These days it's common for brute force attacks against the WordPress admin dashboard. Partly because WordPress uses /wp-admin and wp-login.php to handle admin logins by default.

Using the HC Custom WP-Admin URL plugin you can very easily hide these default WordPress admin login URLs, and instead create a custom address that only you will know about.

If you think your WordPress site is under attack you can always review WordPress login attempts, and if you see any malicious attempts you can block unwanted users with .htaccess to prevent further access.

Install and setup HC Custom WP-Admin URL plugin

The HC Custom WP-Admin URL plugin works by simply adding a rule to your WordPress .htaccess file to redirect requests using the custom URL you've configured.

Following the steps below you should have the plugin configured to provide extra security for your WordPress site in just a few minutes.

  1. Login to WordPress admin dashboard.
  2. hover over plugins click on add new

    Hover over Plugins, then click on Add New

  3. fill out hc custom wp-admin click search plugins

    Fill out HC Custom WP-Admin and click Search Plugins

  4. click on install now beside hc custom wp-admin url

    Click on Install Now beside HC Custom WP-Admin URL

  5. click ok on confirmation pop up

    Click OK on the plugin install confirmation pop-up

  6. after plugin installs click activate plugin

    After the plugin installs, click on Activate Plugin

  7. hover over settings click on permalinks

    Hover over Settings and click on Permalinks

  8. fill in wp-admin slug click save changes

    The HC Custom WP-Admin URL plugin adds a WP-Admin slug setting to the bottom of your Permalinks page.

    Fill in the URL you'd like to change your WordPress login pages to. I've simply used secret and then clicked on Save Changes.

    The WP-Admin URL slug is convered to all lowercase as pointed out in the comment below.

  9. hover over howdy user click log out

    At the top-right, hover over Howdy, User and click on Log Out

  10. admin urls updated showing front page

    Now if you try to access your WordPress admin dashboard with the default /wp-admin or wp-login.php URLs, you'll simply see your WordPress front page instead of the dashboard.

  11. access secret admin url

    If we instead use the new WP-ADMIN slug that we setup of secret we are then presented with the normal WordPress admin login form.

  12. wp-admin access allowed after using secret url

    After you login using the WP-ADMIN slug that you setup, you'll be presented with your normal WordPress admin dashboard again.

 

You should now have successfully added an extra level of security to your WordPress site that should help prevent malicious users from gaining access to your website.

Did you find this article helpful?

We value your feedback!

Why was this article not helpful? (Check all that apply)
The article is too difficult or too technical to follow.
There is a step or detail missing from the instructions.
The information is incorrect or out-of-date.
It does not resolve the question/problem I have.
How did you find this article?
Please tell us how we can improve this article:
Email Address
Name

new! - Enter your name and email address above and we will post your feedback in the comments on this page!

Related Questions

Here are a few questions related to this article that our customers have asked:
Ooops! It looks like there are no questions about this page.
Would you like to ask a question about this page? If so, click the button below!
Ask a Question
n/a Points
2014-03-06 4:07 pm

This plugin is NOT compatible with Wordpress 3.8!!!

Staff
9,968 Points
2014-03-06 4:40 pm
Hello ZoD Gaudette,

While this plugin doesn't officially support WordPress 3.8 in terms of having it on the WordPress plugin page as a compatible release yet. It does indeed function with WordPress 3.8 which is the version of WordPress this article was written using.

I just installed a fresh copy of the latest WordPress 3.8.1 and tested it out and this plugin still functions.

If you've installed this plugin and are having issues accessing your WordPresss dashboard afterwards, you might want to try clearing your local web-browser's cache. We've seen instances where the server's .htaccess file which contains the redirect code that this plugin uses, gets cached on a users computer, and they can't see the updated changes.

If you're having another specific problem at all using this plugin with the newer versions of WordPress, please let us know!

- Jacob
n/a Points
2014-03-06 6:53 pm

I've completely lost access to my Admin... how do I get it back?... 

I added slug at the end of the URL, like this: .com/wp-admin slug

Was that the right way to do it?

 

 

Staff
9,684 Points
2014-03-07 11:23 am
Hello Richard Keith,

Thank you for your question. You should add the slug with no spaces like this:
example.com/wp-admin/slug

You may have to clear your browser cache before it will work.

If you have any further questions, feel free to post them below.
Thank you,

-John-Paul
n/a Points
2014-03-07 1:17 pm

Hi John-Paul,  

I am able to get to the URL/website search reply, not the admin... how do I proceed to the WP admin to edit the website? Is there a way to undo this?

Thanks, Richard

Staff
9,968 Points
2014-03-07 1:58 pm
Hello Richard,

Sorry for the confusion, your WordPress admin area should still be accessible after you installed the HC Custom WP-Admin URL plugin. You just need use the WP-admin slug that you set from step #8.

If your WordPress dashboard was available at:

http://example.com/wp-admin

If you set your WP-admin slug to secret like my example in this guide. You would then be able to get to your dashboard from:

http://example.com/secret.

Essentially the WP-admin slug you set with this plugin, becomes your new URL for accessing the dashboard going forward.

