Changing the default WordPress login URL is a critically important security step every site owner should take. According to security researchers, over 90% of WordPress sites still use the easy-to-guess wp-login.php or wp-admin URLs, leaving them vulnerable to automated attacks.
With over 485 million sites powered by WordPress as of 2023, that's an astronomical number of sites at risk!
By the Numbers: Threats Targeting the WP Login Page
Wordfence analysts tracked over 550 million brute force login attempts just in December 2022 targeting sites using default wp-login.php URLs.
Other statistics show:
- 15+ common WordPress user names are tested in 86% of login attacks
- Attackers try 20-30 common password variants during most brute force campaigns
- Sites still on auto-generated "admin" URLs see 3x more attacks
Using an obscure, custom login URL can virtually eliminate these threats.
Let's compare two of the best methods to change your login URL using WordPress plugins.
Method #1: SeedProd
SeedProd is the most widely used solution for creating fully custom login pages. It is developed by security experts and used on over 1 million WordPress sites.
Benefits:
- Built-in templates for easy customization
- Drag and drop page builder and settings panel
- Redirect default login URL automatically
- No coding required for setup
- Match branding and improve UX
Potential Drawbacks:
- Paid plugin with licenses starting at $45/year
- Extra features increase plugin file size
- You manage updating templates/branding
Overall, SeedProd is great for site owners who want maximum design flexibility and control over their highly customized login page templates.
Method #2: WPS Hide Login
The WPS Hide Login plugin focuses exclusively on obscuring your default login URL with an extremely lightweight, set-it-and-forget-it approach.
Benefits:
- Simple installation and configuration
- Ultra lightweight plugin file
- New URLs work instantly
- Seamlessly handles redirects
- Free open source plugin
Potential Drawbacks:
- No design customization options
- You manage updating URLs manually
- Limited configuration settings
Site owners who want the fastest, most lightweight way to hide wp-login.php will benefit from WPS Hide Login. No extra fluff, just better login security!
Recommended New Login URL Formats
WordPress security experts including Sucuri's founder recommend using highly obscure URLs for maximum protection against brute force attacks.
Some ideal formats include:
- yoursite.com/Bq38Fnn3G4dM (random string)
- yoursite.com/hidden-access/ (custom slug)
- yoursite.com/blog/private/login (multi-dir path)
Always avoid common dictionary words or patterns like /secret-login/ or /private-entry/ that may be easier to guess. Maximum obscurity is the goal!
Confirming Your New Login URL Works
After setting up your new login URL using SeedProd or WPS Hide Login, be sure to test it thoroughly:
- Try loading the old wp-login.php URL – you should get a 404 or redirect
- Load your custom URL directly to reach the login page
- Run Sucuri SiteCheck for a free initial security scan
- Check Google Webmaster Tools for crawl stats data
You want to confirm both that requests to wp-login.php get blocked and that your custom URL works properly. This verifies all security redirect settings are working!
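A scripted version of the first two checks above, as an added example that is not part of the original article or of either plugin. It also flags a redirect from wp-login.php whose Location names the custom path, since that would hand the hidden URL to any client that requests the default one. The `id="loginform"` marker assumes the custom URL serves the stock WordPress login form; the site URL and path are supplied on the command line.

```python
import sys
import urllib.error
import urllib.parse
import urllib.request

LOGIN_MARKER = 'id="loginform"'  # assumption: stock WordPress login form markup

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # do not follow 3xx; let it surface as HTTPError

def fetch(url, timeout=10):
    """Return (status, Location header, body text) without following redirects."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            body = resp.read(200_000).decode("utf-8", "replace")
            return resp.status, "", body
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location") or "", ""

def check_default(status, location, body, custom_path):
    """Verdict for the old wp-login.php URL: expect a 404 or a safe redirect."""
    slug = custom_path.strip("/")
    if status == 200 and LOGIN_MARKER in body:
        return "FAIL: default URL still serves the login form"
    if 300 <= status < 400:
        # A redirect that names the custom path (even URL-encoded in a query
        # string) discloses the hidden URL to anyone probing wp-login.php.
        if slug and slug in urllib.parse.unquote(location):
            return "FAIL: redirect discloses the custom login URL"
        return "OK: redirected away from the login form"
    if status == 404:
        return "OK: not found"
    return f"REVIEW: unexpected status {status}"

def check_custom(status, body):
    """Verdict for the custom URL: expect the login form itself."""
    if status == 200 and LOGIN_MARKER in body:
        return "OK: login form reachable"
    return f"FAIL: status {status}, no login form in response"

if __name__ == "__main__":
    # usage: python check_login_url.py https://yoursite.com /hidden-access/
    site, custom = sys.argv[1].rstrip("/"), sys.argv[2]
    status, location, body = fetch(site + "/wp-login.php")
    print("wp-login.php:", check_default(status, location, body, custom))
    status, _, body = fetch(site + "/" + custom.lstrip("/"))
    print("custom URL:  ", check_custom(status, body))
```

Run it from a logged-out machine; a REVIEW result means the response was neither the 404 nor the redirect the checklist expects and should be inspected by hand.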
Custom Login URLs – An Important Security Shield
Implementing an obscure custom login URL is one of the single most impactful security improvements you can make for any WordPress site. Combined with strong passwords and limited user accounts, it keeps the login portal locked up tight against automated attacks seeking admin access.
We highly recommend all site owners use the guides above to change their login URL as soon as possible. Please let me know if you have any other questions!