These days it's very common for WordPress brute force attacks to take place against your WordPress admin dashboard. This is because WordPress is very popular, and uses /wp-admin and wp-login.php to handle your admin login attempts by default.

Using the HC Custom WP-Admin URL plugin you can very easily hide these default WordPress admin login URLs, and instead create a custom address that only you will know about.

If you think your WordPress site is under attack you can always review WordPress login attempts, and if you see any malicious attempts you can block unwanted users with .htaccess to prevent further access.
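
As an added example (not part of the original article or the plugin), this Python sketch shows one way to review login attempts from an Apache access log by tallying POST requests to wp-login.php per client address. It assumes the combined log format and stock WordPress behaviour, where a failed login returns 200 and a successful one redirects with 302; the log lines are constructed samples.

```python
import re
from collections import defaultdict

# Constructed sample in Apache "combined" log format (not real traffic;
# client addresses come from the RFC 5737 documentation ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [06/Mar/2014:16:07:01 -0500] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Mar/2014:16:07:02 -0500] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Mar/2014:16:07:03 -0500] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Mar/2014:16:07:04 -0500] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Mar/2014:16:07:05 -0500] "POST /wp-login.php HTTP/1.1" 302 - "-" "Mozilla/5.0"
198.51.100.23 - - [06/Mar/2014:16:10:11 -0500] "GET /wp-login.php HTTP/1.1" 200 2890 "-" "Mozilla/5.0"
198.51.100.23 - - [06/Mar/2014:16:10:19 -0500] "POST /wp-login.php HTTP/1.1" 302 - "-" "Mozilla/5.0"
192.0.2.50 - - [06/Mar/2014:16:12:40 -0500] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "curl/7.30"
192.0.2.50 - - [06/Mar/2014:16:12:41 -0500] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "curl/7.30"
192.0.2.50 - - [06/Mar/2014:16:12:42 -0500] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "curl/7.30"
198.51.100.23 - - [06/Mar/2014:16:13:00 -0500] "GET / HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
truncated line without the usual fields
"""

# client, ident, user, [timestamp], "METHOD path protocol", status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


def login_attempts(log_text, login_path="/wp-login.php"):
    """Tally login form submissions (POSTs to the login script) per client."""
    stats = defaultdict(lambda: {"failed": 0, "succeeded": 0, "other": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # skip lines that are not in combined format
        if m.group("method") != "POST":
            continue  # a GET only displays the form
        if not m.group("path").endswith(login_path):
            continue
        status = m.group("status")
        # Assumption: stock WordPress re-renders the form (200) on a bad
        # password and redirects (302) after a good one.
        if status == "200":
            stats[m.group("ip")]["failed"] += 1
        elif status == "302":
            stats[m.group("ip")]["succeeded"] += 1
        else:
            stats[m.group("ip")]["other"] += 1
    return dict(stats)


def suspects(log_text, threshold=3):
    """Clients with at least `threshold` failed logins, worst first."""
    rows = [
        (ip, s["failed"], s["succeeded"])
        for ip, s in login_attempts(log_text).items()
        if s["failed"] >= threshold
    ]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    for ip, failed, succeeded in suspects(SAMPLE_LOG):
        print(f"{ip}: {failed} failed, {succeeded} succeeded")
```

An address with many failed POSTs followed by a 302 deserves the closest look, since that pattern means a guess eventually succeeded.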

Install and set up the HC Custom WP-Admin URL plugin

The HC Custom WP-Admin URL plugin works by simply adding a rule to your WordPress .htaccess file to redirect requests using the custom URL you've configured.

Following the steps below you should have the plugin configured to provide extra security for your WordPress site in just a few minutes.

  1. Log in to the WordPress admin dashboard.

  2. Hover over Plugins, then click on Add New.

  3. Fill out HC Custom WP-Admin and click Search Plugins.

  4. Click on Install Now beside HC Custom WP-Admin URL.

  5. Click OK on the plugin install confirmation pop-up.

  6. After the plugin installs, click on Activate Plugin.

  7. Hover over Settings and click on Permalinks.

  8. The HC Custom WP-Admin URL plugin adds a new section at the bottom of your Permalinks for WP-ADMIN slug.

    Fill in this field with the URL you'd like to have your WordPress admin dashboard accessed from. In this case I've simply used secret and then clicked on Save Changes.

  9. At the top-right, hover over Howdy, User and click on Log Out.

  10. Now if you try to access your WordPress admin dashboard with the default /wp-admin or wp-login.php URLs, you'll simply see your WordPress front page instead of the dashboard.

  11. If we instead use the new WP-ADMIN slug that we set up, secret, we are then presented with the normal WordPress admin login form.

  12. After you successfully log in using the WP-ADMIN slug that you set up, you'll be presented with your normal WordPress admin dashboard again.

 

You should now have successfully added an extra level of security to your WordPress site that should help prevent malicious users from gaining access to your website.
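
As an added example (not the plugin's own code), this Python check reads an .htaccess file, reports the login slug from the rule form quoted by staff in the comments below, and shows the undo step of commenting the rule out. The file contents are a constructed sample, and the check for a slug rule placed after WordPress's catch-all index.php rewrite is an assumption about one way two rules can conflict.

```python
import re

# Constructed sample .htaccess: the slug rule in the form quoted in the
# comments, plus the stock WordPress rewrite block around it (assumed layout).
SAMPLE_HTACCESS = r"""# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^secret/?$ /wp-login.php [QSA,L]
#RewriteRule ^old-slug/?$ /wp-login.php [QSA,L]
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""

# Matches: [#]RewriteRule ^<slug>/?$ /wp-login.php [flags]
SLUG_RULE = re.compile(
    r'^\s*(?P<off>#\s*)?RewriteRule\s+\^(?P<slug>[^/\s$]+)/\?\$\s+'
    r'/wp-login\.php(?:\s+\[(?P<flags>[^\]]*)\])?\s*$'
)
# The WordPress catch-all that hands every other request to index.php.
CATCH_ALL = re.compile(r'^\s*RewriteRule\s+\.\s+\S*index\.php\b')


def audit_htaccess(text):
    """Return one finding per login-slug rule, in file order."""
    findings = []
    catch_all_line = None
    for number, line in enumerate(text.splitlines(), start=1):
        if catch_all_line is None and CATCH_ALL.match(line):
            catch_all_line = number
            continue
        m = SLUG_RULE.match(line)
        if m:
            flags = [f.strip() for f in (m.group("flags") or "").split(",")]
            findings.append({
                "line": number,
                "slug": m.group("slug"),
                "active": m.group("off") is None,  # False when commented out
                "flags": [f for f in flags if f],
                # An earlier catch-all with [L] answers the request first,
                # so a slug rule below it never gets to run.
                "shadowed": catch_all_line is not None,
            })
    return findings


def active_slug(text):
    """Slug that currently reaches the login form, or None."""
    for finding in audit_htaccess(text):
        if finding["active"] and not finding["shadowed"]:
            return finding["slug"]
    return None


def disable_slug_rules(text):
    """Comment out every active slug rule (the undo step from the comments)."""
    out = []
    for line in text.splitlines():
        m = SLUG_RULE.match(line)
        out.append("#" + line if m and m.group("off") is None else line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("login slug:", active_slug(SAMPLE_HTACCESS))
```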


Comments

n/a Points
2014-03-06 4:07 pm

This plugin is NOT compatible with Wordpress 3.8!!!

Staff
5,603 Points
2014-03-06 4:40 pm
Hello ZoD Gaudette,

While this plugin doesn't officially support WordPress 3.8 in terms of having it on the WordPress plugin page as a compatible release yet, it does indeed function with WordPress 3.8, which is the version of WordPress this article was written using.

I just installed a fresh copy of the latest WordPress 3.8.1 and tested it out and this plugin still functions.

If you've installed this plugin and are having issues accessing your WordPress dashboard afterwards, you might want to try clearing your local web-browser's cache. We've seen instances where the server's .htaccess file, which contains the redirect code that this plugin uses, gets cached on a user's computer, and they can't see the updated changes.

If you're having another specific problem at all using this plugin with the newer versions of WordPress, please let us know!

- Jacob
n/a Points
2014-03-06 6:53 pm

I've completely lost access to my Admin... how do I get it back?... 

I added slug at the end of the URL, like this: .com/wp-admin slug

Was that the right way to do it?

 

 

Staff
5,444 Points
2014-03-07 11:23 am
Hello Richard Keith,

Thank you for your question. You should add the slug with no spaces like this:
example.com/wp-admin/slug

You may have to clear your browser cache before it will work.

If you have any further questions, feel free to post them below.
Thank you,

-John-Paul
n/a Points
2014-03-07 1:17 pm

Hi John-Paul,  

I am able to get to the URL/website search reply, not the admin... how do I proceed to the WP admin to edit the website? Is there a way to undo this?

Thanks, Richard

Staff
5,603 Points
2014-03-07 1:58 pm
Hello Richard,

Sorry for the confusion, your WordPress admin area should still be accessible after you installed the HC Custom WP-Admin URL plugin. You just need to use the WP-admin slug that you set from step #8.

If your WordPress dashboard was available at:

http://example.com/wp-admin

If you set your WP-admin slug to secret like my example in this guide, you would then be able to get to your dashboard from:

http://example.com/secret.

Essentially the WP-admin slug you set with this plugin, becomes your new URL for accessing the dashboard going forward.

If you did want to undo the changes made by the plugin, you could edit your .htaccess file in your WordPress directory. Just comment out by placing a # symbol at the front of the line, the one that reads something like:

RewriteRule ^secret/?$ /wp-login.php [QSA,L]


Then save your .htaccess file, clear your browser's cache, then try to access the admin dashboard normally again from:

http://example.com/wp-admin

If you're still having any issues accessing your dashboard after installing, or disabling this plugin, please let us know!

- Jacob
n/a Points
2014-03-06 11:12 pm

Fantastic. Thank you for the steps and pictures.  It helps!

n/a Points
2014-03-16 12:19 pm

Hi Jacob, 

As embarrassing as it is, I can't remember what word I selected in step 8. I have tried what I remember it to be but I am not getting to my dashboard.

Any suggestions?

Thanks, 

Aaron

Staff
5,444 Points
2014-03-17 9:10 am
Hello Aaron,

Thank you for your question. You can view your slug in your .htaccess file, which is located in the root folder where your WordPress is installed.

For example: If you chose test as your slug it will look like this in the .htaccess file:

RewriteRule ^test/?$ /wp-login.php [QSA,L]

If you have any further questions, feel free to post them below.
Thank you,

-John-Paul
n/a Points
2014-03-21 1:06 pm

Hi Jacob,

I've followed the steps given and it worked on the login page. Once logged in, I want to change the wp-admin url to slug that I set before ( http://www.inmotionhosting.com/support/images/stories/wordpress-plugins/hc-custom-wp-admin-url/wp-admin-access-allowed-after-using-secret-url.png )

How to do that? Thank you.

Staff
5,444 Points
2014-03-21 1:56 pm
Hello Handy,

Thank you for your question. Since you are using "HC Custom WP-Admin" to mask your wp-admin folder from the outside, there is no need to rename your wp-admin folder.

The Wordpress community recommends using a plugin to accomplish this, as can be seen in this forum post.

I did find a possible solution through google search here.

If you have any further questions, feel free to post them below.
Thank you,

-John-Paul
n/a Points
2014-03-23 12:33 pm

I installed the plugin but am getting an error message after changing my slug name and saving the name. now allowing me to write that slug name for some reason. It then asks me to copy some code. I'm not sure what to do here.

Staff
4,112 Points
2014-03-24 9:56 am
This would be caused by your .htaccess file not being writable. You would need to either copy the code provided into your .htaccess file, or adjust the permissions of your .htaccess file to allow writing to it, which would typically be permissions of 644.
n/a Points
2014-03-24 9:46 am

This plugin actually doesn't work with WP 3.8.1.  Using it caused me to lose access to WP as the slug does not work for login.  Additionally, there are much better security plugins that do work.  The WP help is mostly out of date and your support staff seems to not know that.

Staff
4,112 Points
2014-03-24 10:02 am
We have tested and confirmed that the plugin is operating correctly within WordPress 3.8.1. Be sure that you fully clear your browser cache after changing the WordPress admin URL.
n/a Points
2014-03-27 7:46 pm

Definitely doesn't work with current wordpress install. Installed...says this when I try to access the new slug I set up:

Not Found

Sorry, but you are looking for something that isn't here.

 

Lost access to both wp-admin and wp-login. Tried clearing cache...different browsers...and different computers.

Now off to find my .htaccess file and try and figure out how to fix.

Cheers

Staff
5,603 Points
2014-03-27 7:59 pm
Hello J,

As discussed in the comments above, this plugin does indeed function with the latest version of WordPress and has been tested many times. Make sure that you clear your web-browser's cache prior to attempting to access your dashboard over the new secret URL.

If you're having a specific problem accessing your WordPress dashboard now, you should simply be able to find your .htaccess file, and look for this line:

RewriteRule ^secret/?$ /wp-login.php [QSA,L]


That should be the secret slug you want to use to attempt to access your dashboard now. Unfortunately I was unable to find any account information with us to check on this for you. So if you're hosting with us and still having any issues getting it working please submit a ticket in order for us to investigate what might be wrong with your install.

You can manually disable WordPress plugins in bulk which should disable the custom admin URL plugin and allow you back in regardless. It's also possible you have another plugin that could be interfering with the HC Custom WP-Admin URL plugin, so you could try re-enabling your plugins one at a time till you find an issue.

- Jacob
n/a Points
2014-04-05 2:15 am

Hi,

This is nice plugin and works fine with my WP 3.4.2.

But I have comments enabled in blog. If I am not logged in, it shows a text "Please log in or register to post a comment and join the discussion." on main blog page. Login link here does not work now. Because it points to wp-login.php and it redirects user to home page.

Do you have a fix for this?

Thanks,

John

Staff
5,603 Points
2014-04-05 3:19 am

Hello John,

After changing your wp-login.php URL with the HC Custom WP-Admin URL plugin, you can modify your /wp-includes/general-template.php file to reflect this change as well in your Meta widget.

If you edit that file, look for this section of code:
function wp_loginout($redirect = '', $echo = true) {
    if ( ! is_user_logged_in() )
        $link = '<a href="' . esc_url( wp_login_url($redirect) ) . '">' . __('Log in') . '</a>';
    else
        $link = '<a href="' . esc_url( wp_logout_url($redirect) ) . '">' . __('Log out') . '</a>';

The line that I've highlighted is the way WordPress creates the Log in link. You could instead change this to the following if your WP-Admin slug was set to wp-secret:
//$link = '<a href="' . esc_url( wp_login_url($redirect) ) . '">' . __('Log in') . '</a>';
$link = '<a href="wp-secret">Log in</a>';

You don't need to modify the Log Out link, because once you're logged into WordPress you can send requests to wp-login.php as normal.

Please let me know if that works for you. If you're still having issues, and would like us to take a closer look please let us know the site you're having these problems on.

- Jacob
n/a Points
2014-04-05 6:40 am

Thank you very much for quick reply Jacob!

Yes, the fix you provided worked fine for me. I ended up changing following 4 files for login links based on your direction.

corelight/wp-includes/general-template.php

corelight/wp-content/themes/Corelight/category.php

corelight/wp-content/themes/Corelight/index.php

corelight/wp-content/themes/Corelight/archives.php

Cheers!

John

Staff
10,078 Points
2014-04-06 7:39 pm
Hello John,
We are happy to hear Jacob was able to get things squared away for you. Please do not hesitate to contact us again if you have any further questions.

Kindest Regards,
Scott M
n/a Points
2014-04-16 4:15 pm

Your customer support team gave me this article link, and I installed the plugin (great instructions, btw) ... however, because I have a custom login button, it just disabled the login. Of course I was able to log in by putting the correct slug in ....

Are you able to help me modify the custom login so that it works?

I have had a very bad day with a full site restore needed because of hackers. I would really like to prevent this in the future.

Thanks for your help!

Gillian

 

Staff
5,603 Points
2014-04-16 4:30 pm
Hello Gillian,

You should be able to simply edit your custom login button to reflect the new secret admin URL slug that you used. You can look at my comment a few responses up talking about modifying the WordPress login link and see if that works for you.

If not, please let us know how you are adding the custom login button, either with a plugin or theme.

- Jacob
n/a Points
2014-04-16 4:55 pm

Hi Jacob,

Actually Inmotion did my design for the website cognitiveresults.com ... it's based on a Twenty-Eleven theme and they coded in the button...

Are you able to look at the code from your end to help me out?

I just don't want to mess anything up after today's challenges!

Thanks,

Gillian

 

Staff
10,582 Points
2014-04-16 6:12 pm
Hello Gillian,

I reviewed the suggestions that Jacob suggested above and made the changes for you. Your login link for admin is now based on slug you set up for it. I verified that it's working. Check it out and let us know if you have any further questions.

Regards,
Arnel C.
n/a Points
2014-04-16 7:18 pm

Thanks so much Arnel!!

I appreciate it so much that you helped out. 

My next question is the Login button is riding along in the header on every page, so it's confusing for customers because they get an error when they try to log in on a page other than the Home page. Is there a way to move this Login button into the Home page sidebar instead so it only shows on the Home page?

I appreciate so much the help because I don't want to mess it up. I don't know how to remove the login button from the header.

THANKS!

Gillian

Staff
10,582 Points
2014-04-16 7:49 pm
Hello Gillian,

Sorry for the problem there. What was happening was the re-write was trying to load the slug you specified earlier for each page, meaning the URL was being loaded incorrectly. I have corrected it so the error does not appear when you click on the login button. This was a site created by InMotion Web Design, so if you're asking for changes to the design it really should go back to them, unless you intend to modify it yourself. You can change what's in the header by simply editing the theme editor so that the LOGIN button is longer at the top. Moving it to another location would require some more design consideration, especially as you'd have to either move or resize elements that are already in place.

Apologies that I can't make all of the changes, but I hope this helps to provide a workable solution.

Regards,
Arnel C.
n/a Points
2014-04-16 7:56 pm

That's perfect - you've fixed it :)

No need to move the login if it's loading right from any page.

Thank you so very much again!

Gillian

Staff
5,603 Points
2014-04-17 6:55 pm
Hello Gillian,

Arnel simply followed the steps that I previously mentioned further up in the comments about modifying the WordPress login link.

It doesn't look like you had sufficient protection setup, as both your wp-login.php script and /wp-admin directory were accessible to anyone because you had uninstalled the HC Custom WP-Admin URL plugin.

I went ahead and reinstalled that plugin for you and ensured things were setup correctly.

As far as the code Arnel edited for you, as the instructions for modifying the WordPress login link explain, you just open up your /wp-includes/general-template.php file and then add the highlighted code where example.com/custom-wp-link would be your domain followed by the custom URL you setup in the plugin:

function wp_loginout($redirect = '', $echo = true) {
    if ( ! is_user_logged_in() )
        //$link = '<a href="' . esc_url( wp_login_url($redirect) ) . '">' . __('Log in') . '</a>';
        $link = '<a href="http://example.com/custom-wp-link">Log in</a>';


Let us know if you have any further questions!

- Jacob
n/a Points
2014-04-17 7:15 pm

Hello Jacob,

I uninstalled the plugin because I could not log in to the site. It keeps returning me to the home page every time.

I have uninstalled the plugin again because I have 60 paid customers accessing the site and they must be able to login at any time.

I am not sure why we can't fix this issue. Would you please look into this further?

Thank you.

Gillian

p.s. your service people had originally altered the .htaccess file so that you could only log in from the home page, which is a good thing because it requires a manual click by the customer to login.

I am wondering if this plug in is competing with the alterations in the .htaccess file (it does say in the plugin's warnings that this can happen!!)

 

Staff
5,603 Points
2014-04-17 7:38 pm
Hello again Gillian,

Are you able to login now? I simply re-installed the plugin and was able to access the website as normal as well as the admin dashboard. You might have possibly had another .htaccess rule conflicting with the plugin, but I'm not sure what that would have been because it is not present now.

If you're having any issues at all accessing the WordPress admin from your login link, you will want to make sure to clear your web-browser cache to make sure that you are in fact loading up the latest rules.

- Jacob

n/a Points
2014-04-18 11:01 am

Hi Jacob,

Yes I am able to login from the site, and it redirects properly to best-customers-ever BUT I am also able to login from wp-login.php, which is what Larry W. in service was supposed to have changed for me.

To foil the Brute Force Attacks, the ability to login from the default login page for Wordpress was supposed to have been blocked, which was happening before we got into the plugin that messed everything up.

Can you please fix this?

This is what I need:

1) client not able to login from wp-login.php *** key for the Brute Force attacks

2) client only able to login by clicking the login button on the site, not through a cached wp-login.php page *** key for Brute Force

3) client able to login from any page on the website with the login button ** key for customer service

Hope that helps - it sure would be easier to talk on the phone rather than have 20 emails back and forth.

Thanks,

Gillian

 

Staff
5,603 Points
2014-04-18 3:29 pm
Hello Gillian,

I agree that reaching out to live tech support would probably help you resolve this issue better if you continue to have problems.

Unfortunately I've set things up for you and tested them to work, but then the HC Custom WP-Admin URL plugin gets disabled, which re-allows access to /wp-admin and wp-login.php once again, which in turn triggers our ModSecurity rules when you have failed login attempts.

I have once again re-enabled this plugin for you, and I can confirm right now that trying to directly go to either of those URLs results in just your front page loading. Using the secret admin slug of best-customers-ever the normal WordPress login page is displayed. This is also still what your template that we edited is having your Login button going to.

If you are not seeing this behavior, then clear your web browser's cache. Or even better open a new Incognito or Private browsing window to ensure that your computer is not caching anything related to the WordPress login. You should see when trying to access either /wp-admin or wp-login.php that your main page will simply be loaded again, but if you click on the Log in link it should work.

If certain users are having issues, and you disable the plugin, it's just going to allow access back to the default admin URLs and possibly trigger a block again. So I'd recommend towards telling all your members to not attempt to log in if their browser happens to say /wp-login.php at the end and only if they are using the Log In button or the secret slug URL.

- Jacob
n/a Points
2014-04-18 3:48 pm

Hi Jacob,

At this point I am extremely frustrated because I cannot log in, nor can my 60 clients.

I do not want the plugin enabled, but I can't login to remove it.

What I want is what Larry W. in service did, which was change the .htaccess so that a client had to click on the login button manually to log in.

I do not want a secret login anymore, because it is NOT WORKING.

I have cleared all of the caches and used brand-new browsers and it is definitely NOT WORKING.

Please remove the plugin.

In the future, I need someone to phone before making changes to the site. I was kicked off the site when you went in to make changes and the only way I found out was through my cPanel. You can't just go in and boot off people.

Please fix this issue right now!

Gillian

n/a Points
2014-04-18 3:59 pm

Hi Jacob,

I am speaking with live support now - please leave the account alone. 

I sure hope they can let you know that they've made the changes.

Thanks,

Gillian

n/a Points
2014-04-17 12:32 pm

I'm trying to get off the email notifications!

Staff
4,112 Points
2014-04-17 12:36 pm
We have now added an unsubscribe link within the email notification. Simply click this link to be removed from this article.