If you did want to undo the changes made by the plugin, you could edit your .htaccess file in your WordPress directory. Just comment out by placing a # symbol at the front of the line, the one that reads something like:

RewriteRule ^secret/?$ /wp-login.php [QSA,L]


Then save your .htaccess file, clear your browser's cache, then try to access the admin dashboard normally again from:

http://example.com/wp-admin

If you're still having any issues accessing your dashboard after installing, or disabling this plugin, please let us know!

- Jacob
n/a Points
2014-05-25 9:41 pm

Hi,

I used the HC Custom WP-Admin URL procedure but did not notice that in step #8 I needed to add the entire URL for my site and instead just entered a set of letters and numbers. Now I cannot access my WP admin page. Step #8 could have been made more clear if instead of showing the word "secret" you showed an entire URL with /secret at the end. What can I do now?

Thanks for any help you can give me,

Rich

 

 

Staff
19,557 Points
2014-05-26 2:50 pm
Hello Richard,

In step #8 you only have to add the 'slug', not the entire URL. What type of error are you getting?

Kindest Regards,
Scott M
n/a Points
2014-03-06 11:12 pm

Fantastic. Thank you for the steps and pictures.  It helps!

n/a Points
2014-03-16 12:19 pm

Hi Jacob, 

As embarassing as it is, I can't remember what word I selected in step 8. I have tried what I remember it to be but I am not getting to my dashboard.

Any suggestions?

Thanks, 

Aaron

Staff
9,684 Points
2014-03-17 9:10 am
Hello Aaron,

Thank you for your question. You can view your slug in your .htaccess file; which is located in the root folder where your Wordpress is installed.

For example: If you chose test as your slug it will look like this in the .htaccess file:

RewriteRule ^test/?$ /wp-login.php [QSA,L]

If you have any further questions, feel free to post them below.
Thank you,

-John-Paul
n/a Points
2014-03-21 1:06 pm

Hi Jacob,

I've followed the steps given and it worked on the login page. Once logged in, I want to change the wp-admin url to slug that I set before ( http://www.inmotionhosting.com/support/images/stories/wordpress-plugins/hc-custom-wp-admin-url/wp-admin-access-allowed-after-using-secret-url.png )

How to do that?Thank you.

Staff
9,684 Points
2014-03-21 1:56 pm
Hello Handy,

Thank you for your question. Since you are using "HC Custom WP-Admin" to mask your wp-admin folder from the outside, there is no need to rename your wp-admin folder.

The Wordpress community recommends using a plugin to accomplish this, as can be seen in this forum post.

I did find a possible solution through google search here.

If you have any further questions, feel free to post them below.
Thank you,

-John-Paul
n/a Points
2014-03-23 12:33 pm

IN installed the plub in but am getting an error message after changing my slug name and saving the name.  now allowing me to write that slug name for some reason.  It then asks me to copy some code.  I'm not sure what do do here. 

Staff
9,162 Points
2014-03-24 9:56 am
This would be caused by your .htaccess file not being writable. You would need to either copy the code provided into your .htaccess file, or adjust the permissions of your .htaccess file to allow writing to it, which would typically be permissions of 644.
n/a Points
2014-03-24 9:46 am

This plugin actually doesn't work with WP 3.8.1.  Using it caused me to lose access to WP as the slug does not work for login.  Additionally, there are much better security plugins that do work.  The WP help is mostly out of date and your support staff seems to not know that.

Staff
9,162 Points
2014-03-24 10:02 am
We have tested and confirmed that the plugin is operating correctly within WordPress 3.8.1. Be sure that you fully clear your browser cache after changing the WordPress admin URL.
n/a Points
2014-03-27 7:46 pm

Definitely doesn't work with current wordpress install. Installed...says this when I try to access the new slug I set up:

Not Found

Sorry, but you are looking for something that isn't here.

 

Lost access to both wp-admin and wp-login. Tried clearing cache...different browsers...and different computers.

Now off to find my .htcaccess file and try and figure out how to fix.

Cheers

Staff
9,968 Points
2014-03-27 7:59 pm
Hello J,

As discussed in the comments above, this plugin does indeed function with the latest version of WordPress and has been tested many times. Make sure that you clear your web-browser's cache prior to attempting to access your dashboard over the new secret URL.

If you're having a specific problem accessing your WordPress dashboard now, you should simply be able to find your .htaccess file, and look for this line:

RewriteRule ^secret/?$ /wp-login.php [QSA,L]


That should be the secret slug you want to use to attempt to access your dashboard now. Unfortunately I was unable to find any account information with us to check on this for you. So if you're hosting with us and still having any issues getting it working please submit a ticket in order for us to investigate what might be wrong with your install.

You can manually disable WordPress plugins in bulk which should disable the custom admin URL plugin and allow you back in regardless. It's also possible you have another plugin that could be interfering with the HC Custom WP-Admin URL plugin, so you could try re-enabling your plugins one at a time till you find an issue.

- Jacob
n/a Points
2014-04-05 2:15 am

Hi,

This is nice plugin and works fine with my WP 3.4.2.

But I have comments enabled in blog. If I am not looged in, it shows a text "Please log in or register to post a comment and join the discussion." on main blog page. Login link here does not work now. Because it points to wp-login.php and it redirects user to home page.

