
How to Rename wp-admin and wp-login.php Without a Plugin for Better WordPress Security

By Rajan Gupta


Rename wp-admin to improve your WordPress site’s security and reduce the risk of brute-force attacks. By default, WordPress login URLs like wp-login.php and wp-admin are common targets for hackers and bots. Renaming or hiding these URLs — even without using any plugins — is a smart, proactive way to protect your site.


Why Change the Login URL?

Attackers often scan websites for yoursite.com/wp-login.php or yoursite.com/wp-admin to gain access. By changing this URL to something custom like yoursite.com/editor-login, you reduce the chance of automated attacks.

🛠️ How to Do It (Without a Plugin)

Add this code to your theme’s functions.php or to a custom plugin:

add_action('init', function () {
    // Custom login slug. Keep it in sync with the URL returned by the login_url filter below.
    $custom_slug = 'admin';
    $request_uri = trim(parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH), '/');

    // Serve wp-login.php manually when hitting custom login URL
    if ($request_uri === $custom_slug) {
        global $error, $user_login;
        $error = '';
        $user_login = '';

        // Set query vars expected by wp-login.php (like loggedout)
        if (isset($_GET['loggedout']) && $_GET['loggedout'] == 'true') {
            $_REQUEST['loggedout'] = true;
        }

        require_once ABSPATH . 'wp-login.php';
        exit;
    }
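    // Send logged-out GET requests for wp-login.php to the home page.
    // This includes password-reset links, which are GET requests to wp-login.php.
    // POST requests are not touched: the login form still submits to wp-login.php.
    if (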
        strpos($_SERVER['REQUEST_URI'], 'wp-login.php') !== false &&
        !is_user_logged_in() &&
        $_SERVER['REQUEST_METHOD'] === 'GET'
    ) {
        wp_redirect(home_url());
        exit;
    }
});

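// Point wp_login_url() (login links and wp-admin redirects) at the custom slug.
// This filter does not change the login form's action attribute.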
add_filter('login_url', function($login_url, $redirect, $force_reauth) {
    return home_url('/admin/');
}, 10, 3);

// Redirect after login based on role
add_filter('login_redirect', function($redirect_to, $requested_redirect_to, $user) {
    if (isset($user->roles) && is_array($user->roles) && in_array('administrator', $user->roles)) {
        return admin_url();
    }
    return home_url(); // Or custom redirect for blocked users
}, 10, 3);

// Block login for non-admin users
add_filter('authenticate', function ($user, $username, $password) {
    // Pass through errors and empty results from earlier authentication handlers
    if (!($user instanceof WP_User)) {
        return $user;
    }

    if (!in_array('administrator', (array) $user->roles)) {
        return new WP_Error('permission_denied', __('<strong>ERROR</strong>: You do not have permission to access this site.'));
    }

    return $user;
}, 30, 3);

✅ What This Does:

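  • Serves the login page at your custom slug (admin in the code above; change it to something like editor-login).
  • Redirects logged-out GET requests for wp-login.php to the home page. POST requests to wp-login.php are still processed, because the login form submits there.
  • Logged-out requests for wp-admin are not blocked; WordPress redirects them to the login URL, which the login_url filter now sets to the custom slug.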
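
Since the snippet leaves POST requests to wp-login.php alone, a server access log shows whether clients are still submitting credentials there without ever loading the custom login page. The following is an added example, not code from the original post; it assumes a combined-format access log and the /admin slug from the snippet, and the sample lines are constructed.

```python
import re
from collections import defaultdict

CUSTOM_SLUG = "/admin"  # assumption: the slug used in the snippet above

# Constructed sample access-log lines (combined format, documentation IP ranges).
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2025:09:00:01 +0000] "GET /admin HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2025:09:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.com/admin" "Mozilla/5.0"
203.0.113.50 - - [10/Mar/2025:09:01:00 +0000] "GET /wp-login.php HTTP/1.1" 302 0 "-" "-"
203.0.113.50 - - [10/Mar/2025:09:01:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4890 "-" "-"
203.0.113.50 - - [10/Mar/2025:09:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4890 "-" "-"
203.0.113.50 - - [10/Mar/2025:09:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4890 "-" "-"
192.0.2.9 - - [10/Mar/2025:09:02:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4890 "-" "-"
"""

# client IP, HTTP method and request target from one combined-format line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" ')


def direct_login_posts(log_text, slug=CUSTOM_SLUG, threshold=3):
    """Return {ip: count} for clients that POSTed to wp-login.php before ever
    requesting the custom login page, keeping those at or above threshold."""
    saw_form = set()          # IPs that loaded the login form at the custom slug
    posts = defaultdict(int)  # direct POSTs per IP
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, target = m.groups()
        path = target.split("?", 1)[0].rstrip("/")
        if method == "GET" and path == slug:
            saw_form.add(ip)
        elif method == "POST" and path == "/wp-login.php" and ip not in saw_form:
            posts[ip] += 1
    return {ip: n for ip, n in posts.items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in direct_login_posts(SAMPLE_LOG).items():
        print(f"{ip}: {n} direct POSTs to wp-login.php")
```

Clients flagged here are candidates for rate limiting or blocking at the web server or firewall, which the URL change alone does not provide.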

📌 Important Notes:

  • Save the new login URL somewhere safe.
  • This only masks the login URL; it doesn’t change the core files.
  • Always back up your site before making changes to code.