How to change the URL of the WordPress admin panel

For anyone running a site on the WordPress platform, website security remains a live concern. The main threat is an attack on the admin console. The most widespread type is the so-called “brute force” attack: breaking into an account by trying passwords one after another. The attacker is not necessarily one of your visitors or your worst enemy. Such attempts are usually made by bots, which are built to place their links or spam comments on your website in a way that you cannot delete. Even if your site is fine right now, look into the logs in the admin section of your hosting control panel, if your hosting company provides such a service. If you see the same client trying a couple of times per second to reach:

your_website.com/wp-admin
your_website.com/wp-login.php

it is likely that a bot is guessing passwords to gain access to your website.
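
The log check described above, as an added example that is not part of the original article. It assumes an access log in Apache combined format, written in time order; the function name, thresholds and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined" access log: client IP, [timestamp], "METHOD path ..." status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
# Only the two login URLs named above; admin-ajax.php and other admin
# files are deliberately excluded because ordinary pages request them.
LOGIN_RE = re.compile(r'/(wp-login\.php|wp-admin/?)')

def find_login_floods(lines, max_hits=5, window_seconds=10):
    """Return {ip: peak} for clients that hit the login URLs more than
    max_hits times within any window_seconds span (log in time order)."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    peaks = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not LOGIN_RE.fullmatch(m["path"].split("?", 1)[0]):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits = recent[m["ip"]]
        hits.append(ts)
        while ts - hits[0] > window:  # drop requests older than the window
            hits.popleft()
        if len(hits) > max_hits:
            peaks[m["ip"]] = max(peaks.get(m["ip"], 0), len(hits))
    return peaks

# Constructed sample lines (documentation IP ranges), not real traffic:
# one client posting twice per second, one ordinary admin logging in.
SAMPLE_LOG = [
    f'203.0.113.7 - - [12/Mar/2024:10:15:{s // 2:02d} +0000] '
    '"POST /wp-login.php HTTP/1.1" 200 4521 "-" "-"'
    for s in range(8)
] + [
    '198.51.100.23 - - [12/Mar/2024:10:15:02 +0000] "GET /wp-login.php HTTP/1.1" 200 4521 "-" "-"',
    '198.51.100.23 - - [12/Mar/2024:10:15:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"',
    '198.51.100.23 - - [12/Mar/2024:10:15:10 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000 "-" "-"',
    '198.51.100.23 - - [12/Mar/2024:10:15:11 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 50 "-" "-"',
]

if __name__ == "__main__":
    for ip, peak in find_login_floods(SAMPLE_LOG).items():
        print(f"{ip}: {peak} login requests within 10 s")
```

To run it against a real log, pass the open file object instead of SAMPLE_LOG and tune max_hits and window_seconds to your own traffic.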

IMPORTANT!

Before making any changes to your site, make a full copy of it. This will help you recover your data if a change goes wrong.

Ways of changing

One of the easiest yet reasonably effective ways to protect the WP admin panel is to change the admin console URL from the well-known /wp-admin to something harder to guess that only admins know. Of course, it is also possible to allow access to the admin console only from certain IP addresses, but that is not always convenient.

The URL of the WP admin console can be changed or hidden in different ways:

  • Change the theme or CMS files (renaming the file wp-login.php and so on). You then have to remember every “manual” change and reapply it after each update.
  • Change the web server's .htaccess file (recommended).

The second option is preferable, so let us look more closely at how to modify the .htaccess file.
Add the following code to the .htaccess file:
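# BEGIN Hide console URL
<IfModule mod_rewrite.c>
RewriteEngine On

# The new login URL redirects to wp-login.php with the secret key attached.
# [R] is an external redirect, so the key shows up in the browser address bar.
# This rule has no condition and ends processing with [L], so the two
# custom_admin_url rules below it are never reached.
RewriteRule ^custom_admin_url/?$ /wp-login.php?your_secret_key [R,L]

RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$
RewriteRule ^custom_admin_url/?$ /wp-login.php?your_secret_key&redirect_to=/wp-admin/ [R,L]

RewriteRule ^custom_admin_url/?$ /wp-admin/?your_secret_key [R,L]

# Send direct requests for wp-admin and wp-login.php to a non-existent page,
# unless the request is for admin-ajax.php, comes from one of the login pages
# (Referer, a header the client sets itself), carries the secret key, is a
# logout / password reset / post password action, or has a login cookie.
RewriteCond %{SCRIPT_FILENAME} !^(.*)admin-ajax\.php
RewriteCond %{HTTP_REFERER} !^(.*)your_site.com/wp-admin
RewriteCond %{HTTP_REFERER} !^(.*)your_site.com/wp-login\.php
RewriteCond %{HTTP_REFERER} !^(.*)your_site.com/custom_admin_url
RewriteCond %{QUERY_STRING} !^your_secret_key
RewriteCond %{QUERY_STRING} !^action=logout
RewriteCond %{QUERY_STRING} !^action=rp
RewriteCond %{QUERY_STRING} !^action=postpass
RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$
RewriteRule ^.*wp-admin/?|^.*wp-login\.php /not_found [R,L]

# After logging out, return to the login form with the key attached.
RewriteCond %{QUERY_STRING} ^loggedout=true
RewriteRule ^.*$ /wp-login.php?your_secret_key [R,L]
</IfModule>
# END Hide console URL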

Where:
custom_admin_url – the new admin console URL
your_site.com – the name of your website without http://
your_secret_key – your secret key, a complex sequence of letters and numbers. For example, 2le0snq3oiqpkl7w2frc. Come up with the secret key yourself; there is no need to memorize it.

After adding this fragment to .htaccess:

  • Trying to reach your_site.com/wp-admin results in a 404 error page
  • Trying to reach your_site.com/wp-login.php results in a 404 error page

The login page is now available at your_site.com/custom_admin_url, that is, at your new link, for example your_site.com/myadmin.

There is another way, which is to change the name of the file itself. First, deny access to wp-login.php. To do this, add the following code to .htaccess:

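# Block all direct requests for wp-login.php.
# This is Apache 2.2 syntax; on Apache 2.4 without mod_access_compat,
# replace the two lines inside the block with: Require all denied
<Files wp-login.php>
Order Deny,Allow
Deny from all
</Files>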

Now find the file wp-login.php in the root of your website and make a copy of it. Rename the copy, for example to mylog.php. Then open the new mylog.php and replace every occurrence of wp-login.php inside it with mylog.php. To log in, you now type your_site.com/mylog.php into the address bar.
Now when someone tries to log in to your website using the old URLs your_site.com/wp-admin and your_site.com/wp-login.php, they will get a 404 error page. It is possible to log in only through the new link.
