How to find hidden login page on WordPress
Easy way to find a hidden login page and dashboard on a WordPress-powered website
Let’s assume you’ve decided to hide your WordPress login page and wp-admin dashboard from hackers with a simple plugin or a trick. Do you think it works and nobody knows your secrets? Don’t be so naive.
Anyone can easily find your login and dashboard pages with the following simple tricks. Just try them on your “protected” website. It’s safe yet informative!
To find out the URL of a hidden WordPress login page, enter the following URL into the browser’s address bar:
- www.website.com/login
To find out the URL of the WordPress admin dashboard, use the following URLs:
- www.website.com/admin
- www.website.com/dashboard
Cheers! This is how hackers quickly discover and get access to your hidden stuff. And this is why they easily take over thousands of WordPress-powered websites around the world.
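To run the same check on a site you administer without clicking through a browser, the added example below (not part of the original article and not WP Cerber code) requests the three shortcut paths without following redirects and reports whether the server answers with a different URL. The verdict names, the sample responses and the slug /my-secret-door are constructed for illustration.

```python
import http.client
from urllib.parse import urljoin, urlsplit

SHORTCUTS = ("/login", "/admin", "/dashboard")  # the paths the article lists

def classify(path, status, location, request_url):
    """Judge one response to a shortcut request; returns (verdict, target_url)."""
    if status in (301, 302, 303, 307, 308) and location:
        target = urljoin(request_url, location)    # Location may be relative
        target_path = urlsplit(target).path.rstrip("/")
        if target_path == path:                    # slash/scheme/host normalisation only
            return "follow", target
        if target_path == "":                      # sent to the home page
            return "no-disclosure", target
        return "discloses", target                 # server volunteered another URL
    if status in (403, 404, 410):
        return "no-disclosure", None
    return "review", None                          # e.g. 200: some page lives here

def probe(base_url, path, hops=3):
    """Fetch base_url+path without auto-following redirects, then classify."""
    url = base_url.rstrip("/") + path
    for _ in range(hops):
        parts = urlsplit(url)
        https = parts.scheme == "https"
        conn_cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
        conn = conn_cls(parts.netloc, timeout=10)
        try:
            conn.request("GET", parts.path or "/")
            resp = conn.getresponse()
            verdict, target = classify(path, resp.status, resp.getheader("Location"), url)
        finally:
            conn.close()
        if verdict != "follow":
            return verdict, target
        url = target
    return "follow", url

def audit(base_url):  # run this against a site you administer
    return {path: probe(base_url, path) for path in SHORTCUTS}

# Constructed responses (not from a real site): the login page was moved to the
# hypothetical slug /my-secret-door, but /login still redirects to it.
SAMPLES = [("/login", 302, "https://example.test/my-secret-door/"),
           ("/admin", 301, "/admin/"),
           ("/dashboard", 404, None)]

def demo():
    return [classify(p, s, loc, "https://example.test" + p)[0] for p, s, loc in SAMPLES]
```

`demo()` works offline on the constructed samples; `audit("https://your-site.example")` performs the live requests, and any path reported as `discloses` shows that the hiding method still answers a guessable shortcut with another URL.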
How to fix that security issue? Protect your website with WP Cerber Security. It has all the necessary tools to create and protect your custom login page and WordPress dashboard from bad actors.
Mark ( )
There is a method to use, without a plugin, that stops any use of “\dashboard”, or “\admin” etc at the end of the domain URL.
Go here: https://themesgrove.com/change-wordpress-login-url-without-plugin/
I used the method at that URL and it worked.
If you choose to do it, ensure you change all entries of “wp-login.php” in the login PHP file to a totally different name. Ensure the word “login” is removed. For the example he changed it to “wp-new-tg.php”, where the word “login” was changed out.
Save the changes.
Then you have to rename the wp-login.php file to the same name you changed it to inside the login file.
If you do not rename the PHP file itself, WordPress will still work with “wp-login.php” and any attempt to use the URL extension of “/dashboard” will still go to “wp-login.php”.
Once all is done and the login file renamed as described, then any attempt to use “/dashboard” etc, will result in a 404 page.
The only downside is when you log out, you end up on a 404 page as a logout, which is not an issue because the method kills any hacker attempts to find the login page.
But, if it is important to you to be redirected as normal when logging out, then do the following,
– go to “…/wp-includes/general-template.php”.
In the “general-template.php” change all instances of “wp-login.php” to the same name you used, and save it. When you log out, WordPress redirects you as normal.
Cheers!
Mark ( )
Update:
Don’t change anything in the “…/wp-includes/general-template.php”. In that file, leave “wp-login.php” references alone.
I just found out that changing it in the “general-template.php” file is what allows WordPress to do redirects to the login page when using the URL reference of “/dashboard” etc.
If you change “wp-login.php” as described above, then the “general-template.php” file will try to redirect “\dashboard” etc queries to the original “wp-login.php” file and that is what causes it to be a 404 page and makes it a security layer blocking hackers.
Gregory ( )
Do not do that ever. This is bad practice. Editing/changing WordPress code files is an absolutely non-professional and unsafe approach. Not to mention that all the files will be replaced with newer ones when you update WordPress to a newer version. None of the mentioned PHP files (including files in the article) can be edited. Period.