{"id":90070,"date":"2026-02-14T18:44:47","date_gmt":"2026-02-14T17:44:47","guid":{"rendered":"https:\/\/blaminhor.com\/p\/m\/news\/?p=90070"},"modified":"2026-02-14T18:46:28","modified_gmt":"2026-02-14T17:46:28","slug":"how-to-hide-your-wordpress-login-page-from-bots-and-brute-force-attacks","status":"publish","type":"post","link":"https:\/\/blaminhor.com\/p\/m\/news\/how-to-hide-your-wordpress-login-page-from-bots-and-brute-force-attacks\/","title":{"rendered":"How to Hide Your WordPress Login Page from Bots and Brute Force Attacks"},"content":{"rendered":"<p>Every WordPress site has the same login page: <code>wp-login.php<\/code>. Every bot knows this. Every brute force script targets it. And every time someone scans your site for vulnerabilities, that&rsquo;s the first URL they try.<\/p>\n<p>You can&rsquo;t change this behavior with default WordPress. The login page is hardcoded.<\/p>\n<h2>Why wp-login.php Is a Problem<\/h2>\n<p>WordPress doesn&rsquo;t offer any built-in way to:<\/p>\n<ul>\n<li>Change the login page URL.<\/li>\n<li>Block direct access to <code>wp-login.php<\/code>.<\/li>\n<li>Prevent non-logged-in users from reaching <code>\/wp-admin\/<\/code>.<\/li>\n<li>Redirect unauthorized access attempts to a custom page.<\/li>\n<\/ul>\n<p>This means bots can hammer your login page 24\/7. Even if they never guess the password, they waste server resources, fill your logs with failed attempts, and slow down your site.<\/p>\n<p>Security plugins often address this with rate limiting or CAPTCHAs. But the simplest approach is to remove the target entirely: if bots can&rsquo;t find your login page, they can&rsquo;t attack it.<\/p>\n<h2>How to Hide Your WordPress Login Page<\/h2>\n<p>Activate the <strong>Hide Login Page<\/strong> module in <a href=\"https:\/\/wp.blaminhor.com\">Blaminhor Essentials<\/a>.<\/p>\n<h3>Set a Custom Login URL<\/h3>\n<p>Replace <code>wp-login.php<\/code> with any URL you choose. Instead of <code>yoursite.com\/wp-login.php<\/code>, your login page becomes something like <code>yoursite.com\/my-secret-door\/<\/code>.<\/p>\n<p>Pick something memorable but not guessable. Avoid obvious slugs like <code>admin<\/code>, <code>login<\/code>, or <code>signin<\/code>.<\/p>\n<h3>Block Direct Access<\/h3>\n<p>Once enabled, anyone trying to access <code>wp-login.php<\/code> or <code>\/wp-admin\/<\/code> without being logged in gets redirected. They never see the login form. They never know it exists at that URL.<\/p>\n<p>Logged-in users continue to access the admin area normally. AJAX requests, REST API calls, and cron jobs are not affected.<\/p>\n<h3>Choose Where to Redirect<\/h3>\n<p>By default, unauthorized visitors are sent to your 404 page. You can change this to any URL on your site \u2014 your homepage, a custom page, or anything else.<\/p>\n<h2>What About Getting Locked Out?<\/h2>\n<p>This is the main risk with login page hiding: forget the custom URL and you&rsquo;re locked out.<\/p>\n<p>Two safeguards:<\/p>\n<ul>\n<li><strong>Bookmark the URL<\/strong>. The module shows a clear reminder before you enable it.<\/li>\n<li><strong>Enable Fatal Error Recovery<\/strong>. This companion module (also in Blaminhor Essentials) provides a secret recovery URL that always works, even if you forget the custom login URL. The module recommends enabling it before activating Hide Login.<\/li>\n<\/ul>\n<h2>A Practical Example<\/h2>\n<p>You manage a client site. The client doesn&rsquo;t need to know about <code>wp-login.php<\/code>. You want to reduce bot traffic and keep the login page invisible.<\/p>\n<ol>\n<li>Activate <strong>Hide Login Page<\/strong> in Blaminhor Essentials.<\/li>\n<li>Set the login URL to something like <code>client-access<\/code>.<\/li>\n<li>Set the redirect to <code>404<\/code>.<\/li>\n<li>Enable <strong>Fatal Error Recovery<\/strong> and save the recovery URL somewhere safe.<\/li>\n<li>Enable the protection.<\/li>\n<\/ol>\n<p>Now <code>yoursite.com\/wp-login.php<\/code> returns a 404. <code>yoursite.com\/wp-admin\/<\/code> returns a 404. The only way to log in is through <code>yoursite.com\/client-access\/<\/code>.<\/p>\n<p>Bots scanning for <code>wp-login.php<\/code> find nothing. Brute force scripts have no target. Your server logs stay clean.<\/p>\n<h2>Simple Security, No Overhead<\/h2>\n<p>Hiding the login page doesn&rsquo;t replace strong passwords or two-factor authentication. But it eliminates an entire category of automated attacks by removing the target they all rely on.<\/p>\n<p>No .htaccess edits. No server configuration. No performance impact. Just a different URL.<\/p>\n<p>Part of Blaminhor Essentials, free on <a href=\"https:\/\/wordpress.org\/plugins\/blaminhor-essentials\/\">WordPress.org<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Every WordPress site has the same login page: wp-login.php. Every bot knows this. Hide your login page by replacing wp-login.php with a custom URL and blocking direct access for non-logged-in users.<\/p>\n","protected":false},"author":1,"featured_media":90072,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[80],"tags":[],"class_list":["post-90070","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-projects"],"_links":{"self":[{"href":"https:\/\/blaminhor.com\/p\/m\/news\/wp-json\/wp\/v2\/posts\/90070","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blaminhor.com\/p\/m\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blaminhor.com\/p\/m\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blaminhor.com\/p\/m\/news\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blaminhor.com\/p\/m\/news\/wp-json\/wp\/v2\/comments?post=90070"}],"version-history":[{"count":1,"href":"https:\/\/blaminhor.com\/p\/m\/news\/wp-json\/wp\/v2\/posts\/90070\/revisions"}],"predecessor-version":[{"id":90071,"href":"https:\/\/blaminhor.com\/p\/m\/news\/wp-json\/wp\/v2\/posts\/90070\/revisions\/90071"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blaminhor.com\/p\/m\/news\/wp-json\/wp\/v2\/media\/90072"}],"wp:attachment":[{"href":"https:\/\/blaminhor.com\/p\/m\/news\/wp-json\/wp\/v2\/media?parent=90070"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blaminhor.com\/p\/m\/news\/wp-json\/wp\/v2\/categories?post=90070"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blaminhor.com\/p\/m\/news\/wp-json\/wp\/v2\/tags?post=90070"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}