WordPress security explained
WordPress security explained

Why you need to use Custom login URL

Why is Custom login page a useful feature that saves your money and spare your nerves


The security through obscurity phrase is pretty popular among wordpress.org developers. It seems that those guys has small experience with real network security. Perhaps they don’t have such an experience at all? They think that a hidden or non-standard WordPress login page is intended to protect a website from hackers. They repeat like a mantra that security through obscurity is a stupid way to protect website and we should not use it. To be exact, they recently changed their mantra to a bit modified one “Security through obscurity is generally an unsound primary strategy”. But, guys, why do you think that someone wants to protect WordPress by using a Custom login page?

First of all, experienced network engineers or developers do not protect WordPress or any other website by hiding login page. I give an explanation.

Custom login page is intended to:

  1. Reduce surface of attack. It reduces the amount of server resources to handling malicious requests and human resources to maintain all those attempts to hack a website. Let’s save our money and spare our nerves?
  2. Create a trap for bots and inexperienced hackers. This is technique that WP Cerber uses to track all those bots and hackers and to lock them out. When some bot stupidly sends request to the default WordPress login URL wp-login.php, the WP Cerber plugin easily detects this malicious activity because legitimate users use the Custom login page instead. According to statistics of using WP Cerber with configured the Custom login page, about 90% of bots try to use mentioned default login URL.

How to configure Custom login page?

You can create your own Custom login page (rename default wp-login.php) in no time. After you have configured the Custom login URL, the plugin will display default wp-login.php page with a newly configured URL. Read more: How to rename wp-login.php.

Last posts from WordPress security blog




I’m a self-employed developer who builds software products and services using WordPress for more that seven years. I enjoy partnering with others for interesting and challenging projects. If you’re interested in, feel free to contact me.

View Comments
There are currently no comments.