Every WordPress site has the same login page: wp-login.php. Every bot knows this. Every brute force script targets it. And every time someone scans your site for vulnerabilities, that’s the first URL they try.
You can’t change this behavior with default WordPress. The login page is hardcoded.
Why wp-login.php Is a Problem
WordPress doesn’t offer any built-in way to:
- Change the login page URL.
- Block direct access to wp-login.php.
- Prevent non-logged-in users from reaching /wp-admin/.
- Redirect unauthorized access attempts to a custom page.
This means bots can hammer your login page 24/7. Even if they never guess the password, they waste server resources, fill your logs with failed attempts, and slow down your site.
Security plugins often address this with rate limiting or CAPTCHAs. But the simplest approach is to remove the target entirely: if bots can’t find your login page, they can’t attack it.
How to Hide Your WordPress Login Page
Activate the Hide Login Page module in Blaminhor Essentials.
Set a Custom Login URL
Replace wp-login.php with any URL you choose. Instead of yoursite.com/wp-login.php, your login page becomes something like yoursite.com/my-secret-door/.
Pick something memorable but not guessable. Avoid obvious slugs like admin, login, or signin.
Block Direct Access
Once enabled, anyone trying to access wp-login.php or /wp-admin/ without being logged in gets redirected. They never see the login form. They never know it exists at that URL.
Logged-in users continue to access the admin area normally. AJAX requests, REST API calls, and cron jobs are not affected.
Choose Where to Redirect
By default, unauthorized visitors are sent to your 404 page. You can change this to any URL on your site — your homepage, a custom page, or anything else.
What About Getting Locked Out?
This is the main risk with login page hiding: forget the custom URL and you’re locked out.
Two safeguards:
- Bookmark the URL. The module shows a clear reminder before you enable it.
- Enable Fatal Error Recovery. This companion module (also in Blaminhor Essentials) provides a secret recovery URL that always works, even if you forget the custom login URL. The module recommends enabling it before activating Hide Login.
A Practical Example
You manage a client site. The client doesn’t need to know about wp-login.php. You want to reduce bot traffic and keep the login page invisible.
- Activate Hide Login Page in Blaminhor Essentials.
- Set the login URL to something like client-access.
- Set the redirect to 404.
- Enable Fatal Error Recovery and save the recovery URL somewhere safe.
- Enable the protection.
Now yoursite.com/wp-login.php returns a 404. yoursite.com/wp-admin/ returns a 404. The only way to log in is through yoursite.com/client-access/.
Bots scanning for wp-login.php find nothing. Brute force scripts have no target. Your server logs stay clean.
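One way to confirm that outcome from outside the site, as an added example (not code from Blaminhor Essentials): it probes the two default URLs without following redirects, flags a response that still serves the login form or a redirect whose Location header gives away the custom slug, and checks that the custom URL does serve the form. The id="loginform" marker is the form id WordPress core renders; the example.test host, the function names, and the sample responses are constructed for illustration.

```python
import urllib.error
import urllib.request

LOGIN_MARKER = 'id="loginform"'  # form id rendered by WordPress core's login page


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface 3xx as HTTPError instead of following it


def http_fetch(url):
    """Return (status, Location header, body) without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=10) as r:
            return r.status, r.headers.get("Location", ""), r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Location", ""), e.read().decode("utf-8", "replace")


def audit(base, slug, fetch=http_fetch):
    """List problems with a hidden-login setup; an empty list means it behaves as described."""
    problems = []
    for path in ("/wp-login.php", "/wp-admin/"):
        status, location, body = fetch(base + path)
        if LOGIN_MARKER in body:
            problems.append(f"{path}: login form still served (HTTP {status})")
        if slug in location:
            problems.append(f"{path}: redirect reveals the custom slug ({location})")
    status, _, body = fetch(f"{base}/{slug}/")
    if status != 200 or LOGIN_MARKER not in body:
        problems.append(f"/{slug}/: login form not reachable (HTTP {status})")
    return problems


# Constructed responses standing in for a misconfigured site, so the example runs offline.
FAKE_SITE = {
    "https://example.test/wp-login.php": (404, "", "<h1>Not found</h1>"),
    "https://example.test/wp-admin/": (302, "https://example.test/client-access/", ""),
    "https://example.test/client-access/": (200, "", '<form name="loginform" id="loginform">'),
}

if __name__ == "__main__":
    for line in audit("https://example.test", "client-access", FAKE_SITE.__getitem__):
        print(line)
```

Against a live site, call audit("https://yoursite.com", "client-access") from a logged-out machine; the default fetcher makes three GET requests.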
Simple Security, No Overhead
Hiding the login page doesn’t replace strong passwords or two-factor authentication. But it eliminates an entire category of automated attacks by removing the target they all rely on.
No .htaccess edits. No server configuration. No performance impact. Just a different URL.
Part of Blaminhor Essentials, free on WordPress.org.