Do you have a fix for this?

Thanks,

John

Staff
9,968 Points
2014-04-05 3:19 am

Hello John,

After changing your wp-login.php URL with the HC Custom WP-Admin URL plugin, you can modify your /wp-includes/general-template.php file to reflect this change as well in your Meta widget.

If you edit that file, look for this section of code:
function
wp_loginout($redirect = '', $echo = true) {
if ( ! is_user_logged_in() )
$link = '<a href="' . esc_url( wp_login_url($redirect) ) . '">' . __('Log in') . '</a>';
else
$link = '<a href="' . esc_url( wp_logout_url($redirect) ) . '">' . __('Log out') . '</a>';

The line that I've highlighted is the way WordPress creates the Log in link. You could instead change this to the following if your WP-Admin slug was set to wp-secret:
//$link = '<a href="' . esc_url( wp_login_url($redirect) ) . '">' . __('Log in') . '</a>';
$link = '<a href="wp-secret">Log in</a>';

You don't need to modify the Log Out link, because once you're logged into WordPress you can send requests to wp-login.php as normal.

Please let me know if that works for you. If you're still having issues, and would like us to take a closer look please let us know the site you're having these problems on.

- Jacob
n/a Points
2014-04-05 6:40 am

Thank you very much for quick reply Jacob!

Yes, the fix you provided worked fine for me. I ended up changing following 4 files for login links based on your direction.

corelight/wp-includes/general-template.php

corelight/wp-content/themes/Corelight/category.php

corelight/wp-content/themes/Corelight/index.php

corelight/wp-content/themes/Corelight/archives.php

Cheers!

John

Staff
19,557 Points
2014-04-06 7:39 pm
Hello John,
We are happy to hear Jacob was able to get things squared away for you. Please do not hesitate to contact us again if you have any further questions.

Kindest Regards,
Scott M
n/a Points
2014-04-16 4:15 pm

Your customer support team gave me this article link, and I installed the plugin (great instructions, btw) ... however, because I have a custom login button, it just disabled the login. Of couse I was able to log in by putting the correct slug in ....

Are you able to help me modify the custom login so that it works?

I have had a very bad day with a full site restore needed because of hackers. I would really like to prevent this in the future.

Thanks for your help!

Gillian

 

Staff
9,968 Points
2014-04-16 4:30 pm
Hello Gillian,

You should be able to simply edit your custom login button to reflect the new secret admin URL slug that you used. You can look at my comment a few responses up talking about modifying the WordPress login link and see if that works for you.

If not, please let us know how you are adding the custom login button, either with a plugin or theme.

- Jacob
n/a Points
2014-04-16 4:55 pm

Hi Jacob,

Actually Inmotion did my design for the website cognitiveresults.com ... it's based on a Twenty-Eleven theme and they coded in the button...

Are you able to look at the code from your end to help me out?

I just don't want to mess anything up after today's challenges!

Thanks,

Gillian

 

Staff
17,351 Points
2014-04-16 6:12 pm
Hello Gillian,

I reviewed the suggestions that Jacob suggested above and made the changes for you. Your login link for admin is now based on slug you set up for it. I verified that it's working. Check it out and let us know if you have any further questions.

Regards,
Arnel C.
n/a Points
2014-04-16 7:18 pm

Thanks so much Arnel!!

I appreciate it so much that you helped out. 

My next question is the Login button is riding along in the header on every page, so it's confusing for customers because they get an error when they try to log in on a page other than the Home page. Is there a way to move this Login button into the Home page sidebar instead so it only shows on the Home page?

I appreciate so much the help because I don't want to mess it up. I don't know how to remove the login button from the header.

THANKS!

Gillian

Staff
17,351 Points
2014-04-16 7:49 pm
Hello Gillian,

Sorry for the problem there. What was happening was the re-write was trying to load the slug you specified earlier for each page, meaning the URL was being loaded incorrectly. I have corrected it so the error does not appear when you click on the login button. This was a site created by InMotion Web Design, so if you're asking changes to the design it really should go back to them, unless you intend to modify it yourself. You can change what's in the header by simply editing the theme editor so that the LOGIN button is longer at the top. Moving it to another location would require more some design consideration, especially you'd have to either move or resize elements that are already in place.

Apologies that I can't make all of the changes, but I hope this helps to provide a workable solution.

Regards,
Arnel C.
n/a Points
2014-04-16 7:56 pm

That's perfect - you've fixed it :)

No need to move the login if it's loading right from any page.

Thank you so very much again!

Gillian

Staff
9,968 Points
2014-04-17 6:55 pm
Hello Gillian,

Arnel simply followed the steps that I previously mentioned further up in the comments about modifying the WordPress login link.

It doesn't look like you had sufficient protection setup, as both your wp-login.php script and /wp-admin directory were accessible to anyone because you had uninstalled the HC Custom WP-Admin URL plugin.

I went ahead and reinstalled that plugin for you and ensured things were setup correctly.

