Every WordPress site comes with the same login URL by default. Anyone who knows WordPress — which includes every bot and brute-force tool targeting it — knows exactly where to go. They just add /wp-login.php to your domain and start trying combinations.
Changing that URL to something non-standard does not fix all security problems, but it eliminates the constant low-level noise of automated login attempts hitting a predictable address. It is one of the simpler steps you can take early in a WordPress build, and it takes about two minutes to set up.
What Changing Your Login URL Actually Does
When you change the login URL, the default /wp-login.php address and the /wp-admin/ directory become inaccessible to anyone who is not logged in. Requests to those addresses return a 404 or redirect elsewhere. Your actual login page moves to a custom URL that only you know.
This is a form of security through obscurity — it does not replace strong passwords or two-factor authentication, but it removes the easy target. Bots looking for /wp-login.php find nothing. That alone cuts out a significant volume of automated traffic trying to get into sites.
Quick Answer
Install the free WPS Hide Login plugin, set your custom login URL under Settings → General, save, and bookmark the new address. The default login URL becomes inaccessible immediately.
Why Automated Login Attacks Are Worth Taking Seriously
Brute-force attacks on WordPress login pages are extremely common. They work by sending hundreds or thousands of login attempts in rapid succession, using lists of common usernames and passwords. Most of this is automated — bots scan ranges of sites and try the default URL without any human involved.
Even if these attempts never succeed, they generate server load, appear in your logs, and can occasionally trigger false positives with caching plugins or security rules. Moving the login page removes the target entirely rather than just hardening it.
How to Change Your WordPress Login URL Using WPS Hide Login
Step 1: Install and activate WPS Hide Login
Go to Plugins → Add New in your WordPress dashboard. Search for WPS Hide Login. Install and activate it. The plugin is lightweight — it does not add database tables or modify WordPress core files. It works by intercepting requests to the default login addresses.
Step 2: Set your custom login URL
Once activated, go to Settings → General and scroll to the bottom. You will see a WPS Hide Login section with a field for your custom login URL.
Enter your chosen slug — for example, site-access or my-login. Avoid obvious choices like login, admin, or anything close to the original. The URL will become yourdomain.com/your-custom-slug/.
There is also a redirect URL field — this is where visitors will be sent if they try to access /wp-login.php or /wp-admin/ directly. The homepage is the default, which is fine.
Step 3: Save and bookmark immediately
Click Save Changes. The new login URL is active immediately.
Open a new browser tab and navigate to your custom URL before closing anything. Confirm the login page loads. Then bookmark it. If you lose the URL and get locked out, you can recover access by deactivating the plugin via FTP or your hosting file manager — but you want to avoid that situation.
Practical Tips for Using WPS Hide Login
Choose a memorable but non-obvious slug. You want something you will remember without writing it down in an obvious place, but not something guessable like /login or /admin-access.
Share the new URL with anyone who needs it. If other people log in to the site — editors, clients, developers — send them the updated URL before they go looking for it.
Check your password reset emails still work. WPS Hide Login is compatible with WordPress’s password reset flow, but it is worth testing once. Trigger a password reset from the login page and confirm the email link resolves correctly.
The plugin supports multisite. If you run a WordPress multisite network, you can set a network-wide default login URL from the network admin.
Common Mistakes
Not bookmarking the new URL. This is the most common issue. Once you save the new URL, the old one stops working. If you forget the new one and have no bookmark, recovery requires FTP access.
Choosing an obvious replacement slug. /login, /wp-login, /admin, and /dashboard are all guessable. Use something less predictable.
Treating this as a complete security solution. Moving the login URL reduces automated noise, but you still need a strong password, preferably two-factor authentication, and limited login attempts. See the guide to securing a WordPress website for a fuller security checklist.
When to Use Something More Than WPS Hide Login
WPS Hide Login is the right tool if you want a quick, lightweight change to the login URL and nothing else. It does one thing and does it reliably.
If you want a broader set of login protections — brute-force limiting, two-factor authentication, IP blocking — a plugin like Solid Security or Wordfence covers those features alongside the ability to rename the login page. Those are heavier installs, but worth considering for sites that handle payments, sensitive user data, or have multiple contributors.
For a standard informational or small business site, WPS Hide Login paired with a strong password and a reputable hosting environment is more than adequate.
Conclusion
Install WPS Hide Login, set a non-obvious login slug, and bookmark the result. It takes two minutes and removes one of the most targeted entry points on any WordPress site.
Etienne Basson works with website systems, SEO-driven site architecture, and technical implementation. He writes practical guides on building, structuring, and optimizing websites for long-term growth.