For almost all the WordPress users, the login page security can be one of their top concerns, for this special page is the last barrier to have the website back-end and the sensitive information well protected against the hackers. However, no matter how hard you work on this aspect, you may still encounter the brute force attempts and the malicious login actions all the times. In this case, you’d better do something to avoid this situation effectively and one of the best methods is to hide this crucial webpage against the public.
Here, we need to mention that if your website is not a membership one and your website only allows a few login attempts from you and some of your website co-workers, you can check the following parts to learn how to hide WordPress login page for the better security. However, if your site allows the common user login from your subscribers, you’d better consider some other tips to better protect the WordPress login page.
Install the WordPress Core In Its Own Directory
Firstly, you can choose to install WordPress in the subdirectory. Frankly speaking, this is not a complex task if you deal with the new WordPress installation.
When installing this script using the 1-click installer offered by the hosting provider, you need to focus on the Software Setup step, from which you can find the Choose Domain field. Here, if you are looking to install WordPress on the main directory, you can leave this empty. However, if you want to install in the subdirectory, you can enter the name of this directory.
Next, you can finish the installation process as usual, and then, enter the Permalinks settings page from the WordPress dashboard. After deciding the permalink structure based on your needs, you should save the setting to have the .htaccess file generated. Make sure that the file permission is set with the value of 644.
Now, you can navigate to the General settings screen to target the fields of WordPress Address as well as the Site Address. By default, these two fields should be the same. But this time, you should add the name of the subdirectory behind the URL entered for the option of WordPress field, for it indicates where the WordPress is installed.
The last step is to copy and paste the created .htaccess file and the index.php from the subdirectory to the domain root. You can do this using the File Manager or your preferred FTP. Note that you can only copy them but not move them entirely.
In addition, do not forget to change the below line of code to the one that has the name of the subdirectory. In our example, we name it as “wp_install”.
These are all the things you should do for the brand new installation. Also, you can move your WordPress site to a subdirectory, but before everything, you should make a backup of your site.
Frankly speaking, this is the first step for you to hide your WordPress login page effectively. After all, it is a common sense that people can enter your login page by adding the term of “wp-login.php” or the term of “wp-admin” behind your site URL in the browser bar. With this step, however, you can prevent your login page to be opened easily by adding your subdirectory name between your domain and these two special terms.
There is a minor tip that when deciding your subdirectory name, you’d better avoid some predictable term just like our example. Instead, you should adopt one that no one will ever use.
Redirect the wp-login.php Link and Use the Custom Login URL
Only having your WordPress installed in the subdirectory is far less enough for hiding your login page. In addition, you also need to lock down the normal wp-login.php page. Also, you can choose to redirect it to a 404 page or any other webpage other than the login one.
This is because we have found that even if you have added the subdirectory name into the login URL, but in some special occasions, people can be redirected automatically from “http://www.example.com/wp-login.php” to “http://www.example.com/subdirectory/wp-login.php”.
To do this, you can choose to use the related WordPress plugin. This time, we think the WPS Hide Login plugin is a great tool to try.
Actually, this plugin is a lightweight option, with which you can safely and easily change the link of your default login page to anything you prefer. The best part is that it will not change or rename the files of your WordPress core, and also, it does not rewrite the rules to affect your website performance.
Once this plugin is installed, the “http://www.example.com/wp-login.php” link and the wp-admin directory will become inaccessible automatically. This means unless people enter the right login link that contains your subdirectory name, they cannot access your login page.
Even, you can navigate to the General settings page of your site and scroll down to the WPS Hide Login part. Here, you can even customize your login page URL by entering your wanted suffix.