the WordPress codex entry on brute-force attacks, so you can rest easy knowing that they’re WordPress approved!

How to Hide WordPress Login With .htpasswd

With this method, anyone trying to access your wp-admin panel will get smacked with this prompt:

No username/password, no login page!

It’s super easy to set up. Just follow these three steps:

Step 1: Go to Htpasswd Generator and enter your desired username and password, then click Create .htpasswd file. The tool hashes your password and gives you the line to put in your .htpasswd file (the htpasswd command-line tool that ships with Apache, in the apache2-utils or httpd-tools package, does the same job and can write bcrypt hashes with its -B option). Use a different password from your WordPress one; this is meant to be a second gate, not a copy of the first:

Step 2: Put that line in a file named ".htpasswd". The safest home for it is a directory outside your web root; if your host only gives you access to the WordPress root, upload it there and rely on the first block in Step 3 to keep Apache from serving it. You can use something like Notepad to create the file. Just make sure to save it using the All Files option so it doesn't end up named .htpasswd.txt:

Step 3: Add the following code to the top of your existing .htaccess file (also in the root directory of your site, above the "# BEGIN WordPress" block that WordPress manages itself):

# Stop Apache from serving .ht* files (.htaccess and .htpasswd).
# Most distributions already do this in the main server config. The dot is
# escaped so the pattern matches only names that start with ".ht".
<FilesMatch "^\.ht">
    # Apache 2.4 syntax. On the old 2.2 series use these two lines instead:
    #   Order allow,deny
    #   Deny from all
    Require all denied
</FilesMatch>

# Protect wp-login.php with HTTP Basic authentication
<Files "wp-login.php">
    AuthType Basic
    AuthName "Private access"
    # Must be an absolute filesystem path: Apache does not expand "~" and does
    # not resolve this relative to the web root. Point it at your real .htpasswd.
    AuthUserFile "/var/www/example.com/.htpasswd"
    Require user yourusername
</Files>

Replace "yourusername" with the username you put in your .htpasswd file, and set AuthUserFile to the absolute filesystem path of that file (for example /home/youraccount/.htpasswd). Apache does not expand "~", and a path it cannot open produces a 500 Internal Server Error instead of a login prompt.

And that’s it! Enjoy your new security.

Note that this only works on Apache (or another server that honours .htaccess; nginx ignores the file entirely), and some managed hosts disable .htaccess overrides. Some companies (like Pagely!) will hide the login page for you if you contact support.

How to Hide WordPress Login by IP Address With .htaccess

Another way you can use .htaccess to hide your WordPress login is to restrict it by IP address. Anyone coming from an allowed IP address sees the normal WordPress login page; everyone else gets a 403 Forbidden error.

This is a good method if you have a static IP address and not many other people need to log in. There are two easy ways to lock yourself out: a home or mobile connection whose address changes, and a CDN or reverse proxy (Cloudflare, a load balancer) in front of the site, because Apache then sees the proxy's address as REMOTE_ADDR rather than yours unless the server is configured with mod_remoteip to trust the forwarded client address. If either applies to you, you're better off going with the .htpasswd approach.

To set it up, add the following to the top of your .htaccess file. Again, the .htaccess file lives in the root directory of your WordPress site:


<IfModule mod_rewrite.c>
RewriteEngine on
# Match wp-login.php anywhere in the path, or the wp-admin directory itself (with or
# without the trailing slash). wp-admin/admin-ajax.php is deliberately left alone,
# because themes and plugins call it for logged-out visitors.
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^/wp-admin/?$
# ...and the visitor is not coming from the allowed address. The dots are escaped
# because in a regular expression a bare "." matches any character.
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
# "-" keeps the URL as is; R=403 returns Forbidden and stops rewriting
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>

Replace 123.123.123.123 with your own public IP address, keeping the "!^" before it and the "$" after it (in a regular expression a bare dot matches any character, so writing the dots as "\." is the strict form). You can find your public IP address by Googling "What is my IP".

Need to allow multiple IP addresses access to your site? No problem! Just add a new line for each address. For example, to give a second IP address access, it would look like this:

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^/wp-admin/?$
# Each extra address gets its own negated condition; all of them must hold for the block to fire
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
RewriteCond %{REMOTE_ADDR} !^223\.223\.223\.223$
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>

And that's it. Your login page is now hidden from anyone coming from a non-authorized IP address. Test it before you log out: open the login URL from another network (a phone on mobile data will do) and confirm you get the 403, then confirm you can still reach it from your allowed address. The <IfModule> wrapper means the rules are silently skipped if mod_rewrite isn't loaded, so a test from outside is the only way to know they are active.
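Putting the two .htaccess methods together, here is an added example (not from the original post) of a single .htaccess that protects wp-login.php with an IP allowlist and an HTTP password at the same time, written for Apache 2.4. It uses mod_authz_core's Require ip instead of mod_rewrite, so CIDR ranges such as a /23 work directly, and RequireAny lets trusted addresses through without a prompt while everyone else must pass Basic authentication. The path /var/www/private/.htpasswd, the address range 203.0.113.0/24 and the address 198.51.100.7 are placeholders, and the xmlrpc.php block at the end is optional.

```apache
# Added example: combined login protection for Apache 2.4
# (needs mod_authz_core, mod_auth_basic, mod_authn_file; all standard modules).
# Placeholders: /var/www/private/.htpasswd (ideally outside the web root),
# 203.0.113.0/24 and 198.51.100.7. Put this above the "# BEGIN WordPress" block.

# Never serve .htaccess or .htpasswd, in case .htpasswd has to live under the web root.
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>

# The login form. Trusted networks get straight through; everyone else must
# present the HTTP username/password from .htpasswd (a separate credential
# from the WordPress one). Variants:
#   - password only: delete the "Require ip" line
#   - IP only: delete the three Auth* lines and "Require valid-user";
#     non-trusted addresses then get a plain 403 instead of a password prompt
<Files "wp-login.php">
    AuthType Basic
    AuthName "Private access"
    AuthUserFile "/var/www/private/.htpasswd"
    <RequireAny>
        Require ip 203.0.113.0/24 198.51.100.7
        Require valid-user
    </RequireAny>
</Files>

# Optional: xmlrpc.php also accepts WordPress username/password and is a common
# brute-force target. Only deny it if nothing you rely on (Jetpack, the WordPress
# mobile app) uses XML-RPC.
<Files "xmlrpc.php">
    Require all denied
</Files>
```

The same proxy caveat applies here as to the mod_rewrite version: if a CDN or load balancer sits in front of the site, Require ip compares against the proxy's address unless the server (not .htaccess) is configured with mod_remoteip, so test from an address outside the allowlist and confirm you get a password prompt, not a free pass.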

Is all this talk of .htaccess giving you a headache? If you don’t want to deal with the complicated nature of WordPress security, why not get a host that protects your site for you?

If you’re interested, click to learn more about Pagely’s approach to WordPress security.


  1. Hi Colin,

    Personally I use a plugin I wrote to protect my WP from intrusions (login page + XMLRPC).

    It’s called wp login door, available in the WordPress plugins directory.

    Kind regards,

    Nico

  2. Already bookmarked this page in my browser, hope it will help me in my development. Thanks for writing such a nice article. Carry on.

  3. Personally, I like the no-plugin method. I’m very big on optimization…well at least nowadays. The fewer plugins the better…

  4. The line:

    AuthUserFile ~/.htpasswd

    Needs to be changed to where you put your .htpasswd file, in this case the root of your WP install

  5. Nice and very informative…I’m just curious though, what if you forgot the newly customized login URL? Is there a way to recover it? Perhaps via email…?

  6. Just a quick question about hiding by IP address(es). I have a number of DHCP LAN IP addresses that may need to access. Can I use a /23 designator?

    Thanks for the help… really cool last name, by the way.

  7. Hi Colin,

    The article is very helpful. Thank you.

    We have implemented the .htpasswd method. Just letting you know that the password generator link doesn’t work anymore.

    For those users getting 500 Internal Server Error, check the permissions on .htpasswd after uploading it. They should be set to 744 to allow read access.

    Tried it on our website: https://codedb.net/

    Works 100%!

    If you are on a Mac, use Textedit to save .htpasswd. Then Click Format->Make Plain Text. Save file as .htpasswd. Deselect the ‘If no extension is provided’ checkbox. Since by default macOS hides files beginning with periods, you may not be able to see the file on your computer. You should, however, be able to see the file when using an SFTP client, such as Filezilla.

    Any issues, get in touch with me on support@codedb.net

  8. Hi Colin,

    I have just set up the .htpasswd version, but when I try to log in the box keeps popping up… it does not let me in.

    Any idea why it might be happening?

    Cheers, Pete

  9. Very nice article. But I have a query: how can I add password protection for a particular URL? For example the admin pages section or the post section. Can you please advise me how I can do it?

  10. The .htaccess method is not working for me. I did everything as said, but when I go to the wp-admin page I am shown a 404 Page not found instead of the above-mentioned username and password prompt. Is it something to do with the Jetpack plugin?

  11. Hi,
    I have used the WPS Hide Login plugin to change the default URL. First I made the login endpoint /x/ in environment A; after 1-2 days I changed the login endpoint to /y/ in the same environment A and merged that env A code to env B.
    The main issue came after this: env B is picking up the login endpoint as /x/ instead of /y/, whereas env A is working with /y/.
    Has anyone any idea why it is behaving like this? Does WPS Hide Login store these endpoints in some cache memory, or is it something changed in the code?