As far as the code Arnel edited for you, as the instructions for modifying the WordPress login link explain, you just open up your /wp-includes/general-template.php file and then add the highlighted code where example.com/custom-wp-link would be your domain followed by the custom URL you setup in the plugin:

function wp_loginout($redirect = '', $echo = true) {
if ( ! is_user_logged_in() )
//$link = '<a href="' . esc_url( wp_login_url($redirect) ) . '">' . __('Log in') . '';
$link='<a href="http://example.com/custom-wp-link">Log in</a>';


Let us know if you have any further questions!

- Jacob
n/a Points
2014-04-17 7:15 pm

Hello Jacob,

I uninstalled the plugin because I could not log in to the site. It keeps returning me to the home page every time.

I have uninstalled the plugin again because I have 60 paid customers accessing the site and they must be able to login at any time.

I am not sure why we can't fix this issue. Would you please look into this further?

Thank you.

Gillian

p.s. your service people had originally altered the .htaccess file so that you could only log in from the home page, which is a good thing because it requires a manual click by the customer to login.

I am wondering if this plug in is competing with the alterations in the .htaccess file (it does say in the plugin's warnings that this can happen!!)

 

Staff
9,968 Points
2014-04-17 7:38 pm
Hello again Gillian,

Are you able to login now? I simply re-installed the plugin and was able to access the website as normal as well as the admin dashboard. You might have possibly had another .htaccess rule conflicting with the plugin, but I'm not sure what that would have been because it is not present now.

If you're having any issues at all accessing the WordPress admin from your login link, you will want to make sure to clear your web-browser cache to make sure that you are in fact loading up the latest rules.

- Jacob

n/a Points
2014-04-18 11:01 am

Hi Jacob,

Yes I am able to login from the site, and it redirects properly to best-customers-ever BUT I am also able to login from wp-login.php, which is what Larry W. in service was supposed to have changed for me.

To foil the Brute Force Attacks, the ability to login from the default login page for Wordpress was supposed to have been blocked, which was happening before we got into the plugin that messed everything up.

Can you please fix this?

This is what I need:

1) client not able to login from wp-login.php *** key for the Brute Force attacks

2) client only able to login by clicking the login button on the site, not through a cached wp-login.php page *** key for Brute Force

3) client able to login from any page on the website with the login button ** key for customer service

Hope that helps - it sure would be easier to talk on the phone rather than have 20 emails back and forth.

Thanks,

Gillian

 

Staff
9,968 Points
2014-04-18 3:29 pm
Hello Gillian,

I agree that reaching out to live tech support would probably help you resolve this issue better if you continue to have problems.

Unfortunately I've set things up for you and tested them to work, but then the HC Custom WP-Admin URL plugin gets disabled, which re-allows access to /wp-admin and wp-login.php once again which in turns triggers our ModSecurity rules when you have failed login attempts.

I have once again re-enabled this plugin for you, and I can confirm right now that trying to directly go to either of those URLs results in just your front page loading. Using the secret admin slug of best-customers-ever the normal WordPress login page is displayed. This is also still what your template that we edited is having your Login button going to.

If you are not seeing this behavior, then clear your web browser's cache. Or even better open a new Incognito or Private browsing window to ensure that your computer is not caching anything related to the WordPress login. You should see when trying to access either /wp-admin or wp-login.php that your main page will simply be loaded again, but if you click on the Log in link it should work.

If certain users are having issues, and you disable the plugin, it's just going to allow access back to the default admin URLs and possibly trigger a block again. So I'd recommend towards telling all your members to not attempt to log in if their browser happens to say /wp-login.php at the end and only if they are using the Log In button or the secret slug URL.

- Jacob
n/a Points
2014-04-18 3:48 pm

Hi Jacob,

At this point I am extremely frustrated because I cannot log in, nor can my 60 clients.

I do not want the plugin enabled, but I can't login to remove it.

What I want is what Larry W. in service did, which was change the .htaccess so that a client had to click on the login button manually to log in.

I do not want a secret login anymore, because it is NOT WORKING.

I have cleared all of the caches and used brand-new browsers and it is definitely NOT WORKING.

Please remove the plugin.

In the future, I need someone to phone before making changes to the site. I was kicked off the site when you went in to make changes and the only way I found out was through my cPanel. You can't just go in and boot off people.

Please fix this issue right now!

Gillian

n/a Points
2014-04-18 3:59 pm

Hi Jacob,

I am speaking with live support now - please leave the account alone. 

I sure hope they can let you know that they've made the changes.

Thanks,

Gillian

n/a Points
2014-04-19 10:54 am

Hello Arnel and Jacob,

Whatever coding got changed in this thread, live support cannot find and fix. Not happy, but more disappointed. Something in the Inmotion cog wheels need to be fixed - the left hand is not working with the right hand. 

They have referred me back to yourselves to fix it.

My customers have been unable to login for 2 days now.

The HT plugin has been disabled and removed and I do not want that plugin back in the system.

The problem is now that the login button keeps referring to best-customers-ever and there is no such thing so an error results.

Would you please REMOVE the coding that does this (Arnel I think put it in), and please KEEP the coding in the .htaccess file that was from the article Lock down Wordpress in the section: Dynamic IP address access, limit by referer.

