Custom login page for WordPress
How to rename wp-login.php, create a custom login URL, and protect WordPress from automated brute-force and bot attacks.
The custom login page feature is a great tool for reducing the attack surface and eliminating spam registrations. It’s the first thing you should enable on a newly installed WordPress. Another highly recommended security measure is renaming WordPress’s plugins folder.
Why it matters and why it works
According to our studies at Cerber Lab, most hacker tools and attacks are based on assumptions that a victim WordPress-powered website has the default login page, and plugins are located in the default folder. Although it’s recommended not to use default values on any website, many website owners ignore these simple principles, allowing hackers to attack them with success. And that’s why hackers so love WordPress, and at any given time, we see hundreds of thousands of hacked websites.
Configure your custom login page
WP Cerber enables you to easily and safely change the default WordPress login URL wp-login.php to any URL you need. In other words, you can configure your unique, known-only-to-you custom login page (a custom login URL means the same in this context) and hide wp-login.php from bad actors, scanners, and bots. You don’t need to edit the .htaccess file or rename the wp-login.php file. With WP Cerber you can configure it in several clicks.
- Go to the plugin Main Settings admin page.
- Enter your new desired login URL into the Custom login URL field and save the settings. That’s it.
- If you use a caching plugin, add your new login URL to the list of pages not to cache.
- Make sure that your new login URL works correctly and you can use it to log in. Do that in an incognito browser window. Do not log out from your website until you make sure that your new login URL works well.
How to hide wp-login.php from bots and scanners
Once you’ve enabled the custom login page, it makes sense to hide the default WordPress login page to prevent brute-force attacks from being mounted on it. To achieve this, set the Processing wp-login.php authentication requests setting to “Block access to wp-login.php”. When someone attempts to access the page, WP Cerber renders the standard “404 Not Found” page. There is only one downside you should think about: if an attacker is smart enough, they may continue scanning the website, searching for your real login page.
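Both concerns in this section (bots hammering the default wp-login.php, and scanners probing for the relocated page) show up clearly in the web server access log once the default page returns 404. The following is an added example, not WP Cerber’s own detection logic: it parses constructed Apache/NGINX combined-format log lines and flags IPs that keep hitting wp-login.php or that collect many 404s; the custom slug /my-secret-entrance/ and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Fields we need from the Apache/NGINX "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (not real traffic): one bot posting to the hidden
# default page, one scanner hunting for the relocated page, one legitimate user.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2023:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 404 512 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 404 512 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 404 512 "-" "python-requests/2.31"
203.0.113.9 - - [10/Oct/2023:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:10:01:01 +0000] "GET /login/ HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:10:01:02 +0000] "GET /admin/ HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:10:01:03 +0000] "GET /signin/ HTTP/1.1" 404 512 "-" "Mozilla/5.0"
192.0.2.25 - - [10/Oct/2023:10:02:00 +0000] "GET /my-secret-entrance/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.25 - - [10/Oct/2023:10:02:05 +0000] "POST /my-secret-entrance/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def login_page_stats(text):
    """Per-IP counts of hits on the hidden wp-login.php and of 404 responses."""
    stats = defaultdict(lambda: {"wp_login_hits": 0, "not_found": 0})
    for rec in parse_log(text):
        s = stats[rec["ip"]]
        path = rec["path"].split("?", 1)[0]  # ignore the query string
        if path.endswith("/wp-login.php"):
            s["wp_login_hits"] += 1
        if rec["status"] == "404":
            s["not_found"] += 1
    return dict(stats)

def suspicious_ips(text, login_hits=3, scan_404s=4):
    """IPs still assuming the default login page, or scanning for the new one."""
    flagged = {}
    for ip, s in login_page_stats(text).items():
        reasons = []
        if s["wp_login_hits"] >= login_hits:
            reasons.append("brute-force attempts on default wp-login.php")
        if s["not_found"] >= scan_404s:
            reasons.append("scanning for the custom login URL")
        if reasons:
            flagged[ip] = reasons
    return flagged
```

Feed it a real access log and the flagged IPs are candidates for the plugin’s blocklist or for a web server level rule.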
How to disable wp-login.php
Another more advanced option you should consider is disabling wp-login.php without blocking access to it. How does it work? This unique WP Cerber feature stops any attempt to authenticate through wp-login.php. When attempting to log in, WP Cerber mimics the default incorrect password error and aborts the user authentication process. It doesn’t matter what password is entered; nobody is allowed to log in even with the correct password. To enable this feature, set the Processing wp-login.php authentication requests setting to “Deny authentication through wp-login.php”.
A caution to remember
If you or one of your users forget that wp-login.php is disabled and cannot be used for logging in, that person will never be able to log into the website and will get locked out after several attempts to use wp-login.php.
If you have set “Processing wp-login.php authentication requests” to any value other than the default one, you can only use your custom login URL. Neither /wp-login.php nor /wp-admin/ can be used for logging in anymore.
Important things you need to know
- If you use a caching plugin like W3 Total Cache or WP Super Cache, you have to add the slug of the new Custom login URL to the list of pages not to cache.
- For a WordPress multisite installation, the new login URL is set for all sites globally.
- Do not delete or rename the wp-login.php file manually. After updating your WordPress to a newer version, wp-login.php will be restored and accessible for intruders again.
Get it more secure with Two-Factor Authentication
Consider enabling 2FA to protect admins’ accounts. Two-Factor Authentication provides an additional layer of security requiring a second factor of identification beyond just a username and password.
Learn more: How to enable Two-Factor Authentication for WordPress
Troubleshooting the Custom login URL feature
Enabling the custom login page may cause some plugins to stop working. If you use a login page customization plugin or a social login plugin, it’s possible such a plugin doesn’t work anymore. To fix this issue, enable “Defer rendering the custom login page”. Read more about this setting.
If you’ve set up your Custom login URL and after a while forgot it, first of all, check the site admin email box for a notification email about your new login URL or any weekly email report. In those emails, you can see your Custom login URL. If you are unable to find such an email, you need to reinstall WP Cerber manually following the steps below.
- Delete the plugin folder /wp-cerber/ manually by using FTP or any File Manager in your hosting control panel.
- Log into your WordPress dashboard as usual by using the default /wp-login.php URL or whatever other method you used before enabling the Custom login URL.
- Install and activate the WP Cerber Security plugin as usual.
- Go to the plugin Main Settings page.
- Check the Custom login URL field. It displays your Custom login URL that you have to use. Remember it.
Next steps that’ll strengthen your WordPress security
- How to hide wp-admin and wp-login.php from possible attacks
- How to block spam user registrations
- How to block spam form submissions
- How to block access to WordPress REST API
- How to block specific usernames
Have any questions?
If you have a question regarding WordPress security or WP Cerber, leave them in the comments section below or get them answered on the community forum.
Spotted a bug or glitch?
We’d love to fix it! Share your bug discoveries with us here: Bug Report.
Tmart ( )
Hi, I am following your instruction but still can access wp-login.php directly; my WordPress is using mu and version 4.5.3.
Gregory ( )
Check your White IP Access List in the settings of the plugin. All IP addresses from this list are allowed to bypass this rule. Make sure that the IP address of your computer is not in the list.
tank ( )
Just to be 100% clear, if an IP address is in the IP Whitelist, then it CAN still utilize the wp-login.php?
Even if you have “Block direct access to wp-login.php and return HTTP 404 Not Found Error” checked under “Disable wp-login.php”, whitelisted IPs can still log in using wp-login.php?
Is there any way to completely disable wp-login.php for everyone (including whitelisted IPs)?
Gregory ( )
Yes, of course. Whitelisted IPs can do everything. You should trust those IPs completely. To completely disable wp-login.php you need to either use the .htaccess file or, and that is better, add a single string to the NGINX config file: http://wpcerber.com/hardening-wordpress-with-wp-cerber-and-nginx/
Vincent ( )
Hi,
I have a 404 Not Found with the new wp-login slug.
Is it related to something required on the webserver (I’m using Apache)?
Gregory ( )
What slug did you enter?
Vincent ( )
I chose “connexion” to replace wp-login.php; there’s no page called this way, so no conflict, but I still have a 404 error.
I tried to change my permalink parameters but it doesn’t change anything.
Gregory ( )
That slug is normal. Most likely some caching engine knows nothing about the new URL. It may be a caching plugin you use or some shadow caching engine that your hosting provider uses.
Vincent ( )
In fact, after some digging I found it was a misconfiguration with Apache (AllowOverride not defined).
Thanks anyway, WP-Cerber is a very interesting plugin. I’ll share it around me.
ChrisW ( )
First, thanks for one of the most helpful WP plugins around. For the custom login feature, I’d just like to suggest the following:
What about an extra sentence in the Custom Login area such as “don’t forget about the /wp-admin/ redirect, see above”?
Reason:
In the current Cerber Dashboard, the switch to
> Disable automatic redirecting to the login page when /wp-admin/ is requested by an unauthorized request
is located a few entries above the custom login switches, no direct connection, and the German translation has “Anmeldeseite” there, as opposed to “Login-Seite” later, so you don’t necessarily make the connection.
(I only found out when checking the logs and wondering how some crooks managed to find my custom login page…)
Gregory ( )
Yes, I’m going to rearrange these settings and the whole section soon.
Diane Talbotier ( )
Hi, I am sorry if my question seems a bit thick, but I am a true beginner here 😉
“Enter your new desired login URL into the Custom login URL ” : is this url the one I will use instead of mywebsite/wp-admin/ ?
Gregory ( )
No. You may not change the /wp-admin/ URL. Your custom login URL is what you use instead of the default wp-login.php
Diane Talbotier ( )
Yes, I understood; what I would like to know more precisely is what the URL is supposed to look like. Does it have to include specific words? Is there a template to use and customize? As I said previously, I am a real beginner in this field.
Gregory ( )
The right approach is using any combination of alphanumeric characters, underscores, and hyphens.
Mark ( )
I’m sorry for the dumb followup to Diane’s question: If I make my new login, for example, mysite.com/heresmyhiddenlogin, is that page used only by me (as the administrator) or is it also the page that I use to place a login form for users to log in? If the latter, I don’t really understand how it’s “hidden” since any user (legitimate or otherwise) can just look at the URL (or click the menu link to “login”) and know where the login page is? I’m sure I’m somehow missing the point.
Put differently, to be more clear: If I’m a hacker or malicious bot, can’t I just follow the “login” menu link and try to log in there, regardless of whatever URL is used?
Thanks for your patience.
Gregory ( )
If you use your custom login URL as a publicly available URL in a menu, it’s obviously not hidden. But even in this case, you can benefit from having it different than the default one because hacker tools and bots are not capable of detecting a custom login URL in a menu and simply try to attack the default wp-login.php. For now, identifying the correct/custom login URL is a job for a human being. But again, in most cases, websites are attacked in bulk by bots that assume that a website owner uses the default login page, which is, unfortunately, true for many victim websites on the web. Thus, using a custom login URL (page) is a good tool that effectively protects websites from automated attacks in cases like you’ve described. Moreover, since WP Cerber has sophisticated security algorithms, it not only provides the custom login page feature but also uses it to identify suspicious and malicious IP addresses.
Dennis ( )
Hello,
I’ve set up a custom login URL for my development site some time ago, and I set the WP-Cerber whitelist with only my IP and *.*.*.* in the blacklist. I neglected to update my whitelist before I added a new router. Now my IP is different and I can’t log in to my WordPress dashboard.
I deleted the WP-Cerber plugin folder and was able to get to my dashboard with wp-login.php. However, while I am able to install WP Cerber successfully, when I attempt to activate it, it kicks me out of the dashboard and sends me to the website, which implies a whitelist is still working somewhere. When I attempt to log in with WP-Cerber active, it tells me I’m not allowed and asks if I want to go to the website.
Am I missing a step prior to attempting to activate WP-Cerber?
Gregory ( )
Please make sure WP Cerber detects IP addresses correctly: https://wpcerber.com/wordpress-ip-address-detection/
Dennis ( )
Using your advice to clear out the Cerber tables, I was able to reinstall WP Cerber successfully. Thank you for your assistance.