Support article
How to hide the WordPress login safely
Learn why hiding the WordPress login can reduce automated attacks and how to do it safely on your website.
Introduction
WordPress uses well-known default login routes such as /wp-login.php or /wp-admin. This makes it easier for bots and attackers to try to log in automatically.
Hiding or changing the login URL does not replace a strong password, but it can reduce many automated attempts.
Why hide the WordPress login
The original content indicates that miHosting blocks many attacks against WordPress websites every day through the application firewall. Even so, hiding the login area can add an extra layer of security.
It can help:
- Reduce brute-force attempts.
- Avoid bots looking for
/wp-login.php. - Reduce noise in logs.
- Better protect the administration access.
- Complement other security measures.
Before changing the login URL
Keep this in mind:
- Save the new URL in a secure place.
- Inform other authorized administrators.
- Make a backup before installing plugins.
- Do not use an overly obvious URL such as
/login. - Check that it does not affect membership or store plugins.
How to hide the login with a plugin
The easiest option for non-technical users is to use a dedicated plugin.
General steps:
- Log in to the WordPress dashboard.
- Go to Plugins > Add New.
- Search for a reliable plugin to change the login URL.
- Install and activate it.
- Set a new custom URL.
- Save the changes.
- Test the new URL in an incognito window.
[Suggested image: screenshot of the plugin settings screen used to change the login URL]
After configuring it, /wp-login.php should stop showing the usual login access.
Which URL to choose
Choose a URL that you can remember but that is not obvious.
Avoid:
/login/admin/access/wp-admin2/enter
Use a custom path related to you, but difficult to guess.
Additional recommended measures
Hiding the login should be combined with:
- Strong passwords.
- Two-factor authentication.
- Limited login attempts.
- Updated WordPress, plugins and themes.
- Removal of unnecessary users.
- Regular backups.
- SSL usage.
What to do if you lose the new URL
If you do not remember the custom URL and cannot log in:
- Access the file manager or FTP.
- Temporarily disable the plugin by renaming its folder.
- Log in with the standard WordPress URL.
- Configure the plugin again.
If you are not sure how to do it, contact support.
Useful tips
- Do not install several plugins that do the same thing.
- Save the URL in a password manager.
- Do not share the path publicly.
- Check compatibility with caching and security tools.
- Keep the plugin updated.
- Do not rely only on hiding the login.
Common problems
The website redirects incorrectly after the change
There may be a conflict with caching, security or redirection plugins. Clear the cache and review the configuration.
Other users cannot log in
Send them the new URL only if they need administrative access.
I still see login attempts
There may be other entry points such as XML-RPC or forms. Strengthen security further.
Frequently asked questions
Does hiding the login stop all attacks
No. It reduces automated attacks, but it does not replace updates or secure passwords.
Is it safe to use a plugin for this
Yes, if you choose a reliable, updated plugin with a good reputation.
Can I change the URL manually
It is possible, but for most users it is safer to use a dedicated plugin.
Should I also hide XML-RPC
If you do not use it, it may be advisable to restrict or disable it using the appropriate measures.
Conclusion
Hiding the WordPress login is a simple measure that can reduce automated access attempts. Use it as one more layer together with strong passwords, 2FA, updates and backups.