Please test that:

1) customers can only login in via the cognitiveresults.com blue button on the main page

2) customers cannot login via wp-login.php in a cached form - they have to click on a blue button

Thank you in advance for considering this a priority.

Gillian

n/a Points
2014-04-19 7:16 pm

Hi Jacob,

I'm assuming you were off this weekend, as the comments did not post ... 

Just to let you know live support is doing a full site restore to the 16th, along with my database backups. The .htaccess file they are using will have the snippet of code at the top for the redirect in the case of multiple IP addresses. The plugin will not be on there.

I really hope this fixes everything ... my customers have been great about it and not given me grief for not being able to login.

I thought I would let you know so that you don't go in to the files and waste your time looking for code that won't be there. :)

Crossing my fingers now ... 

Thank you,

Gillian

n/a Points
2014-04-17 12:32 pm

I'm trying to get off the email notifications!

Staff
9,162 Points
2014-04-17 12:36 pm
We have now added an unsubscribe link within the email notification. Simply click this link to be removed from this article.
n/a Points
2014-04-19 1:41 am

How does this plugin affect the ability to access the backend using the WordPress mobile apps? I tend to write my blog using the Android app as opposed to logging in via web browser.

Staff
9,162 Points
2014-04-21 8:05 am
We have not fully tested the use of the WordPress mobile app after changing the admin URL, however, as it is just a rewrite, we assume it will work fine. If you have confirmed it working or not working, let us know so that we can report it to others.
n/a Points
2014-04-20 8:25 am

Hi Jacob,

I tried the instructions above serveral times but with no luck. I end up removing the script in .htaccess to be able to login again to the site. I have W3 Total Cache installed in the site, it might be the reason why the plugin is not working. Would it be possible to make HC Custom WP-Admin work with W3 Total Cache? If yes, do you have any instructions on how? 

Thank you in Advance!

 

 

Staff
9,162 Points
2014-04-21 8:07 am
We have tested this plugin alongside W3 Total Cache and have seen that it is working correctly, however, the cache will need to be purchased within the W3 Total Cache plugin as well as your browser cache will need to be cleared to access the WordPress admin correctly.
n/a Points
2014-04-22 1:43 am

I appreciate your support on this topic.

However, I would highly recommend against suggesting this particular plugin.  It has one of the lowest ratings, lowest download numbers, a four month back up in the support forums.

I know plugins are a ton of work to create and maintain and authors sometimes have other priorities.  So it's no ones fault, but "Rename wp-login.php" has a perfect score, double the downloads, excellent support and even identifies caching conflicts on activation and recommends the proper action.

 

I hope this helps.

n/a Points
2014-05-01 8:47 pm

This is not a good recommendation - If anyone is looking for the best Wordpress security plugin, it's "ithemes security", aka 'Better WP Security'.

You only have to look at the ratings to be convinced. It'll do what is suggested here and more.

Damn this is sounding super spammy, sorry but it's worth mentioning... ha ha. Seriously, this plugin is a winner.

 

B

Staff
17,351 Points
2014-05-01 9:50 pm
Thanks for the comment, Ben.

I can understand when you have a recommendation based on experience. Please bear in mind that any plugin that needs to be called up for any security event will have a resource cost on the server. If the server is being hit by a large brute force attack, then this may still cause downtime issues. The suggestions made by Jacob provide security changes that help to stop attacks BEFORE a WordPress plugin/process is running. This helps to provide security while also avoiding a large impact on server resources.

Kindest regards,
Arnel C.
n/a Points
2014-05-02 1:07 am

Hi Ben,

 

Thanks for the suggestion.

 

However, I would look closer at the ratings you're referencing.  

 

"WP Better Security", now known as "iThemes Security" had one of the best ratings history's PRIOR to being purchased by iThemes.  Since iThemes purchased the plugin around March of this year and made their changes, it has received approximately 90 Single Star Ratings and 37 Five Star Ratings.

 

So the current iThemes release of this plugin is about a 1.4 Star out of 5.

 

I do use iThemes Security on one of my sites and have been happy with it, but you need to look closely at the ratings and read the good and bad to get the full picture.  There's currently a lot of angry people at iThemes.

 

I'd also like to reiterate the Inmotion's support staff's suggestion relating to this article is a very effective and lightweight solution.

n/a Points
2014-05-02 10:20 pm

Hey Arn & Carl,

   Firstly, I do apologise!! You're absolutely right Carl.. it's a shame to think itheme's has butchered this plugin because 'Better WP Security' was (is) great.

Sounds like it could be a similar (although not as severe) situation as Nextgen gallery, man that was an epic fall from grace!

Arn your right, that's something I didn't consider.. again, apologies for providing an inferior option. Personal opinion can obviously be problematic when something works for you.. especially when you haven't considered all angles.

^^ Listen to these guys, they're the pros ^^^

Cheers B

Staff
17,351 Points
2014-05-05 1:38 pm
Ben,

Thanks for the comment - and the compliment! It's all good. We understand that many people have varying opinions and may come from a variety of backgrounds. We just try our best to be fair and open-minded to the opinions expressed. We try to avoid negativity and we hope to relay the best solution - whether it's from our staff or from any one willing to contribute. So, many thanks for your input!

