Note: The Lockdown WP Admin plugin is no longer supported in newer versions of WordPress.
Because WordPress brute force attacks are on the rise, using a WordPress plugin like Lockdown WP Admin can help by allowing you to change the WordPress default login URL. This way attackers won’t have access to your admin login form, so they can’t continually try to guess your password and break in.
If you’re curious whether malicious users have already been trying to log in to your WordPress admin dashboard, you can check out my guide on reviewing WordPress login attempts for easy steps on how to find out.
After you install Lockdown WP Admin, also be sure to hide the secret URL from the Meta widget so that an attacker can’t discover your new admin login address.
Install and configure the Lockdown WP Admin WordPress plugin
Using the steps below you can quickly install the Lockdown WP Admin plugin and configure it so that your normal WordPress login URLs of /wp-admin and wp-login.php are changed.
- Log in to the WordPress admin dashboard
- For this plugin to function correctly your site must first be using WordPress permalinks
- Hover over Plugins, then click on Add New

- Type in Lockdown WP Admin, then click on Search Plugins

- Click on Install Now beside the Lockdown WP Admin plugin

- Click OK on the confirmation pop-up window

- Click Activate Plugin

- Hover over the new Lockdown WP, then click on Lockdown WP

- Place a check beside Yes, please hide WP Admin from the user…

- Change your WordPress Login URL to something like secret-admin
Leave Disable HTTP Auth selected, click Save Options
If you use the HTTP Auth options the plugin will let you also create a secondary WordPress admin .htaccess password. This secondary password would have to be entered in, even if someone guessed your secret login URL.
Selecting WordPress Login Credentials will prompt you for your normal WordPress admin username and password, prior to gaining access to the actual WordPress admin login page.
If you instead use Private Usernames/Passwords you can configure a new secondary login from the Lockdown WP > Private Users section.
In my testing of this plugin I didn’t have great success with the secondary password protection, which is why I’ve recommended to leave it disabled as is default.
- Hover over Howdy, User, then click on Log Out

- You should see the secret-admin URL you set

- Try to directly access /wp-admin or wp-login.php, you get a 404 page

- Access the /secret-admin URL and you get your WordPress login page

Prevent WordPress Meta widget from exposing secret login URL
Unfortunately while the Lockdown WP Admin plugin does a great job securing your site from bots that might continually try to hit the default login URLs, it also updates the Meta widget in WordPress with the new updated URL as seen below:

There are two ways in which you can prevent your secret login URL from being shown like this.
Remove Meta widget from WordPress
- Log in to the WordPress admin dashboard
- Hover over Appearance, then click on Widgets

- Click on the Meta widget, then click on Delete

Edit WordPress general-template.php file to hide Log In link
- You can also stop the Log in link from displaying on your WordPress site by editing the core template file. Note that if you do it this way, future WordPress updates might overwrite the files in your /wp-includes directory and revert your changes, so keep that in mind.
- Use the cPanel File Manager Code Editor
- Navigate to your /wp-includes directory

- Right-click on general-template.php, then click Edit

- Look for this line of code:
$link = '<a href="' . esc_url( wp_login_url($redirect) ) . '">' . __('Log in') . '</a>';

Comment out the line above with two forward slashes //
On the line below it, set the $link variable to be blank with this code:
$link = '';

You should end up with the final code looking like this, with your changes being the commented-out line and the blank $link assignment below it:
function wp_loginout($redirect = '', $echo = true) {
    if ( ! is_user_logged_in() )
        //$link = '<a href="' . esc_url( wp_login_url($redirect) ) . '">' . __('Log in') . '</a>';
        $link = '';
    else
- You should now see that the Log in link is gone from the Meta widget
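To confirm both the login URL change and the Meta widget fix from the outside, the following added example (not part of the plugin or the original guide) audits what a logged-out visitor would see. The status codes and HTML are constructed samples, the function names are hypothetical, and treating a 200 response as "login page served" for the secret URL is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

DEFAULT_LOGIN_PATHS = ("/wp-admin", "/wp-login.php")  # paths the guide expects to 404

# Constructed sample: front-page HTML as a logged-out visitor sees it (not real site output).
PAGE_WITH_META_WIDGET = """
<aside class="widget widget_meta"><ul>
  <li><a href="https://example.com/secret-admin">Log in</a></li>
  <li><a href="https://example.com/feed/">Entries feed</a></li>
</ul></aside>
"""
PAGE_AFTER_FIX = PAGE_WITH_META_WIDGET.replace(
    '<li><a href="https://example.com/secret-admin">Log in</a></li>', "")


class _UrlCollector(HTMLParser):
    """Collect every link target and form action found in a page."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        self.urls += [v for k, v in attrs if k in ("href", "action") and v]


def leaked_login_links(html, secret_slug):
    """Return URLs in public HTML whose path contains the secret slug as a segment."""
    collector = _UrlCollector()
    collector.feed(html)
    slug = secret_slug.strip("/").lower()
    return [u for u in collector.urls
            if slug in urlparse(u).path.lower().split("/")]


def audit(status_by_path, public_html, secret_slug):
    """Return a list of findings; an empty list means the setup matches the guide."""
    findings = []
    for path in DEFAULT_LOGIN_PATHS:
        if status_by_path.get(path) != 404:
            findings.append(f"{path} returned {status_by_path.get(path)}, expected 404")
    secret_path = "/" + secret_slug.strip("/")
    if status_by_path.get(secret_path) != 200:  # assumption: 200 means the login page loads
        findings.append(f"{secret_path} returned {status_by_path.get(secret_path)}, expected 200")
    for url in leaked_login_links(public_html, secret_slug):
        findings.append(f"public page exposes the login URL: {url}")
    return findings
```

In real use, fill `status_by_path` and `public_html` from requests made while logged out, and scan every public template that can render the Meta widget, not only the front page.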

You should now know how to add an extra level of security to your WordPress site by making sure that bots and malicious users can’t easily get to your admin log in anymore.