Your WordPress website’s login page (/wp-login.php or /wp-admin) is the main gateway for administrators to access and manage the site. Unfortunately, it’s also the first target for bots, brute-force attacks, and malicious login attempts. Changing the default login URL is a powerful security technique and the best part is, you can do it manually without installing any plugins.

In this article, we’ll guide you step-by-step on how to change your WordPress login URL manually, understand why it matters, and make sure you don’t lock yourself out in the process.

Why Change the Default Login URL?

Before jumping into the how, let’s understand the why:

• Security through obscurity: While not foolproof, changing the login URL adds an extra layer of protection by making the login page harder to guess.

• Reduced brute-force attacks: Bots often target /wp-login.php. Changing it helps reduce login attempts and server load.

• Cleaner server logs: You avoid noise in your server logs from thousands of failed login attempts.

• More control: You control who sees the login page and when.

Note: This is not a replacement for strong passwords or two-factor authentication it’s an enhancement.

Pre-Requisites Before You Start

To safely change your WordPress login URL manually, you’ll need:

• Access to your hosting file manager or FTP

• Basic understanding of PHP

• A working backup of your site (files + database)

Step-by-Step: How to Manually Change the Login URL

Step 1: Create a New Login File

1. Access your WordPress root directory (usually /public_html/ or /htdocs/) via File Manager or FTP.

2. Locate the file named wp-login.php and download a copy to your computer as a backup.

3. Duplicate the file and rename it to something unique like mylogin.php or admin-access.php.

4. Upload the renamed file back into the root directory.

Step 2: Modify the New Login File

Open your newly renamed file (e.g., mylogin.php) in a code editor and make the following changes:

1. Replace all instances of wp-login.php inside the file with your new filename (mylogin.php).

   • Use the Find and Replace function in your editor for faster editing.

   • Save and upload the modified file.

Example: Replace

with

Step 3: Block Access to the Original Login File

To protect your site, you must now block access to the default wp-login.php so that bots can’t use it.

You can do this by adding the following code to your .htaccess file (if using Apache):

If you’re using LiteSpeed or another web server, make sure this is supported or consult with your hosting provider.

Step 4: Inform Trusted Users (If Any)

If you have other team members or clients who log in, share the new login URL with them. Make sure they bookmark it and delete any saved links to the old login page.

Optional (But Recommended) Enhancements

• Add IP whitelisting to allow only specific IPs to access your new login page.

• Enable rate limiting or fail2ban to block repeated login failures at the server level.

• Use CAPTCHAs for additional form protection.

Common Mistakes to Avoid

How to Revert Back (In Case of Error)

If something goes wrong:

1. Delete the newly created login file.

2. Remove or comment out the .htaccess block for wp-login.php.

3. Restore the original wp-login.php from your backup.

4. You’ll be able to access your site again via yoursite.com/wp-login.php.

Final Thoughts

Changing your WordPress login URL manually gives you better control and an additional line of defense against automated attacks. While plugins can make this easier, doing it manually keeps your site lean, secure, and plugin-bloat-free.

This method is particularly useful for small to mid-sized websites that want to boost login security without relying on third-party tools.

Pro Tip: Don’t stop here secure your admin area further by using strong passwords, disabling XML-RPC (if not needed), and setting file permissions correctly.