Is there any way to rename or hide wp-login.php?

Any way to change the wp-login.php url? It seems insecure that everyone that’s ever used WordPress could easily see if your site is using it, and get right to the login page.

There used to be a plugin called “Stealth login,” but it wasn’t updated. (And hence our reluctance to rely on plugins).


If you are doing this for your own site, then using .htaccess might be the easiest way, although it could get tricky if you want to make it work for a plugin, as there would be lots of subtle configuration differences to support.

Here are some articles that could help; not all are directly answering your question but they all address your security concern in one way or another:

  • Hide WordPress WP-Admin Login Page
  • How to prevent attacks on WordPress wp-login.php page
  • Secure Your WordPress, Playing With Your .htaccess File.
  • How to: change from wp-login.php to login
  • How to protect wp-login and wp-admin
  • Hardening WordPress with Mod Rewrite and htaccess

And of course there’s no better blog expert on Apache and WordPress than the guy who writes AskApache. Be sure to check out these:

  • AskApache Password Protection, For WordPress
  • Security with Apache htaccess Tutorial
  • The list of “WordPress” tagged posts on AskApache

I ran into the same problem recently, and you’re right that the Stealth plugin is no longer supported. However, because I finally realized that the Stealth plugin was the best option, I did a clean install of WordPress to the last version of WordPress that the Stealth plugin supported to figure out how the plugin works. Turns out, the only thing that the plugin is doing is creating a .htaccess file with some magic. The .htaccess file will look a little something like this:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^logout wp-login.php?action=logout&_wpnonce=asdfasdf&stealth_out_key=asdfasdfasdfasdf [L]
RewriteRule ^login wp-login.php?stealth_in_key=asdfasdfasdf&redirect_to=http://example.com/login [R,L]
RewriteRule ^admin wp-admin/?stealth_admin_key=asdfasdfasdfasdf [R,L]
RewriteCond %{HTTP_REFERER} !^http://example.com/wp-admin
RewriteCond %{HTTP_REFERER} !^http://example.com/wp-login\.php
RewriteCond %{HTTP_REFERER} !^http://example.com/login
RewriteCond %{HTTP_REFERER} !^http://example.com/admin
RewriteCond %{QUERY_STRING} !^stealth_in_key=asdfasdfasdfasdf
RewriteCond %{QUERY_STRING} !^stealth_out_key=asdfasdfasdfasdfasd
RewriteCond %{QUERY_STRING} !^stealth_reg_key=asdfasdfasdfasdfasdf
RewriteCond %{QUERY_STRING} !^stealth_admin_key=asdfasdfasdfasdfasdf
RewriteRule ^wp-login\.php http://example.com [R,L]
RewriteCond %{QUERY_STRING} ^loggedout=true
RewriteRule ^wp-login\.php http://example.com [R,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

I have changed all of the keys to some variation of “asdfasdfasdf” — obviously you would need to create some secret keys for yourself.

Hope this helps!
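The answer above leaves key creation to the reader, and each key has to be identical in the rewrite rule that appends it and in the condition that checks it. As an added example (not code from the Stealth Login plugin or from the answer's author), this sketch generates random keys and renders the login and admin portion of that rule set; the function name `render_stealth_rules`, the 32-character hex key format and the escaped Referer patterns are assumptions, and the logout rule and WordPress's standard `index.php` fallback are left out.

```python
import re
import secrets
from urllib.parse import urlsplit


def render_stealth_rules(site_url, in_key=None, admin_key=None):
    """Return (htaccess_text, keys) for the login/admin part of the rule set."""
    site = site_url.rstrip("/")
    parts = urlsplit(site)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("site_url must be an absolute http(s) URL")
    # Hex keys are safe to embed in a RewriteCond pattern without escaping.
    keys = {
        "in": in_key or secrets.token_hex(16),
        "admin": admin_key or secrets.token_hex(16),
    }
    for value in keys.values():
        if not re.fullmatch(r"[0-9a-f]{16,}", value):
            raise ValueError("keys must be at least 16 lowercase hex characters")
    # Escape regex metacharacters so the dot in the host name is literal.
    ref = re.escape(site)
    lines = [
        "<IfModule mod_rewrite.c>",
        "RewriteEngine On",
        "RewriteBase /",
        # Public entry points: these append the secret keys.
        f"RewriteRule ^login wp-login.php?stealth_in_key={keys['in']}"
        f"&redirect_to={site}/login [R,L]",
        f"RewriteRule ^admin wp-admin/?stealth_admin_key={keys['admin']} [R,L]",
    ]
    # Guard: wp-login.php is redirected away unless the Referer is one of the
    # site's own login/admin pages or the query string starts with a key.
    for path in ("wp-admin", r"wp-login\.php", "login", "admin"):
        lines.append(f"RewriteCond %{{HTTP_REFERER}} !^{ref}/{path}")
    for name in ("in", "admin"):
        lines.append(
            f"RewriteCond %{{QUERY_STRING}} !^stealth_{name}_key={keys[name]}"
        )
    lines += [f"RewriteRule ^wp-login\\.php {site} [R,L]", "</IfModule>"]
    return "\n".join(lines) + "\n", keys


if __name__ == "__main__":
    # example.com is a constructed sample site, as in the answer above.
    text, _ = render_stealth_rules("http://example.com")
    print(text, end="")
```

The Referer conditions depend on a header the client supplies, so this rule set cuts down automated hits on wp-login.php rather than acting as access control; strong passwords are still needed.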

Or you could rename wp-login.php to some-obscure-name.php; then, when you want to log in, type your url/some-obscure-name.php instead of going to wp-admin.php.

Here’s what I did:

I simply renamed the wp-admin directory to some obscure name, pfgkn for example.

Going to http://your-domain.com/wp-admin/ redirects you to your home page at http://your-domain.com/ or whatever else your 404 not found redirects to.

When I need to log in, I just rename the pfgkn directory to wp-admin, make my changes and then rename it back to pfgkn.