Regards,
Arnel C.
Community Support Team
n/a Points
2014-05-01 11:16 pm

I followed the instructions and downloaded the plugin where this is the 2nd locked out I have had in past week after a mass attack. The plugin installed easily enough and it is working as described. Thanks.

n/a Points
2014-05-04 8:12 pm

I'm trying to find my htaccess in cPanel but do not know where to start - can someone help?  i need to reset the slug because it did not work for me even after clearing my cache. 

I have a blog deadline by tomorrow and any help would be great ASAP. 

Thanks!

Lisa

 

Staff
9,684 Points
2014-05-05 12:09 pm
Hello Lisa,

Thank you for contacting us. Here is a link to our helpful guide on how to manage files in your account.

The easiest option may be to use the File Manager in cpanel.

If you have any further questions, feel free to post them below.
Thank you,

-John-Paul
n/a Points
2014-05-21 1:57 pm

For the record, whatever "slug" you use, it will have to be converted to all lowercase letters when you use it to sign in.  Thus, if your slug is "BigMack", you will sign in using "/bigmack"  I found this out after a few hours of frustration over not being able to sign into my account!  (I kept getting 404 errors.)  Maybe everyone in the world already knows this, but I didn't.

Staff
9,968 Points
2014-05-21 2:27 pm
Hello BigMack, and thank you for your comment.

Thanks for pointing this out, it does look like when you create your WP-Admin Slug it does mention below it Allowed characters are a-z, 0-9, - and _ excluding any capital letters. That's an easy thing to miss though!

I'll go ahead and update this article as well to hopefully save anyone else from having the same issues.

Thanks again for commenting and letting us know!

- Jacob
n/a Points
2014-06-04 2:24 pm

Thank you very much for this explanation!

I just installed the plugin and changed the login link. When I logged out and clicked on the previous login link, it didn't work anymore, just as you mentioned above. However, shortly afterwards, the old login link worked again, meaning I now have to login links - the old one and the new WP slug one. 

Do you know why the old login link works again, and if there is anything I can do to only have the new WP slug login link work? 

Thank you very much in advance for your help!

Best, 

Christine

Staff
9,968 Points
2014-06-04 2:36 pm
Hello Christine,

Glad the steps helped you get the plugin installed. After logging in with your /secret WordPress admin slug, you can then access the normal URL as long as you are logged in.

After logging out of WordPress, if you are still able to directly access your WordPress admin login page from either /wp-admin or /wp-login.php then you might want to clear you web browser's cache. It sounds like possibly your computer is caching the old .htaccess file so it isn't requiring the redirect through the secret URL.

If that still isn't working, are you sure that the HC Custom WP Admin plugin is still enabled in WordPress under the Plugins section?

Please let us know if you're still having any problems, or if you have any other questions at all!

- Jacob
n/a Points
2014-06-04 3:18 pm

Hi Jacob, 

 

Thanks a lot! Clearing the cache seems to have worked! :) 

 

Best, 

Christine

n/a Points
2014-06-05 11:24 am

Same problem as others. Can't access log-in. Both mainpage/blog/wp-login.php/secret and mainpage/blog/wp-login.php take me to my site's home page. I've cleared cache, cookies and history multiple times.

Staff
9,968 Points
2014-06-05 7:04 pm
Hello Angelina,

It sounds like you might be attempting to access your WordPress admin incorrectly. If you've already setup your WP-Admin slug in the plugin settings you would get re-directed to your homepage using either of these URLs:

http://example.com/blog/wp-login.php
http://example.com/blog/wp-login.php/secret

With the HC Custom WP-Admin URL plugin, you are replacing the wp-login.php with what you set for the WP-Admin slug. So when the plugin is activated you need to access your WordPress admin dashboard with:

http://example.com/blog/secret

Please let us know if you're still having any issues at all getting it to work.

- Jacob
n/a Points
2014-06-05 7:50 pm

Tried that earlier. I just emptied my cache and tried that again. When I enter that, I get an Error 404 - Page Not Found message. I've tried every blog/secret or wp-login.php/secret or wp-admin/secret derivative I can think of.

Staff
9,968 Points
2014-06-05 8:09 pm
Hello Angelina,

If you open up your .htaccess file which in your case sounds like it should be located at /blog/.htaccess, do you see a line like this:

RewriteRule ^secret/?$ /wp-login.php [QSA,L]


This is the RewriteRule that converts your hidden WordPress admin slug to the normal wp-login.php script internally.

Are you sure that you're entering in the same slug that you've set with the plugin? You should be able to verify it with that line.

If you're still having issues, you can simply remove the line manually from your .htaccess file, and you should be able to access your WordPress admin normally again.

If you're still having issues and have your website hosted with us, feel free to comment back with your domain name and we can take a look for you. We can take your domain name out of your comment prior to approving it to be displayed to the public.

- Jacob
n/a Points
2014-06-05 9:28 pm

Jacob,

Thanks for the help. Our website has a home page that is served out of the root public-html directory, while the blog is served out of the /blog directory. The plugin seemed to have changed the root .htaccess file and not the .htaccess file in the /blog directory.

