
How to Rename wp-admin and wp-login.php Without a Plugin for Better WordPress Security

By Rajan Gupta


Renaming wp-admin and wp-login.php improves your WordPress site’s security and reduces the risk of brute-force attacks. By default, WordPress login page URLs like wp-login.php and wp-admin are common targets for hackers and bots. Renaming or hiding these URLs, even without using any plugins, is a smart, proactive way to protect your site and strengthen your WordPress security.


Why Change the WordPress Login URL?

Attackers and bots constantly scan websites for default login URLs like /wp-login.php or /wp-admin. These endpoints are predictable and make your site vulnerable to brute-force attacks.

By changing your login URL to something custom like /admin or /secure-login, you reduce automated attacks and improve your website’s overall security posture.

Before vs After Changing Login URL

  • Before: yoursite.com/wp-login.php (easy target)
  • After: yoursite.com/admin (hidden & more secure)

How to Rename wp-login.php Without Plugin

Add the following code to your theme’s functions.php file or a custom plugin:

add_action('init', function () {
    $custom_slug = 'admin';
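    // Path of the current request without leading/trailing slashes
    // (cast to string because parse_url() returns null or false on a malformed URI)
    $request_uri = trim((string) parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH), '/');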

    // Serve wp-login.php when hitting custom URL
    if ($request_uri === $custom_slug) {
        global $error, $user_login;
        $error = '';
        $user_login = '';

        if (isset($_GET['loggedout']) && $_GET['loggedout'] == 'true') {
            $_REQUEST['loggedout'] = true;
        }

        require_once ABSPATH . 'wp-login.php';
        exit;
    }

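    // Block default wp-login.php access: logged-out GET requests are sent to the
    // home page; POST requests (including the login form's own submission) pass through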
    if (
        strpos($_SERVER['REQUEST_URI'], 'wp-login.php') !== false &&
        !is_user_logged_in() &&
        $_SERVER['REQUEST_METHOD'] === 'GET'
    ) {
        wp_redirect(home_url());
        exit;
    }
});

// Change login URL
add_filter('login_url', function($login_url, $redirect, $force_reauth) {
    return home_url('/admin/');
}, 10, 3);

// Redirect after login
add_filter('login_redirect', function($redirect_to, $requested_redirect_to, $user) {
    if (isset($user->roles) && in_array('administrator', $user->roles)) {
        return admin_url();
    }
    return home_url();
}, 10, 3);

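// Restrict non-admin users
add_filter('authenticate', function ($user, $username, $password) {
    // Pass through anything that is not an authenticated user
    // (a WP_Error, or null when no handler has authenticated the request)
    if (!($user instanceof WP_User)) {
        return $user;
    }

    // Reject every account that does not hold the administrator role
    if (!in_array('administrator', (array) $user->roles, true)) {
        return new WP_Error('permission_denied', __('ERROR: Access denied.'));
    }

    return $user;
}, 30, 3);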

What This Code Does

  • Replaces default login URL with /admin
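  • Blocks direct access to wp-login.php by redirecting GET requests from logged-out visitors to the home page (POST requests to wp-login.php are not redirected)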
  • Redirects users after login
  • Restricts login access to admin users only

Pro WordPress Security Tips

  • Enable Two-Factor Authentication (2FA)
  • Limit login attempts
  • Disable XML-RPC if unused
  • Use strong passwords
  • Keep WordPress core, themes, and plugins updated

🔒 Limitations of Renaming wp-login

  • This does not fully secure your website
  • Advanced bots can still detect login endpoints
  • Requires additional security layers
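
To check these limitations against your own traffic, the following added example (not code from the original post) scans access log lines for wp-login.php requests. It assumes the combined log format and standard wp-login.php behaviour, where a failed login re-renders the form with status 200 and a successful one redirects with 302; the log lines, IP addresses and the threshold are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines (combined log format, documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2025:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 302 0 "-" "curl/8.4"
203.0.113.7 - - [12/Mar/2025:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "curl/8.4"
203.0.113.7 - - [12/Mar/2025:10:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "curl/8.4"
203.0.113.7 - - [12/Mar/2025:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "curl/8.4"
198.51.100.9 - - [12/Mar/2025:10:02:00 +0000] "GET /admin HTTP/1.1" 200 3980 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2025:10:02:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Mar/2025:10:03:00 +0000] "GET /wp-login.php?action=lostpassword HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Client IP, method, path and status from one combined-format line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def audit_login_requests(log_text, threshold=3):
    """Summarise wp-login.php traffic once the rename snippet is live."""
    redirected_gets = 0        # GETs answered with a redirect (the snippet's job)
    served_gets = 0            # GETs that still rendered a page: snippet inactive?
    failed_posts = Counter()   # POSTs answered 200 = rejected credentials, per IP
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        # Same substring test the snippet applies to REQUEST_URI.
        if not m or "wp-login.php" not in m["path"]:
            continue
        if m["method"] == "GET":
            if m["status"] == "302":
                redirected_gets += 1
            else:
                served_gets += 1
        elif m["method"] == "POST" and m["status"] == "200":
            failed_posts[m["ip"]] += 1
    # Clients with repeated failed logins sent straight to wp-login.php.
    flagged = sorted(ip for ip, n in failed_posts.items() if n >= threshold)
    return {"redirected_gets": redirected_gets, "served_gets": served_gets,
            "failed_posts": dict(failed_posts), "flagged": flagged}

if __name__ == "__main__":
    print(audit_login_requests(SAMPLE_LOG))
```

A non-zero `served_gets` after deployment suggests the snippet is no longer loaded, for example after a theme switch replaced functions.php. Flagged addresses are candidates for rate limiting or blocking at the web server or firewall.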

Comparison Table

| Feature     | Default       | Custom URL |
|-------------|---------------|------------|
| Login URL   | /wp-login.php | /admin     |
| Security    | Low           | Higher     |
| Bot Attacks | High          | Reduced    |


❓ FAQs

Is it safe to rename wp-login.php?

Yes, as long as you use hooks and avoid modifying core files directly.

Will this stop brute-force attacks?

It reduces automated attacks but should be combined with other security practices.

Can I still access wp-admin?

Yes, after logging in through your custom login URL.

What if I forget the custom login URL?

You can disable the code via FTP or hosting file manager to restore default login access.
