Hiding your WordPress login page will protect your website from brute force attacks.
In this article, we will show you two methods to hide the WordPress login page without the need to install any new plugins.

Change wp-admin url without Plugins

First Method: Hiding the WordPress Login Page Using Code

Step 1: Activating the Login Shortcode

Add this code snippet to your child theme’s functions.php file:

You must create a child theme before making any changes to functions.php file. Otherwise, the applied changes will be lost after each update.
Create child theme in WordPress step by step [without plugin]

As an alternative method, you can use the Code Snippets plugin to insert your codes into WordPress.

 * login shortcode by WPCookie [wpcookie-login]
 * https://redpishi.com/wordpress-tutorials/change-admin-url-without-plugins/
add_shortcode( 'wpcookie-login', 'drlogin_shortcode' );
function drlogin_shortcode($atts) {
	$atts = shortcode_atts( array(
	'num' => '0',
	), $atts, 'drlogin' );
	$num = $atts["num"];

	if (  is_user_logged_in() ) { return "<p class='wpcookie-logged-user'>You are logged in.</p>"; }
$style= '
$buffer = '<div style="max-width:350px; margin:10px auto; ">'.get_Ajax_login_form(0).get_Ajax_login_form(1).'</div><script>'.get_Ajax_login_form(2).'</script>'.$style;

	return $buffer;

// // Handle Ajax login requests
add_action('wp_ajax_nopriv_ajax_login', 'ajax_login');

function ajax_login() {
	// first form (get user & pass)
	if ( !isset( $_POST['password'] ) || !isset( $_POST['username'] ) ) {
		echo json_encode(array('loggedin' => '0', 'message' =>'<p style="color: #b30e0e;font-size: 0.9em;">Username and password cannot be empty.</p>' ));

	$username = $_POST['username'];
	$password = $_POST['password'];
	$user = wp_authenticate($username, $password);
	$id = $user->ID;

	if (is_wp_error($user)){
		$err = $user->get_error_message();
		echo json_encode(array('loggedin' => '0', 'message' =>'<p style="color: #b30e0e;font-size: 0.9em;">'.$err.'</p>' ));
	} else {
		$is_admin = $admin_url = '';
		if ( user_can( $id, 'manage_options' ) ) {
			$is_admin = 1;
			$admin_url = get_admin_url();
		echo json_encode( array( 'loggedin' => '2', 'message' => '<p style="color: #005500;font-size: 0.9em;">Login was successful, please wait...</p>', 'admin' => $is_admin , 'admin_url' => $admin_url  ) );
// get ajax login form

function get_Ajax_login_form($n) {

	$form_logo = '
	<div class="logo_wrapper" style="display: grid; justify-content: center;"></div>

    $form = '
    <div id="ajax-login-form">
	<form id="login-form"  class="login-form" enctype="multipart/form-data" onsubmit=" return false;">
	<span id="status"> </span>
		<div class="inside_form">

			<input type="text" name="username" id="login-username" placeholder="Username" required>
			<input type="password" name="password" id="login-password" placeholder="Password" required>

		<input type="hidden" name="action" value="ajax_login">
		<input type="submit" id="submit_login_btn" name="login" value="Login" >

		<div class="lost_pass" style=" margin-top: 10px; font-size: 0.9em; ">
		<a href="'.esc_url( wp_lostpassword_url() ).'" style="margin-left: 0px;">Forgot your password?</a></div>
:root {
    --post-table-color: #4682b4;
div#ajax-login-form input {
    height: 2.5rem;
    border: none;
    border-radius: 3px;
div#ajax-login-form input[type="text"], div#ajax-login-form input[type="password"] {
    border: 1px solid #d8d6d6;
    padding: 2px 11px;
div#ajax-login-form a {
    text-decoration: none;
max-width: 330px;
form#login-form div.inside_form {
    max-width: 330px;
    display: flex;
    flex-direction: column;
    gap: 18px;
input#submit_login_btn {
    background-color: var(--post-table-color);
    transition: all 0.3s ease;
    cursor: pointer;
	color: #fff;
input#submit_login_btn:hover {
    transform: translateY(-1px);
input#submit_login_btn:disabled {
    background-color: gray;
input#resend_mail {
	width: 180px;
    color: var(--post-table-color);
    border: 1px solid var(--post-table-color);
    border-radius: 3px;
    background-color: white;
    cursor: pointer;
input#resend_mail:disabled {
    color: gray;
    border: 1px solid gray;
form#login-form #status {
	max-width: 330px;;
	display: block;
	margin-top: 15px;
.\32 -col-r {
    display: flex;
    justify-content: space-between;
    flex-direction: row;
    flex-wrap: nowrap;
input#code::placeholder {
    text-align: center;
    margin: 0 -30px 0 0px;
input#code {
    padding-left: 30px;


$js = '
document.querySelector("form#login-form").addEventListener("submit", function(e) {

    let currentForm = e.target;
    currentForm.querySelector("#submit_login_btn").disabled = true;
    currentForm.querySelector("#status").innerHTML = `<p style="font-size: 0.9em;">Please wait ...</p>`;
    let myForm = currentForm;
    var formdata = new FormData(myForm);
    var xhr = new XMLHttpRequest();
    xhr.open("POST", "'.admin_url( "admin-ajax.php" ).'", true);
    xhr.onreadystatechange = function() {
        if (xhr.readyState === 4) {
            if (xhr.status === 200) {
                var result = JSON.parse(xhr.responseText);
                currentForm.querySelector("#status").innerHTML = result.message;
                currentForm.querySelector("#submit_login_btn").disabled = false;
                if (result.loggedin == "2") {
                    if (result.admin == "1") {
                        window.location.href = result.admin_url;
                    } else {