We manually updated the .htaccess file in the /blog directory, and that allowed us to get to the login screen.

Once logged in, it was redirecting us to the home page rather than the admin tool. So, as mentioned in an earlier comment, we removed the rewrite rule from the .htaccess file in the root public-html directory.

That fixed the issue, and everything is working properly. I wanted to let you know that's what we had to do, in case it helps other customers.

Good luck!

n/a Points
2014-06-17 11:58 pm

I get these warnings when I go to the login page at the slug:

Warning: file(/.htaccess) [function.file]: failed to open stream: No such file or directory in /home/geeksi5/public_html/thepeckfamily.us/wp-content/plugins/hc-custom-wp-admin-url/hc-custom-wp-admin-url.php on line 137

Warning: implode() [function.implode]: Invalid arguments passed in /home/geeksi5/public_html/thepeckfamily.us/wp-content/plugins/hc-custom-wp-admin-url/hc-custom-wp-admin-url.php on line 137

Then when I try to log in I get a page of errors. The plugin says it can't write to .htaccess but I've checked and the permissions on the file are 644.

If I disable the plugin you lock my site. If I have the plugin enabled my site is broken and I can't log in to it.

Staff
9,162 Points
2014-06-18 8:21 am
It looks like you may have removed the plugin. So that I can see what you are seeing, could you re-activate it?
n/a Points
2014-06-18 1:21 pm

I got a reply to my previous post though I don't see it here now. I have reactivated the plugin, so of course I can no longer access my site - so please let me know when you are done looking at it. I put in the slug loggins and when I saved I got a white page with just the following errors:

Warning: file(/.htaccess) [function.file]: failed to open stream: No such file or directory in /home/userna5/public_html/wp-content/plugins/hc-custom-wp-admin-url/hc-custom-wp-admin-url.php on line 52

Warning: implode() [function.implode]: Invalid arguments passed in /home/userna5/public_html/wp-content/plugins/hc-custom-wp-admin-url/hc-custom-wp-admin-url.phpon line 52

Warning: fwrite() expects parameter 1 to be resource, boolean given in /home/userna5/public_html/wp-content/plugins/hc-custom-wp-admin-url/hc-custom-wp-admin-url.phpon line 68

Warning: Cannot modify header information - headers already sent by (output started at /home/userna5/public_html/wp-content/plugins/hc-custom-wp-admin-url/hc-custom-wp-admin-url.php:52) in /home/userna5/public_html/wp-includes/pluggable.php on line 1121

If I go to the login page now I get the errors I mentioned before and loggin in fails.

Staff
9,968 Points
2014-06-18 4:20 pm
Hello JR,

If you can't access the WordPress dashboard with the plugin enabled you can find your .htaccess file, and look for this line:

RewriteRule ^secret/?$ /wp-login.php [QSA,L]


Then just remove or comment that line out with a # symbol at the front of the line and save the file.

You can disable WordPress plugins in bulk which should disable the custom admin URL plugin and allow you back in.

It could be that this plugin is interfering with another plugin or it is not properly working with your site not being in the main /public_html directory of the account.

This plugin installed on a fresh copy of WordPress doesn't run into the errors you've mentioned. So I might recommend instead using a secondary WordPress admin password to restrict access to the admin dashboard in your case.

Please let us know if you're still having issues.

- Jacob
n/a Points
2014-06-18 2:27 pm

Worked flawless!

Just remember to clear cache otherwise typing your new WP-URL or WP-ADMIN will both work or redirect you to the login.

Thanks again!

Staff
9,968 Points
2014-06-18 3:11 pm
Hello Ivan,

Glad to hear the plugin worked out for you. I will add a section to this guide about being sure to clear your cache because what you said about both being accessible is true.

Some users have also had problems with their new admin slug not working until they clear browser cache.

Thanks for your comment!

- Jacob
n/a Points
2014-07-10 8:10 am
it is no true. the plugin doesn't change anything at all, only thing: you now will be able to login with "/secret" a swell, beneath of normal "wp-login or wp-admin"
Staff
9,162 Points
2014-07-10 10:18 am
It will disallow login using wp-admin and wp-login.php. It seems you may have a caching issue in which you need to clear your browser cache.
n/a Points
2014-08-03 10:47 am

I have read through almost all the comments on this article. I think that most of the people who are having issues are maybe new to working with Wordpress and/or websites in general.

And, that's OK. Experience is a great teacher.

I'm fairly advanced as a Wordpress user and website builder.

I installed this plugin on three of my Wordpress sites in about five minutes. That included editing my RoboForm password manger and have had 'ZERO' issues with this plugin working.

I'm also running the latest version 3.9.1 of WP. Now we'll see what difference it makes in the brute force attacks that have started again over the past week.

Thanks for a great article and plugin,

Ernie Hodge

 

n/a Points
2014-08-11 2:44 pm

Just wanted to update what has happened on the WP sites that I installed this on. I also installed the security-protection2.0 plugin as well because I didn't think that would hurt.

I have had ZERO emails about any failed login attempts.

I'm a happy camper.

