Because WordPress brute force attacks are on the rise, a WordPress plugin like Lockdown WP Admin can help by letting you change the default WordPress login URL. Attackers who only know the default URLs won't reach your admin login form, so they can't continually try to guess your password and break in.

If you're curious whether your WordPress site has already had malicious users trying to log in to your admin dashboard, you can check out my guide on reviewing WordPress login attempts for easy steps on how to find out.

After you install Lockdown WP Admin, also be sure to hide the secret URL from the Meta widget so that an attacker can't discover your new admin address.

Install and configure the Lockdown WP Admin WordPress plugin

Using the steps below you can quickly install the Lockdown WP Admin plugin and configure it so that your normal WordPress login URLs of /wp-admin and wp-login.php are changed.

  1. Log in to the WordPress admin dashboard
  2. For this plugin to function correctly your site must first be using WordPress permalinks
  3. Hover over Plugins, then click on Add New

  4. Type in Lockdown WP Admin, then click on Search Plugins

  5. Click on Install Now beside the Lockdown WP Admin plugin

  6. Click OK on the confirmation pop-up window

  7. Click Activate Plugin

  8. Hover over the new Lockdown WP, then click on Lockdown WP

  9. Place a check beside Yes, please hide WP Admin from the user...

    Change your WordPress Login URL to something like secret-admin

    Leave Disable HTTP Auth selected, click Save Options

    If you use the HTTP Auth options the plugin will let you also create a secondary WordPress admin .htaccess password. This secondary password would have to be entered in, even if someone guessed your secret login URL.

    Selecting WordPress Login Credentials will prompt you for your normal WordPress admin username and password, prior to gaining access to the actual WordPress admin login page.

    If you instead use Private Usernames/Passwords you can configure a new secondary login from the Lockdown WP > Private Users section.

    In my testing of this plugin I didn't have great success with the secondary password protection, which is why I've recommended to leave it disabled as is default.

  10. Hover over Howdy, User, then click on Log Out

  11. You should see the secret-admin URL you set

  12. Try to directly access /wp-admin or wp-login.php, you get a 404 page

  13. Access the /secret-admin URL and you get your WordPress login page

Prevent WordPress Meta widget from exposing secret login URL

Unfortunately while the Lockdown WP Admin plugin does a great job securing your site from bots that might continually try to hit the default login URLs, it also updates the Meta widget in WordPress with the new updated URL as seen below:

[Screenshot: the Meta widget's Log in link still links to the secret admin URL]

There are two ways in which you can prevent your secret login URL from being shown like this.

Remove Meta widget from WordPress

  1. Log in to the WordPress admin dashboard
  2. Hover over Appearance, then click on Widgets

  3. Click on the Meta widget, then click on Delete

Edit WordPress general-template.php file to hide Log In link

You can also stop the Log in link from displaying on your WordPress site by editing your template file. Note that if you do it this way, future WordPress updates might overwrite the files in your /wp-includes directory and revert your changes, so keep that in mind.

  1. Use the cPanel File Manager Code Editor
  2. Navigate to your /wp-includes directory

    Right-click on general-template.php, then click Edit

  3. Look for this line of code:

    $link = '<a href="' . esc_url( wp_login_url($redirect) ) . '">' . __('Log in') . '</a>';

    Comment out the line above with two forward slashes //

    On the line below it, set the $link variable to be blank with this code:

    $link = '';

    You should end up with the final code looking like this, where the commented-out line and the $link = ''; line below it are your changes:

    function wp_loginout($redirect = '', $echo = true) {
        if ( ! is_user_logged_in() )
            //$link = '<a href="' . esc_url( wp_login_url($redirect) ) . '">' . __('Log in') . '</a>';
            $link = '';
        else

  4. You should now see that the Log in link is gone from the Meta widget
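
An update-safe alternative to the core-file edit above, shown as an added example that is not part of the original article: wp_loginout() passes its link through the loginout filter, so the same result can be reached from a small must-use plugin. The file name, its location in wp-content/mu-plugins/ and the function name example_hide_login_link are assumptions chosen for illustration.

```php
<?php
/**
 * Plugin Name: Hide Log In Link (added example; hypothetical name)
 *
 * Assumed location: wp-content/mu-plugins/hide-login-link.php
 * Files in mu-plugins load automatically and are not replaced when
 * WordPress core is updated, unlike edits under /wp-includes.
 */

// Do nothing if this file is requested directly instead of through WordPress.
defined( 'ABSPATH' ) || exit;

/**
 * Blank the "Log in" link that wp_loginout() builds for visitors,
 * while leaving the "Log out" link for signed-in users untouched.
 *
 * This mirrors the manual edit to general-template.php: the Meta widget
 * still renders, but it no longer prints a link to the secret login URL.
 *
 * @param string $link HTML of the Log in / Log out link.
 * @return string Empty string for logged-out visitors, the original link otherwise.
 */
function example_hide_login_link( $link ) {
	if ( ! is_user_logged_in() ) {
		return '';
	}
	return $link;
}
add_filter( 'loginout', 'example_hide_login_link' );
```

After saving the file, view the site's front page while logged out and confirm that the page source no longer contains your secret login slug.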

You should now know how to add an extra level of security to your WordPress site by making sure that bots and malicious users can't easily get to your admin log in anymore.


Related Questions

Here are a few questions related to this article that our customers have asked:
n/a Points
2014-05-27 9:48 am
Now the meta widget is gone. How does the admin sign in? And how do join the site and sign in?
Staff
20,848 Points
2014-05-27 10:53 am
Hello Kumi,

Your admin login area is now the new 'slug' you created in the plugin, such as 'http://example.com/secret'. Any members that need to log in will also need to use that URL.

If the membership plugin you use does use the meta widget, then simply re-enable it and use the other method described above that removes the login link from the page but still allowing all other links.

Kindest Regards,
Scott M
n/a Points
2014-05-28 12:56 am

How about creating a link to the new path using the Text Widget? I am also worried about those who want to register or join the site for the first time.

Staff
9,942 Points
2014-05-28 7:54 am
Placing an HTML link within a text widget would indeed be a good solution to direct those users to the correct page.
