Security Blog

Custom login page for WordPress

How to rename wp-login.php, create a custom login URL, and protect WordPress from automated brute-force and bot attacks.


The custom login page feature is a great tool for reducing the attack surface and eliminating automatic and spam registrations. It’s the first thing you should enable on a newly installed WordPress. Another highly recommended security measure is renaming WordPress’s plugins folder.

Why it matters and why it works

According to our studies at Cerber Lab, most hacker tools and attacks assume that the targeted WordPress-powered website uses the default login page and keeps its plugins in the default folder. Although it’s recommended not to use default values on any website, many website owners ignore these simple principles, which lets hackers attack them successfully. That’s why hackers love WordPress so much, and at any given time we see hundreds of thousands of hacked websites.

Enabling your custom login page

WP Cerber Security lets you easily and safely change the default WordPress login page wp-login.php to whatever you need. In other words, you can set up your own custom login page (a custom login URL means the same in this context) and hide wp-login.php from automated attacks. You don’t need to edit the .htaccess file manually or rename your actual wp-login.php file. With WP Cerber Security, you can do it in several clicks.

  1. Go to the plugin Main Settings admin page.
  2. Enter your new desired login URL into the Custom login URL field and save the settings. That’s it.
  3. If you use a caching plugin, add your new login URL to the list of pages not to cache.
  4. Make sure that your new login URL works correctly and you can use it to log in. Do that in an incognito browser window. Do not log out from your website until you make sure that your new login URL works well.
  5. Once you’ve made sure that your new login URL works, turn on Block direct access to wp-login.php and return HTTP 404 Not Found Error and save settings.
  6. It’s recommended to turn on Disable automatic redirection to the login page when /wp-admin/ is requested by an unauthorized request.

Custom login page settings
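Steps 4 to 6 can be re-checked from a script whenever the plugin, cache, or server configuration changes. The following Python sketch is an added example, not code from WP Cerber; the site address, the slug `my-entry`, the sample responses, and the expectation that a working custom login URL answers with HTTP 200 are assumptions.

```python
import urllib.error
import urllib.request

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface 3xx responses instead of following them

def fetch(url):
    """One unauthenticated GET; returns (status, Location header or '')."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, resp.headers.get("Location") or ""
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location") or ""

def audit(site, slug, fetch=fetch):
    """Return a list of findings for steps 4-6; an empty list means all passed."""
    site, slug = site.rstrip("/"), slug.strip("/")
    findings = []
    status, _ = fetch(f"{site}/{slug}")
    if status != 200:  # assumption: a working login page answers 200
        findings.append(f"custom login URL returned {status}, expected 200")
    status, _ = fetch(f"{site}/wp-login.php")
    if status != 404:  # step 5: direct access must give 404 Not Found
        findings.append(f"wp-login.php returned {status}, expected 404")
    status, location = fetch(f"{site}/wp-admin/")
    # step 6: a redirect to the login page would disclose the custom slug
    if 300 <= status < 400 and (slug in location or "wp-login.php" in location):
        findings.append(f"/wp-admin/ redirects to the login page: {location}")
    return findings

# Constructed responses (not captured from a real site) for an offline run.
SITE, SLUG = "https://example.test", "my-entry"
HARDENED = {f"{SITE}/{SLUG}": (200, ""), f"{SITE}/wp-login.php": (404, ""),
            f"{SITE}/wp-admin/": (404, "")}
HALF_DONE = {f"{SITE}/{SLUG}": (200, ""), f"{SITE}/wp-login.php": (200, ""),
             f"{SITE}/wp-admin/": (302, f"{SITE}/{SLUG}?redirect_to=%2Fwp-admin%2F")}

if __name__ == "__main__":
    for name, table in (("hardened", HARDENED), ("half done", HALF_DONE)):
        print(name, audit(SITE, SLUG, fetch=table.get) or "OK")
```

To check your own site, call `audit()` with your site address and slug and leave out the `fetch` argument so that real requests are made.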

Important notes

  • If you use a caching plugin like W3 Total Cache or WP Super Cache you have to add the slug of the new Custom login URL to the list of pages not to cache.
  • For a WordPress multisite installation, the new login URL is set for all sites globally.
  • Never rename the wp-login.php file directly. After you update WordPress to a newer version, wp-login.php will be accessible to intruders again.

Make it more secure with Two-Factor Authentication

Consider enabling 2FA to protect admins’ accounts. Two-Factor Authentication provides an additional layer of security requiring a second factor of identification beyond just a username and password.

Learn more: How to enable Two-Factor Authentication for WordPress

Troubleshooting the Custom login URL feature

If you’ve set up your Custom login URL and later forgotten it, first check the site admin’s mailbox for the notification email about your new login URL or for any weekly email report. Those emails show your Custom login URL. If you are unable to find them, you need to reinstall the plugin manually by following the steps below.

  1. Delete the plugin folder /wp-cerber/ manually by using FTP or any File Manager in your hosting control panel.
  2. Log in to your WordPress dashboard as usual by using the default /wp-login.php URL or whatever other way you used prior to enabling the Custom login URL.
  3. Install and activate the WP Cerber Security plugin as usual.
  4. Go to the plugin Main Settings page.
  5. Check the Custom login URL field. It displays your Custom login URL that you have to use. Remember it.

Next steps that’ll strengthen your WordPress security

Have any questions?

If you have a question regarding WordPress security or WP Cerber, leave it in the comment section below or get it answered here: G2.COM/WPCerber.


I'm a team lead at Cerber Tech. I'm a software & database architect and a WordPress, PHP, SQL, and JavaScript developer. I started coding in 1993 on IBM System/370 (yeah, those were amazing days), and today software engineering at Cerber Tech is how I make my living. I've been taught to hold myself to high standards and to apply them when developing software solutions.