 

n/a Points
2014-08-11 3:25 am

yes this plugin is good and it satisfy my requirment but my requirment also includes likewp-admin should be accessible for certain ip addresss.For e.g http://localhost/wordpress-3.9.2/vc-login           xx.xx.xx.xx/wp-adminshould work

then what rule i should write in .htaccess file.

Staff
19,557 Points
2014-08-11 12:57 pm
Hello Narola,

If you want to deny all access from a specific area but allow specific IP addresses, you will want to use a format like the one below:
order deny,allow
deny from all
allow from 111.222.333.444


Kindest Regards,
Scott M
n/a Points
2014-08-12 12:32 am

Thanks for the reply

please understand my requiremnts what i want is that

(1) => Any user can login to dashboord using the url  http://localhost/wordpress-                 3.9.2/secret     with any IP address . Now what will hapeen my                   

            http://localhost/wordpress-3.9.2/wp-admin won't work right?

(2) => Now another requirment is that  only for specific IP address this url should work http://localhost/wordpress-3.9.2/wp-admin and no other IP can access this url.

 

please reply me asap.

 

Staff
19,557 Points
2014-08-12 9:31 am
Hello Narola,

That type of situation is beyond the scope of this article, so I'm sure it cannot be done via the plugin. You may want to look for a solution by custom coding it in the .htaccess file.

Kindest Regards,
Scott M
n/a Points
2014-08-13 12:00 am

yes I know its too difficult but can you help me in suggesting that what rule I should write in .htaccess file or how can I customize the plugin.

 

Please help me asap

Staff
9,162 Points
2014-08-13 11:32 am
Unfortunately, we are unable to provide custom development, but there are various developers out there that you could hire to write this code for you.
Staff
9,968 Points
2014-08-13 11:59 am
Hello narola,

It sounds like you might not need the HC Custom WP-Admin URL plugin to protect your WordPress installation. Instead you can simply lock down WordPress admin access by IP address which would look something like this in your .htaccess file:

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.121$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.122$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>



This would just allow the IP addresses 123.123.123.121, 123.123.123.122, and 123.123.123.123 to access your WordPress admin section.

If the IP addresses change a lot, then I'd recommend that you setup a secondary WordPress admin password. This way you will be prompted for a username and password prior to even getting to the actual WordPress login screen.

Please let us know if you had any further questions at all.

- Jacob
n/a Points
2014-08-14 12:01 am

Thanks @Jacob for your kindiest suggestion but my client requirments is that

they want the custom url which HC Custom WP-Admin URL plugin provides and also the wp-admin should work for only 3 selected IP addresses.

 

Staff
19,557 Points
2014-08-14 10:26 am
Hello Narola,

You will want to use either the IP restriction or password protection of .htaccess. Using one of those hiding the /wp-admin doesn't matter because once a user successfully hits the secret URL and logs into WordPress they are hitting the normal /wp-admin anyways. So the masking is just an unnecessary step.

Kindest Regards,
Scott M
n/a Points
2014-09-03 12:45 am

Does this work with the Register Plus Redux plugin that allows you to customize your login and registration pages?

n/a Points
2014-09-03 1:00 am
Article is just fine! Very easy to follow, and hopefully no more WordPress brute force attack notices.
n/a Points
2014-09-09 6:49 pm

Finally sorted my issue.

 

I don't know why but the get_home_path function of hc-custom-wp-admin-url.php (starts on line 152 was returning '/' not the home directory for my site where the .htaccess file was actually located. Once I commented out the code and put the proper path to the file in - the plugin started to work.

 

If I have time later I'll try to figure out why it is broken.

n/a Points
2014-09-22 2:26 pm

Hi, I followed the instructions, installed the plugin and changed the URL for login-in into Wordpress. However, after login out, it didn't worked with the new slug I created. For some reasons, I need iThemes Security to login in Wordpress because I can't find the original slug to login into Wordpress. Could iThemes security block HC custom plugin and how can I find the original slug to login into Wordpress (it's not wp-admin, wp-login, ?)

Staff
17,351 Points
2014-09-22 4:16 pm
Hello Jessica,

Thanks for the question and sorry for problem you're having. The change to the slug should be happening within your .htaccess file. If it's not working, it could be because it's buried in the file and should be near the top of the file. However, you should be able to determine the slug change within the .htaccess file. You may need to remove or disable the plugins temporarily so that you can see things BEFORE you have added the plugins. If you removed the HC Custom WP Admin URL, then it's possible that the changes in the .htaccess file still exist. The notes above also add that the link change is added in the permalinks page. If it's still loaded, then you should be able to see the entry as noted in the instructions above.

Kindest regards,
Arnel C.

Post a Comment

Name:
Email Address:
Phone Number:
Comment:
Submit

Please note: Your name and comment will be displayed, but we will not show your email address.

88 Questions & Comments

Post a comment

Back to first comment | top

Need more Help?

Search

Ask the Community!

Get help with your questions from our community of like-minded hosting users and InMotion Hosting Staff.

Current Customers

Chat: Click to Chat Now E-mail: support@InMotionHosting.com
Call: 888-321-HOST (4678) Ticket: Submit a Support Ticket

Not a Customer?

Get web hosting from a company that is here to help. Sign up today!