Hiding Your WordPress Login Page from Hackers with Code
By some estimates there are around 40 million brute force attacks on websites every day, so it’s likely your site will be targeted at some point. One relatively easy way to cut down that noise is to hide your login page from hackers.
Making it harder for hackers to find your login page means fewer automated tools get as far as guessing your credentials. Keep in mind that this is obscurity, not authentication: it doesn’t replace strong, unique passwords, two-factor authentication or rate limiting on login attempts, and it does nothing for other login endpoints such as xmlrpc.php. Treat it as one extra layer on top of those.
So how do you do it? You can create a new login page URL and hide your login with code in a few simple steps, adding an extra layer of defense to your site.
You don’t need to install any plugins and it only takes a few minutes to implement.
Time’s a wastin’ and hackers aren’t letting up anytime soon so let’s get started.
Baby Back, Back, Back It Up
Since you need to make edits to your .htaccess file to hide your login, it’s important that you create a full backup of your site. Your .htaccess file is an important one where one teeny-tiny mistake could completely take down your site so it’s best not to live on the edge and take chances here.
If you scoff at the idea and insist that no one can slow down your rockin’ life, then at least back up your .htaccess file as well as the folder for whatever theme you’re using.
It’s also a good idea to try the code below in a test environment first. It’s optional, but if you’re worried about your site going down even for a minute or so, it’s the safest route. After all, it’s better that your test site implodes, rather than your live site – no matter how short-lived.
Once that’s out of the way, you can try one of the options for changing your login page’s slug based on your comfort zone. Once your new slug is created, you can hide the original wp-login.php page.
The first option requires you to only edit your .htaccess file whereas you need to edit your theme’s functions.php and .htaccess files with the second option.
Feel free to skip down to the option you are more comfortable with trying.
Call Me, Maybe by a Different Slug
No matter which option you choose, you can edit the necessary files directly on the command line over SSH, over SFTP/FTP with a client such as FileZilla, or in cPanel’s file manager.
1. Using Only .htaccess Rules
For single installs of WordPress the code should go at the top of your .htaccess file, outside the # BEGIN WordPress / # END WordPress block, because WordPress regenerates that block and would discard anything you put inside it. For Multisite installs, add it after the following lines:
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
Here’s the code you need to add:
# BEGIN Hide login page
RewriteRule ^mylogin$ https://%{SERVER_NAME}/wp-login.php?key=123&redirect_to=https://%{SERVER_NAME}/wp-admin/index.php [L]
RewriteCond %{HTTP_REFERER} !^https://%{SERVER_NAME}/wp-admin
RewriteCond %{HTTP_REFERER} !^https://%{SERVER_NAME}/wp-login\.php
RewriteCond %{HTTP_REFERER} !^https://%{SERVER_NAME}/login
RewriteCond %{QUERY_STRING} !^key=123
RewriteCond %{QUERY_STRING} !^action=logout
RewriteCond %{QUERY_STRING} !^action=lostpassword
RewriteCond %{REQUEST_METHOD} !POST
# The RewriteCond lines above only apply to the RewriteRule that immediately follows them.
# Without this closing rule they do nothing and wp-login.php stays reachable at its usual address.
RewriteRule ^wp-login\.php$ - [R=404,L]
# END Hide login page
Be sure to change mylogin on the RewriteRule line (the second line of the block) to whatever you want your slug to be. If you don’t change it, you can find your login page at www.your-site.com/mylogin. If you do change it, your URL structure should be the same, except with your slug in place of mylogin.
It’s recommended that you change the slug, since this post is public and anyone, hackers included, can read it. If you use it as-is, they won’t have to guess your login URL because it’s printed here.
Also be sure to change 123 in both places it appears (the RewriteRule for your slug and the RewriteCond that checks the query string) to something else. The key is what tells the rules that a request for wp-login.php arrived via your slug redirect rather than directly. It isn’t truly secret: after the redirect it sits in the address bar, in your server logs and in any Referer header the browser sends on, so the slug is the part you rely on being hard to guess. Still, don’t pick something obvious like “wordpress” or the title of your site, and stick to letters and numbers so the key needs no escaping in the regular expressions.
Be clear about what the rules don’t do. The RewriteCond %{REQUEST_METHOD} !POST line is needed so the login form can submit, but it also means a tool that POSTs credentials straight to wp-login.php is never blocked, and the Referer checks trust a header the client sets itself. This hides the form from casual scanners; it does not stop a determined brute force attack, so keep strong passwords, two-factor authentication and login rate limiting in place as well.
Save your .htaccess file and check that your site is still up. If you get a 500 Internal Server Error, you have made a mistake somewhere, no matter how small; the Apache error log will usually name the offending line. Restore the file and try again.
If your site is up but it’s not working for you, try clearing your browser’s cache.
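To see exactly which requests the ruleset lets through before you go near curl, here is a small Python model of the rules above. It is an added example, not code from the original post, WordPress or Apache: each RewriteCond is reproduced as the same start-anchored regular expression, the closing RewriteRule that answers wp-login.php with a 404 is assumed to be present, and the host example.com, slug mylogin and key 123 are placeholders. The sample requests are constructed for the example. It shows that a plain GET of wp-login.php is hidden, while a POST of credentials and a forged Referer both still reach the login script.

```python
# Added example: a model of the .htaccess ruleset above, to see which requests
# still reach wp-login.php. This is not Apache; slug, key and host are assumptions.
from __future__ import annotations

import re
from dataclasses import dataclass

SLUG = "mylogin"        # the custom login slug from the first RewriteRule
KEY = "123"             # the "secret key" carried by the redirect
HOST = "example.com"    # stands in for %{SERVER_NAME}; constructed for this example


@dataclass
class Request:
    method: str
    path: str            # path relative to the .htaccess directory, e.g. "wp-login.php"
    query: str = ""      # %{QUERY_STRING}
    referer: str = ""    # %{HTTP_REFERER}: whatever the client chooses to send


def evaluate(req: Request) -> tuple[str, str]:
    """Return ("redirect", url), ("blocked", "404") or ("served", path)."""
    # Rule 1: the slug redirects to wp-login.php carrying the key.
    if re.fullmatch(re.escape(SLUG), req.path):
        target = (f"https://{HOST}/wp-login.php?key={KEY}"
                  f"&redirect_to=https://{HOST}/wp-admin/index.php")
        return ("redirect", target)

    # Rule 2: every RewriteCond must hold (they are ANDed) for the 404 rule to fire.
    # Each condition is a negated regex anchored at the start of the variable.
    base = f"https://{re.escape(HOST)}/"
    conds = [
        not re.match(base + "wp-admin", req.referer),
        not re.match(base + r"wp-login\.php", req.referer),
        not re.match(base + "login", req.referer),
        not re.match(f"key={re.escape(KEY)}", req.query),  # key only counts as FIRST parameter
        not re.match("action=logout", req.query),
        not re.match("action=lostpassword", req.query),
        not re.search("POST", req.method),                 # !POST: any non-POST method
    ]
    if re.fullmatch(r"wp-login\.php", req.path) and all(conds):
        return ("blocked", "404")
    return ("served", req.path)


# Constructed sample requests: the legitimate flow plus the ones the rules let through.
CASES = {
    "slug": Request("GET", SLUG),
    "direct_get": Request("GET", "wp-login.php"),
    "after_redirect": Request("GET", "wp-login.php",
                              query=f"key={KEY}&redirect_to=https://{HOST}/wp-admin/index.php"),
    "key_not_first": Request("GET", "wp-login.php",
                             query=f"redirect_to=https://{HOST}/wp-admin/&key={KEY}"),
    "brute_force_post": Request("POST", "wp-login.php"),
    "forged_referer": Request("GET", "wp-login.php", referer=f"https://{HOST}/wp-admin/"),
    "lost_password": Request("GET", "wp-login.php", query="action=lostpassword"),
}


def outcomes() -> dict[str, str]:
    """Outcome name ("redirect" / "blocked" / "served") for every sample request."""
    return {name: evaluate(req)[0] for name, req in CASES.items()}


if __name__ == "__main__":
    for name, result in outcomes().items():
        print(f"{name:17} -> {result}")
```

The rows worth staring at are brute_force_post and forged_referer: both come back as served, because the !POST condition has to let the real login form submit and the Referer is whatever the client says it is. That is the ceiling of this technique. Once the rules are live, confirm the same picture on your site with curl: a GET of /wp-login.php should return 404, a GET of your slug should return a redirect whose Location carries your key, and a POST to /wp-login.php will still be answered by WordPress.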