                } else {

            } else {
                currentForm.querySelector("#status").innerHTML = `<p style="color: #b30e0e;font-size: 0.9em;">There seems to be an issue in establishing a connection with the server. Please inform the website administrator. </p>`;
                currentForm.querySelector("#submit_login_btn").disabled = false;
    if ( $n == '1' ){
        return $form;
    } else if ( $n == '2' ){
        return $js;
    } else if ( $n == '0' ){
        return $form_logo;

Now, create a new page in your WordPress dashboard and add a login form to it using the shortcode [wpcookie-login].
After hiding the default WordPress login page, we can use this page to log into WordPress.

Step 2: Redirecting the WordPress login page

Add this code snippet to your child theme’s functions.php file.
This code redirects the wp-admin page to your desired page, preventing anyone from logging in from there.

add_action('init', 'prevent_wp_login');
function prevent_wp_login() {
    global $pagenow;
    $action = (isset($_GET['action'])) ? $_GET['action'] : '';
    if( $pagenow == 'wp-login.php' && ( ! $action || ( $action && ! in_array($action, array('logout', 'lostpassword', 'rp', 'resetpass'))))) {
        $page = get_bloginfo('url');

The above code redirects the wp-admin page to the home page.
If you want users to be redirected to a different page, you can place the URL of that page in the $page variable.

Step 3: Hiding the New Login Page from Search Results

By using the code below, you can hide the page where you have placed the login shortcode from search results. Simply replace “0000000” with the ID of the new login page.

	if (is_admin()) { return $query;  }
	if ($query->is_search) {
		$query->set( 'post__not_in', array( 0000000 ) );
	return $query;

Now your login page is hidden and no one except you will be able to login. For added security, you can limit the number of login attempts on your website by following the steps outlined in the article below.

Limit login attempts in WordPress without plugin

If this article is difficult for you to read in text, you can watch the video version below.

Second Method: Changing the WordPress Login Page by Modifying File Names

One way to hide your WordPress login URL is to rename the wp-login.php file in your website’s hosting. This is the fastest way to do it, but you’ll need to remember to rename the file again after every WordPress update.

Step 1. Backup wp-login.php

Log in to your cPanel and enter the File Manager.
Download a copy of the wp-login.php file for backup purpose.

download wp-login.php in WordPress

Step 2. Rename wp-login.php

In cPanel Rename the wp-login.php file to your liking, I change its name to my-secret-login.php, you can name it your cat’s name, your postcode or etc.

Step 3. Edit wp-login.php

After renaming, right-click on the file and select ✏Edit.
In the editor, click on the text of the file once to activate the editor functionality, then press Ctrl-H (or Command-Option-F on Mac) buttons to open the Find/Replace window.

find and replace wp-login in wordpress file

In the “Search for” field put “wp-login.php” and in “Replace with” put “my-secret-login.php” or what ever name you have already chosen and click on All.

After renaming “wp-login” to “my-secret-login.php” click on Save Changes, and close the editor.

Done, now your website login address has changed to site.com/my-secret-login.php and if someone goes to the default WordPress login page they will get a 404 or page not find error.

If you want to change the appearance of your login page or use your favorite logo and background on this page, be sure to check out following tutorial.
How to create Custom login page in WordPress without plugin [fast and easy]

Custom login page WordPress without plugin template 2

Finally check the new login address of your website and make sure it works properly.

changed WordPress login page

If this article is difficult for you to read in text, you can watch the video version below.

Is changing the admin URL a foolproof way to protect my WordPress website from hackers?

Changing the admin URL can add an extra layer of security by making it more difficult for attackers to find your login page. However, it is not a foolproof method, as hackers can still use other techniques, such as brute force attacks, to gain unauthorized access. To ensure better security, it’s essential to use a combination of various security measures like using strong passwords, limiting login attempts, keeping WordPress core, themes, and plugins updated, and using two-factor authentication.

Can I change the admin URL back to the default (wp-admin) if I need to?

Yes, you can change the admin URL back to the default (wp-admin) by reversing the steps mentioned in the article. Remove the custom code added to your theme’s functions.php file and then access your WordPress website using the default wp-admin URL. However, it’s important to note that changing the admin URL frequently may confuse users and search engines, so it’s best to choose a secure and memorable URL from the beginning.

Will changing the admin URL affect my website’s SEO or break any existing links?

Changing the admin URL should not have a direct impact on your website’s SEO or break existing links, as the admin URL is typically not indexed by search engines. However, it’s crucial to ensure that you are only modifying the admin URL and not changing other permalink structures, as altering the permalink structure can impact your site’s SEO and cause broken links. Always back up your website before making any changes, and test your site thoroughly after implementing the new admin URL to ensure that everything is functioning correctly.

Share this post

Hi, my name is Maya and I’m a WordPress plugin developer. I created this website to share some of the helpful codes that I’ve used in my own projects.
If you’re looking for a custom plugin for your website, you can contact me by clicking on Hire a developer in the menu. I’d love to hear from you.

Articles: 53

Leave a Reply

Your email address will not be published. Required fields are marked *