Changing the WordPress admin login URL without a plugin can help reduce spam login attempts and brute-force attacks. In this guide, you’ll learn how to replace the default wp-login.php with a custom login URL like www.yoursite.com/my-secret-login.php. We’ll walk through both manual and .htaccess methods, discuss security implications, and share best practices.
Important: Always back up your site before making any changes to core files.
Table Of Contents
- 1 Step 1: Back Up wp-login.php
- 2 Step 2: Rename the wp-login.php File
- 3 Step 3: Replace All References to wp-login
- 4 Step 4: Upload the Modified File
- 5 Step 5: Update WordPress Logout and Lost Password URLs
- 6 Step 6: Test the New Login URL
- 7 Step 7: Delete the Original wp-login.php
- 8 Alternative: Change the Login URL Using .htaccess
- 9 Why Is Changing the WordPress Admin Login URL Without a Plugin a Bad Approach?
- 10 A Word of Caution: Is Hiding the Login Page Enough?
- 11 What You Should Know About the REST API and xmlrpc.php and Their Security Risks
- 12 Final Thoughts
- 13 FAQs About Changing the WordPress Admin Login URL Without a Plugin (Bad Idea!)
Step 1: Back Up wp-login.php
Before editing anything, create a full backup of your original wp-login.php file, located in the root of your WordPress installation. If your file has never been customized, you can restore it anytime from the official WordPress source.
Step 2: Rename the wp-login.php File
Rename wp-login.php to something unique like my-secret-login.php. This renamed file will serve as your new login entry point.
Tip: Use a name that’s hard to guess, such as aD6qq8Q83.php, for better security.
Step 3: Replace All References to wp-login
Open the renamed file in a code editor like Visual Studio Code and use the Find and Replace feature to update all instances of wp-login to your new file name (my-secret-login, for example).
Save the file once replacements are complete.
Step 4: Upload the Modified File
Use FTP or your hosting file manager to upload the newly renamed login file to your site’s root directory. Set its permissions to 644 or 640 to keep it secure.
Step 5: Update WordPress Logout and Lost Password URLs
By default, WordPress still uses wp-login.php for logout and password reset links. Add the following code to your theme’s functions.php file to redirect these actions to your new login file:
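// Point logout links at the renamed login file.
// str_replace keeps the action=logout and _wpnonce arguments WordPress adds,
// so clicking "Log out" still ends the session.
add_filter( 'logout_url', 'custom_logout_url', 10, 2 );
function custom_logout_url( $logout_url ) {
    return str_replace( 'wp-login.php', 'my-secret-login.php', $logout_url );
}

// Point "Lost your password?" links at the renamed login file.
add_filter( 'lostpassword_url', 'custom_lost_password_url', 10, 2 );
function custom_lost_password_url( $url ) {
    return home_url( '/my-secret-login.php?action=lostpassword' );
}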
You can also use a plugin like Code Snippets to safely insert this code without modifying your theme files, or you can put it in your theme/child-theme functions.php file directly.
Step 6: Test the New Login URL
Visit your new login URL (e.g., www.yoursite.com/my-secret-login.php) and confirm you can log in and out successfully. Ensure the lost password functionality works as expected.
Step 7: Delete the Original wp-login.php
Once everything is working, the final step of changing the WordPress admin login URL without a plugin is to delete the original wp-login.php file from your server. This prevents access through the default URL.
Anyone trying to access /wp-login.php or /wp-admin/ will now see a 404 error.
Alternative: Change the Login URL Using .htaccess
If you’re using an Apache server, you can set up a login redirect using .htaccess. Add the following line before WordPress’s default rules:
RewriteRule ^login$ https://www.yoursite.com/my-secret-login.php [NC,L]
This allows users to access the login page via www.yoursite.com/login.
Be careful when editing .htaccess. Even a small syntax error can bring your site down. Always back it up first.
Why Is Changing the WordPress Admin Login URL Without a Plugin a Bad Approach?
Modifying WordPress core files is strongly discouraged—and for good reason. Every time WordPress updates, any changes you’ve made will be overwritten, forcing you to repeat the process again and again. This is not a sustainable or professional approach.
As a developer, editing WordPress core files should never be part of your workflow, especially on client projects. It introduces unnecessary risk, makes updates messy, and creates problems that are hard to reverse.
If you’re looking to change the WordPress login URL the right way, we’ve written a complete guide that walks you through the correct and safe method of changing the WordPress login URL without touching core files.
A Word of Caution: Is Hiding the Login Page Enough?
While changing the WordPress admin login URL without a plugin (or with a plugin) adds a layer of obscurity, it is not a complete security solution. Leading security plugins like Wordfence and Solid Security have differing opinions:
- Wordfence does not include this feature, as it considers it ineffective.
- iThemes Security (AKA Solid Security) offers it, but warns users not to rely on it as their main protection.
Brute force attacks often target other areas such as the REST API or xmlrpc.php. So, changing your login URL won’t stop determined attackers.
What You Should Know About the REST API and xmlrpc.php and Their Security Risks
WordPress offers powerful tools for external communication, two of which are the REST API and xmlrpc.php. Both are gateways that allow apps or external systems to interact with your WordPress website, but they come with their own security considerations.
REST API: The Modern Standard
The WordPress REST API allows developers to interact with WordPress using HTTP requests (like GET, POST, PUT). It’s used for:
- Headless WordPress setups
- Mobile apps
- Frontend frameworks like React or Vue
REST API Security Risks
- Data Exposure: By default, it exposes usernames and public post data, which can aid brute-force attacks.
- Authentication Vulnerabilities: Poorly implemented token or cookie-based authentication can be exploited.
- Plugin/Theme Exploits: If a plugin creates insecure REST endpoints, attackers may abuse them.
- Recommendation: Disable unused REST routes and limit user data exposure using plugins like Disable REST API or Wordfence.
xmlrpc.php: The Legacy Connector
The xmlrpc.php file is an older protocol that enables external apps (like the WordPress mobile app or Jetpack) to interact with your site. It can:
- Allow remote publishing
- Manage content from mobile devices
- Enable trackbacks and pingbacks
xmlrpc.php Security Risks
- Brute Force Attacks: It allows multiple username/password combinations in a single request, making brute-force easier.
- DDoS Amplification: Can be used to send pingbacks to other sites, acting as a botnet.
- No Granular Control: You can’t easily limit access to certain functions without disabling it entirely.
- Recommendation: If you’re not using services that depend on xmlrpc.php, consider disabling it completely via .htaccess or a security plugin like Solid Security.
As you can see, changing the WordPress admin login URL without a plugin has no direct impact on these areas, and these remain the most important issues in WordPress security. So changing the login URL (with or without a plugin) doesn’t guarantee complete WordPress security.
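To check this against your own access logs, the following added example (not part of the original article) counts requests per client to the default login, the renamed login, xmlrpc.php and the REST users route, and separates requests the site still served from those that got a 404. It assumes Apache combined log format and the article's example file name my-secret-login.php; the log lines, IP addresses and the threshold of 3 are constructed for illustration.

```python
import re
from collections import Counter

# Apache combined log format: client IP, method, path, status code.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" (\d{3}) ')

# Surfaces named on this page; my-secret-login.php is the page's example file name.
SURFACES = [
    ("default_login", "POST", re.compile(r"^/wp-login\.php")),
    ("custom_login", "POST", re.compile(r"^/my-secret-login\.php")),
    ("xmlrpc", "POST", re.compile(r"^/xmlrpc\.php")),
    ("rest_users", "GET", re.compile(r"^/wp-json/wp/v2/users|[?&]rest_route=/wp/v2/users")),
]

def classify(method, path):
    """Return the tracked surface a request hits, or None (implicitly) if untracked."""
    for name, wanted, pattern in SURFACES:
        if method == wanted and pattern.search(path):
            return name

def summarize(log_text, threshold=3):
    """Per (surface, ip): total requests, and how many the site served (not 404)."""
    total, served = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        surface = classify(m.group(2), m.group(3)) if m else None
        if surface is None:
            continue  # malformed line or a path we do not track
        key = (surface, m.group(1))
        total[key] += 1
        served[key] += m.group(4) != "404"
    return [{"surface": s, "ip": ip, "total": n, "served": served[s, ip],
             "alert": served[s, ip] >= threshold}
            for (s, ip), n in sorted(total.items())]

def _line(ip, method, path, status):
    """Build one constructed log line (sample data, not from a real site)."""
    return f'{ip} - - [12/Mar/2025:10:00:00 +0000] "{method} {path} HTTP/1.1" {status} 512 "-" "-"'

SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", "POST", "/wp-login.php", 404)] * 3
    + [_line("198.51.100.23", "POST", "/xmlrpc.php", 200)] * 4
    + [_line("198.51.100.23", "GET", "/wp-json/wp/v2/users", 200),
       _line("192.0.2.10", "POST", "/my-secret-login.php", 302),
       _line("192.0.2.10", "GET", "/wp-admin/", 200)])

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```

In the sample, the POSTs to the deleted wp-login.php are all answered with 404 and raise no alert, while the repeated POSTs to xmlrpc.php are still served and are the only row flagged.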
Final Thoughts
Changing your WordPress login URL can stop many low-level bots and add a layer of defense through obscurity. However, it’s not a foolproof solution. For the best protection, use a well-rounded security plugin, keep your site updated, and implement strong passwords and two-factor authentication.
If you’re looking for a simpler approach, consider using a plugin, as we described in our “change WordPress login URL” article, which offers the same functionality without code changes.
Thanks for reading!
— Koolak Team
FAQs About Changing the WordPress Admin Login URL Without a Plugin (Bad Idea!)
Q: Why is it not recommended to edit the wp-login.php file directly in WordPress?
A: It can cause irreversible problems, and the cons of this approach far outweigh its pros. As described in our articles, you should use a different approach.
Q: Is changing the login URL an effective security measure against brute force attacks?
A: Changing the login URL may help reduce automated attacks from bots targeting the default path (/wp-login.php), but it’s not a bulletproof security strategy. Hackers can still find the new URL, and many attacks target other vulnerabilities like XML-RPC or REST API endpoints. It's best used alongside other robust security measures.
Q: Can the WordPress login URL be changed to anything without a plugin?
A: Yes, you can change it to anything you want, like "domain.com/hasghj1zmHHskx.php".