How to Safely Configure WordPress Login URL Changes Without Locking Out Users

Learn when and how to safely change your WordPress login URL, reduce automated attacks, and avoid accidentally locking yourself or your team out.

Why Changing Your WordPress Login URL Matters (and Its Limits)

By default, every WordPress site uses the same login paths: /wp-admin and /wp-login.php. Attackers and bots know this, so they constantly probe those URLs for weak passwords and exposed accounts. Changing the login URL is not a complete security solution, but it can:

  • Reduce automated bot traffic and brute-force attempts
  • Cut down on noise in your security logs
  • Make it slightly harder for opportunistic attackers to find your login page

However, it does not replace strong passwords, two-factor authentication, or proper hardening. OWASP recommends layered controls such as rate limiting, lockouts, and MFA for authentication protection, not just obscuring URLs. Source

Before You Change the Login URL: Prerequisites

Before touching your login URL, make sure you have these basics in place:

  • Admin access to WordPress and your hosting control panel
  • File access via SFTP or your host’s file manager
  • A recent full site backup (files and database)
  • At least one secondary admin account you can use if your main account breaks

WordPress recommends regular backups before making configuration changes so you can quickly restore if something goes wrong. Source

Approach Overview: Plugin vs. Custom Code

There are two main ways to change your login URL:

  • Security plugin that offers a “Hide/Change Login URL” feature
  • Custom code using functions.php or a must-use plugin plus rewrite rules

For most business sites, a reputable security plugin is safer and easier to maintain. Custom code should only be used if you have development support and version control in place.

Step 1: Plan a Safe New Login URL

Choose a URL that is:

  • Memorable to your team but not obvious (avoid /login, /admin, /secure)
  • Short enough to type on mobile
  • Not conflicting with existing pages or custom post type slugs

Examples of better patterns:

  • /team-access-8742
  • /office-portal-xyz

Write this URL down and share it securely with your team before making the change.

Step 2: Create a Restore Path in Case of Lockout

If something goes wrong, you need a way back in. Set up at least one of these safety nets:

  • Hosting panel access so you can disable plugins or restore backups
  • SFTP credentials to rename plugin folders or edit configuration files
  • Documented steps for restoring from your latest backup

Many managed WordPress hosts provide one-click restore points; confirm where that is in your hosting dashboard before proceeding. Source

Step 3: Change the Login URL Using a Security Plugin

This is the recommended method for non-developers.

3.1 Enable the Login URL Feature

The exact labels differ by plugin, but the flow is similar:

  1. Log in to WordPress at the default URL (usually /wp-admin).
  2. Go to Dashboard → Plugins → Add New.
  3. Install and activate a reputable security plugin that supports custom login URLs.
  4. Open the plugin’s settings screen (often under Security or the plugin name).
  5. Look for a section like Login Security, Brute Force Protection, or Hide Login.

3.2 Set Your New Login URL

  1. Find the field labeled something like Custom Login URL or Login Slug.
  2. Enter only the slug portion (for example, team-access-8742).
  3. Confirm what the full URL will be (for example, https://example.com/team-access-8742).
  4. Save or apply the settings.
  5. Immediately open a new private/incognito browser window and test the new URL.

3.3 What You Should See

  • Visiting the new URL should show the standard WordPress login form (possibly styled by your theme or security plugin).
  • Visiting the old URLs (/wp-login.php and /wp-admin) should either redirect, show a 404, or display a generic message (depending on plugin settings).
  • Logging in via the new URL should take you to Dashboard → Home as usual.

If any of these do not work as expected, revert the change (see the troubleshooting section below) before logging out of your current session.
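
The three checks above can be scripted so they run the same way after every plugin or settings update. This is an added example, not code from the original article or from any plugin: example.com and team-access-8742 are the article's placeholders, verify() and its helpers are hypothetical names, and recognising the form by id="loginform" plus a pwd field is an assumption about the stock login markup.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin

OLD_PATHS = ("/wp-login.php", "/wp-admin/")

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface 3xx responses instead of following them

def fetch(url, timeout=10):
    """GET one URL; return (status, Location header, body), redirects not followed."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        resp = opener.open(url, timeout=timeout)
        status = resp.status
    except urllib.error.HTTPError as err:  # 3xx, 4xx and 5xx arrive here
        resp, status = err, err.code
    body = resp.read(200_000).decode("utf-8", "replace")
    return status, resp.headers.get("Location", ""), body

def has_login_form(body):
    # Heuristic (assumption): the stock form has id="loginform" and a field named "pwd".
    return 'id="loginform"' in body and 'name="pwd"' in body

def verify(base, slug, fetcher=fetch):
    """Return {path: "ok" or "FAIL: ..."} for the new URL and both default paths."""
    url = f"{base}/{slug}"
    status, location, body = fetcher(url)
    if 300 <= status < 400 and location.rstrip("/").endswith("/" + slug):
        status, location, body = fetcher(urljoin(url, location))  # trailing-slash redirect
    ok = status == 200 and has_login_form(body)
    results = {"/" + slug: "ok" if ok else f"FAIL: no login form (HTTP {status})"}
    for path in OLD_PATHS:
        status, location, body = fetcher(base + path)
        if status == 200 and has_login_form(body):
            results[path] = "FAIL: default login form still served"
        elif 300 <= status < 400 and slug in location:
            results[path] = "FAIL: redirect discloses the new slug"
        elif status >= 500:
            results[path] = f"FAIL: server error (HTTP {status})"
        else:
            results[path] = "ok"
    return results

if __name__ == "__main__":
    for path, verdict in verify("https://example.com", "team-access-8742").items():
        print(f"{path:20} {verdict}")
```

Run it from a machine that is not logged in to the site, and keep your existing admin session open until every line reads ok.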

Step 4: Update Saved Links, Password Managers, and Team Docs

Once the new URL is confirmed working:

  • Update any bookmarks in your browser.
  • Update your password manager entry for the site.
  • Update any internal documentation or onboarding checklists.
  • Share the new URL with your team using a secure channel (never in public chat or email threads that might be forwarded widely).

Remind your team not to share the login URL publicly. While it’s not a secret in the cryptographic sense, keeping it semi-private reduces unnecessary probing.

Step 5: Verify Compatibility With Other Features

After changing the login URL, test any features that depend on authentication:

  • Front-end login forms or membership portals
  • Single sign-on (SSO) integrations
  • XML-RPC or REST API-based tools that might trigger login redirects

WordPress core authentication relies on cookies and sessions; if your plugin changes how login redirects work, make sure it doesn’t interfere with legitimate API or app access. Source

How This Affects Security Logs and Rate Limiting

Changing the login URL can significantly reduce noise from automated bots hitting /wp-login.php. This makes it easier to:

  • Spot targeted attacks against real usernames
  • Configure more accurate rate limits and lockout thresholds
  • Monitor for unusual login attempts from new IP ranges

Consider combining the custom login URL with:

  • Rate limiting on login attempts
  • CAPTCHAs for repeated failures
  • Two-factor authentication for all admin accounts

Modern security guidance emphasizes strong authentication and monitoring over obscurity alone. Source
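
One way to put the quieter logs to use, as an added example that is not part of the original article: the script reads combined-format access log lines, counts leftover hits on /wp-login.php, flags IPs with repeated failed POSTs to the custom slug, and lists successful logins from outside known networks. The log lines are constructed, summarize() and its parameters are hypothetical names, and it assumes a failed login answers 200 (form shown again) while a successful one answers 302.

```python
import ipaddress
import re
from collections import Counter

# Combined log format: ip - user [time] "METHOD path proto" status size ...
LINE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+)[^"]*" (\d{3}) ')

# Constructed sample lines using documentation-only IP ranges.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2025:09:00:01 +0000] "POST /wp-login.php HTTP/1.1" 404 512 "-" "-"
198.51.100.8 - - [10/Mar/2025:09:00:02 +0000] "GET /wp-login.php HTTP/1.1" 404 512 "-" "-"
198.51.100.9 - - [10/Mar/2025:09:00:03 +0000] "POST /wp-login.php HTTP/1.1" 404 512 "-" "-"
203.0.113.50 - - [10/Mar/2025:09:05:10 +0000] "POST /team-access-8742 HTTP/1.1" 200 4100 "-" "-"
203.0.113.50 - - [10/Mar/2025:09:05:12 +0000] "POST /team-access-8742 HTTP/1.1" 200 4100 "-" "-"
203.0.113.50 - - [10/Mar/2025:09:05:14 +0000] "POST /team-access-8742 HTTP/1.1" 200 4100 "-" "-"
192.0.2.11 - - [10/Mar/2025:09:10:00 +0000] "POST /team-access-8742 HTTP/1.1" 200 4100 "-" "-"
192.0.2.10 - - [10/Mar/2025:09:10:30 +0000] "POST /team-access-8742 HTTP/1.1" 302 0 "-" "-"
203.0.113.99 - - [10/Mar/2025:09:20:00 +0000] "POST /team-access-8742/ HTTP/1.1" 302 0 "-" "-"
""".splitlines()


def summarize(lines, slug, known_nets, threshold=3):
    """Separate default-path noise from activity on the custom login slug."""
    nets = [ipaddress.ip_network(n) for n in known_nets]
    default_hits, failures, new_sources = 0, Counter(), set()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not an access-log line we understand
        ip, method, target, status = m.groups()
        path = target.split("?", 1)[0].rstrip("/")
        if path == "/wp-login.php":
            default_hits += 1  # background bot traffic after the change
        elif path == "/" + slug and method == "POST":
            if status == "200":  # assumption: form re-rendered means a failed login
                failures[ip] += 1
            elif status == "302" and not any(ipaddress.ip_address(ip) in n for n in nets):
                new_sources.add(ip)  # successful login from an unfamiliar range
    flagged = sorted(ip for ip, n in failures.items() if n >= threshold)
    return {"default_hits": default_hits, "flagged": flagged,
            "new_sources": sorted(new_sources)}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, "team-access-8742", ["192.0.2.0/24"]))
```

Anyone failing repeatedly on the custom slug already knows the URL, so those entries deserve closer review than the default-path count.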

Troubleshooting: If You Get Locked Out

If you or a teammate can’t access the login page after the change, use these recovery paths.

Option 1: Disable the Security Plugin via File Access

  1. Connect to your site via SFTP or your host’s file manager.
  2. Navigate to wp-content/plugins.
  3. Rename the folder of the security plugin (for example, from security-plugin to security-plugin-disabled).
  4. Try visiting the default login URL again: /wp-login.php.
  5. Once logged in, fix the plugin settings or choose a different approach.

WordPress will automatically deactivate a plugin whose folder has been renamed, allowing you to regain access. Source

Option 2: Restore From Backup

  1. Log in to your hosting control panel.
  2. Locate the backup or restore section.
  3. Restore the most recent backup from before you changed the login URL.
  4. Confirm that /wp-admin and /wp-login.php work again.
  5. Repeat the change later, following this guide more cautiously.

When You Should Not Change the Login URL

In some cases, changing the login URL can cause more problems than it solves. Avoid or delay this change if:

  • You rely on third-party integrations that expect the default login path.
  • You have a large, non-technical team that frequently forgets URLs.
  • Your site already uses SSO or identity providers that tightly control login flows.

In these situations, prioritize strong authentication, least-privilege user roles, and robust monitoring over hiding the login page.

Summary: Treat Login URL Changes as One Layer in Your Defense

Changing your WordPress login URL is a useful noise reduction measure, not a primary security control. Done carefully—with backups, a recovery plan, and clear team communication—it can reduce automated attacks and make your security logs more meaningful. Combine it with strong passwords, two-factor authentication, and regular maintenance to keep your site resilient over time.
