How to Change the Default Login URL in WordPress (without a Plugin)

Recently, I changed the default login URL on all of my WordPress sites for one main reason: to improve security.

I prefer the manual method in doing so instead of using a plugin because I wanted to learn more about how the login process takes place in WordPress.

If you plan to change the default login URL on your WordPress sites too and are not interested in installing yet another plugin, then you can read my documentation below.

But first, let's find out why changing the default URL on a WordPress site is extremely recommended.

Shortcut ⤵️

• Why change the default login URL?
• Changing the login URL manually (in 4 simple steps)
• Recommended things to do after changing the login URL
• Summary

Why Change the Default Login URL?

I said that the main reason I changed the login URL on my WordPress sites was to improve the security. But what type of security?

The security I mean here is brute force attack.

Brute force attack is one of the most common cyber attacks launched to WordPress websites because in WordPress, the login page is extremely predictable.

Just by adding wp-login.php to the end of the site URL, everyone can access the login page of a WordPress website. Next, they can try different login credentials trying to login to your WordPress dashboard.

Never ever think that they try multiple combinations of usernames and passwords manually. A serious attacker could be using bot to launch the brute force attack to a site.

Not only can brute force attack open up an opportunity for an unauthorized user from accessing your site dashboard, it also adds extra workload to your server that causes high CPU usage which eventually leads to site performance interruption.

Changing the default URL is the bare minimum you need to do if you want to prevent brute force attacks from happening to your website.

There could be many other reasons to change the default WordPress login URL, but this is the most common one.

Changing the Login URL in WordPress Manually

Before you start, it's always recommended to backup your website just in case everything doesn't go as planned. You can confidently skip this step if your hosting service comes with a scheduled backup feature.

Or you can test the new changes on a staging site and push the changes to the live site once everything goes well.

If you have a local version of your website, you can directly edit the wp-login.php file using a code editor of your choice.

The process of changing the default URL itself is quite simple. You only need to edit the wp-login.php file and replace all wp-login.php strings in the file.

However, since the content of the wp-login.php file is long enough, I strongly recommend you to download it first and edit the file using a dedicated code editor like VS Code which has more advanced features. Including a "find and replace" feature which will be useful for this particular case.

Here are the steps to edit the file.

Step 1: Download the wp-login.php File

You can use any tool to download the wp-login.php file from your server. If your hosting service has a plugin manager feature, you can use it.

Or, you can use FTP to download the file if your hosting has no file manager plugin.

A plugin approach is also available. Here are some plugins that you can use to download a file from your WordPress site:

• WP File Manager
• Advanced File Manager
• Filester
• Bit File Manager
• WPIDE
• FileOrganizer

By the way, the wp-login.php file is located under the root directory of a WordPress installation.

Step 2: Edit the wp-login.php File

Once the wp-login.php file is downloaded, the next step is to edit it. Again, I strongly recommend you to use a code editor that has a "find and replace" feature. In this example, I use VS Code.

Start by opening VS Code. Go to the File menu and select Open to select the wp-login.php file you have just downloaded.

Once the file opens, you can start to edit it. Remember again, you need to replace all wp-login.php strings with a new string of your choice.

Make sure to include .php on your new string (e.g., my-custom-login-url.php).

To replace the wp-login.php strings, you can use the "find and replace" feature in VS Code.

Go to the left panel and type "wp-login.php" on the Search field. On the Replace field, you can type the new custom URL you want (e.g., my-custom-login-url.php). Click Replace All to replace all wp-login.php strings.

A little note. If you can't find the "find and replace" feature on your VS Code, you can go to the View menu and select Appearance. Make sure Primary Side Bar is enabled.

Step 3: Save the Edited File and Re-Upload

Once you have replaced all the wp-login.php strings in the wp-login.php file, you can save the file. But this time, you can't save it with the original name. Instead, you need to use a different file name.

To save the file with a different name, go to the File menu on VS Code and select Save As.

Give your file a new name. Make sure to use precisely the same file name as the string you used to replace the wp-login.php strings, complete with the .php extension.

For example, if your new string is my-custom-login-url.php, then your new file name should be my-custom-login-url.php.

This new file will become your new login URL.

Once done, re-upload the newly created file to the root directory of your WordPress installation and delete the wp-login.php file.

Step 4: Test the New Login URL

Once the new file is uploaded to the root directory of WordPress installation, you can test it. To do so, simply add the file name after the URL of your site (e.g., yoursite.com/my-custom-login.url.php).

If you see the WordPress login page after hitting enter, then everything is good and you can move on to the next step below.

Extra Steps After Changing the Login URL

Once you are done with the steps above, you will be able to login to your WordPress website using the new login URL.

However, you won't be able to log out once logged in since the logout process involves the wp-login.php file by default. To fix this issue, you can add a new logout action using the following code:

add_filter( 'logout_url', 'custom_logout_url', 10, 2 );
function custom_logout_url( $logout_url, $redirect ) {
    $logout_url = home_url( '/my-custom-login-url.php?action=logout' );
    return wp_nonce_url( $logout_url, 'log-out' );
}

The above code is a custom function that replaces the default WordPress logout URL to a custom path, which is /my-custom-login-url.php?action=logout in this case.

You can replace my-custom-login-url.php with the actual login URL you have just created.

Where to Add the Code?

There are at least three ways to add a new custom function in WordPress:

• By editing the functions.php file of the active theme
• Using a dedicated custom snippet plugin
• By creating a custom plugin dedicated to hosting custom functions

I personally prefer the third option because it is a future-proof solution.

You can read my article below to learn more about how to create a new function in WordPress.

How to Add Custom Functions in WordPress (3 Ways)

If you want, you can set a new redirection to redirect your users to for instance, homepage, after logout instead of login page.

Summary

Using the default login URL on your WordPress site is too risky because your website becomes vulnerable to brute force attacks. You can replace it with a custom login URL so that attackers have no idea where to access your login page.

Using a plugin is the easiest way to change the default login URL in WordPress. But if you prefer the manual method, you do it in four easy steps:

• Step 1: Download the wp-login.php file
• Step 2: Edit the wp-login.php file
• Step 3: Save the edited file and re-upload
• Step 4: Test the new login URL

Just make sure that the backup file of your site is ready before you make the first step.