Sometimes the smallest of changes can make a huge impact when it comes to performance as well as security. By default, WordPress uses https://yourdomain.com/wp-admin/ for your login URL. The problem with this is that bots, hackers, etc. all scan for these when looking for vulnerabilities and entry points into your site. We’ve worked with many sites that see 10,000+ failed attempts per day trying to gain access.
By simply changing the login to something more obscure, you can combat this. It’s also great for performance as it decreases bots scraping common areas of your site.
Change WordPress login URL
Follow the steps below to change your WordPress login URL.
Important: If you have another plugin already changing your WordPress login URL, make sure to disable it first before changing it in the Perfmatters plugin.
Click into the Perfmatters plugin settings.
Under the “Options” tab and “General” sub-navigation menu, input a new login URL under “Change Login URL.” You can change this to whatever you want. We recommend getting creative!
Important: Only add characters, no forward slashes.
Scroll down and click “Save Changes.”
When set, this will change your WordPress login URL to the provided string (https://yourdomain.com/yourstring) and will block wp-admin and wp-login endpoints from being directly accessed.
Remember to bookmark your new login URL. After you change your WordPress login URL, the old default login URL https://yourdomain.com/wp-admin/ will no longer be accessible and will result in a “This has been disabled.” message. There is no need to redirect this as it will mainly be hit by bots, and bots don’t care whether or not it’s a disabled message or 403.
403 HTTP status code
In terms of the browser request (not the user), a 403 HTTP status code is sent when someone hits the old default login URL. This means the requested resource is forbidden. This is a better approach than using, say, a 404 error.
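To confirm from your own server logs that the default login endpoints are answering with a 403, a small audit script helps. This is an added example, not Perfmatters code; it assumes an access log in combined log format, and the log lines are constructed sample data.

```python
import re
from collections import Counter

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:06:12:01 +0000] "POST /wp-login.php HTTP/1.1" 403 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:06:12:02 +0000] "POST /wp-login.php HTTP/1.1" 403 512 "-" "python-requests/2.31"
198.51.100.23 - - [10/Mar/2024:06:15:40 +0000] "GET /wp-admin/ HTTP/1.1" 403 512 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:06:15:44 +0000] "GET /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2024:07:01:09 +0000] "GET /yourstring HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2024:07:01:15 +0000] "GET /blog/hello-world/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def audit(log_text):
    """Tally hits on the default login endpoints and list unblocked ones."""
    by_status = Counter()   # status code -> hits on default login endpoints
    by_client = Counter()   # client IP  -> hits on default login endpoints
    not_blocked = []        # wp-login.php requests that did not get a 403
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = m["target"].split("?", 1)[0]  # ignore the query string
        # Only the bare endpoints count; /wp-admin/admin-ajax.php and other
        # files under /wp-admin/ are deliberately left out of the tally.
        if not (path == "/wp-login.php" or path.rstrip("/") == "/wp-admin"):
            continue
        status = int(m["status"])
        by_status[status] += 1
        by_client[m["ip"]] += 1
        # Assumption: once the login URL is changed, wp-login.php should
        # never answer with anything but 403, so other codes need a look.
        if path == "/wp-login.php" and status != 403:
            not_blocked.append((m["ip"], m["method"], m["target"], status))
    return by_status, by_client, not_blocked

if __name__ == "__main__":
    statuses, clients, review = audit(SAMPLE_LOG)
    print("status codes:", dict(statuses))
    print("top clients:", clients.most_common(5))
    print("not blocked:", review)
```

Any entry in the "not blocked" list means a request reached the old login page without a 403 and is worth checking.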
Troubleshooting login URL problems
If you are experiencing problems with your login URL, here are a few common things to try.
Exclude login URL from caching
We highly recommend that you exclude your custom login URL from caching as this can sometimes cause conflicts with other plugins. If you’re running on a WordPress host such as Kinsta, simply reach out to their support team and ask them to exclude your new login URL from caching.
If you’re utilizing a caching plugin like WP Rocket, simply add your custom URL under “Advanced → Never cache (URLs):”
Forgot login URL
Forgot your WordPress login URL? Follow these steps.
If you are experiencing problems logging in and still have access to your WordPress admin dashboard, you can try to re-save your permalinks. Click into “Permalinks” and click on “Save Changes.” This will flush out any permalink cache.
If you are using a custom login URL, any two-factor plugin that does the authentication on your own site should work fine. Here are just a couple we’ve personally tested:
Perfmatters doesn’t support Jetpack’s two-factor authentication feature at this time. This is due to how they authenticate externally with WordPress.com.