How to Rename wp-admin and wp-login.php Without a Plugin for Better WordPress Security

Rename wp-admin to improve your WordPress site’s security and reduce the risk of brute-force attacks. By default, WordPress login URLs like wp-login.php and wp-admin are common targets for hackers and bots. Renaming or hiding these URLs — even without using any plugins — is a smart, proactive way to protect your site.

⚠️ Why Change the Login URL?

Attackers often scan websites for yoursite.com/wp-login.php or yoursite.com/wp-admin to gain access. By changing this URL to something custom like yoursite.com/editor-login, you reduce the chance of automated attacks.

🛠️ How to Do It (Without a Plugin)

Add this code to your theme’s functions.php or to a custom plugin:

add_action('init', function () {
    $custom_slug = 'admin';
    // parse_url() can return null/false on a malformed URI, so cast before trimming
    $request_uri = trim((string) parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH), '/');

    // Serve wp-login.php manually when hitting custom login URL
    if ($request_uri === $custom_slug) {
        global $error, $user_login;
        $error = '';
        $user_login = '';

        // Set query vars expected by wp-login.php (like loggedout)
        if (isset($_GET['loggedout']) && $_GET['loggedout'] == 'true') {
            $_REQUEST['loggedout'] = true;
        }

        require_once ABSPATH . 'wp-login.php';
        exit;
    }
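    // Redirect unauthenticated GET requests for wp-login.php to the home page;
    // other methods (e.g. the login form's POST) are not redirected
    if (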
        strpos($_SERVER['REQUEST_URI'], 'wp-login.php') !== false &&
        !is_user_logged_in() &&
        $_SERVER['REQUEST_METHOD'] === 'GET'
    ) {
        wp_redirect(home_url());
        exit;
    }
});

// Point wp_login_url() (used for login links and redirects) at the custom slug
add_filter('login_url', function($login_url, $redirect, $force_reauth) {
    return home_url('/admin/');
}, 10, 3);

// Redirect after login based on role
add_filter('login_redirect', function($redirect_to, $requested_redirect_to, $user) {
    if (isset($user->roles) && is_array($user->roles) && in_array('administrator', $user->roles)) {
        return admin_url();
    }
    return home_url(); // Or custom redirect for blocked users
}, 10, 3);

// Block login for non-admin users
add_filter('authenticate', function ($user, $username, $password) {
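    // Pass through errors and any non-user value (e.g. null) from earlier handlers
    if (is_wp_error($user) || !($user instanceof WP_User)) {
        return $user;
    }

    if (!in_array('administrator', (array) $user->roles, true)) {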
        return new WP_Error('permission_denied', __('<strong>ERROR</strong>: You do not have permission to access this site.'));
    }

    return $user;
}, 30, 3);

✅ What This Does:

  • Replaces wp-login.php with your custom slug (e.g., editor-login).
  • Blocks direct access to wp-login.php and wp-admin.

📌 Important Notes:

  • Save the new login URL somewhere safe.
  • This only masks the login URL; it doesn’t change the core files.
  • Always back up your site before making changes to code.
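
Because the snippet above only redirects GET requests, POSTs sent straight to wp-login.php still reach authentication, so it is worth checking your access log for them after the change. The following is an added example, not part of the original code: it assumes Apache/Nginx "combined" log lines, the /admin slug from the snippet, and constructed sample data, and it treats each IP as one client (a heuristic that shared IPs can blur).

```python
import re
from collections import defaultdict

CUSTOM_SLUG = "/admin"  # assumption: matches $custom_slug in the PHP snippet

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2025:10:00:01 +0000] "GET /admin HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2025:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.com/admin" "Mozilla/5.0"
203.0.113.50 - - [10/Mar/2025:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
203.0.113.50 - - [10/Mar/2025:10:01:01 +0000] "POST /wp-login.php HTTP/1.1" 200 5120 "-" "python-requests/2.31"
203.0.113.50 - - [10/Mar/2025:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 5120 "-" "python-requests/2.31"
192.0.2.99 - - [10/Mar/2025:10:02:00 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "curl/8.5"
"""

# client IP, method, request target, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def find_direct_login_posts(log_text, slug=CUSTOM_SLUG):
    """Return {ip: count} of POSTs to wp-login.php from clients that
    never fetched the custom login URL earlier in the log."""
    saw_slug = set()
    direct = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing
        ip, method, target, _status = m.groups()
        # Drop the query string and trailing slash before comparing paths
        path = target.split("?", 1)[0].rstrip("/") or "/"
        if method == "GET" and path == slug:
            saw_slug.add(ip)  # a person loading the renamed login page
        elif method == "POST" and path.endswith("/wp-login.php") and ip not in saw_slug:
            direct[ip] += 1  # login attempt that bypassed the renamed page
    return dict(direct)


if __name__ == "__main__":
    for ip, n in find_direct_login_posts(SAMPLE_LOG).items():
        print(f"{ip}: {n} POST(s) to wp-login.php without visiting {CUSTOM_SLUG}")
```

Addresses it reports are candidates for rate limiting or blocking at the web server or firewall.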