Because WordPress brute force attacks are on the rise, using a WordPress plugin like Lockdown WP Admin can help by allowing you to change the WordPress default login URL. This way attackers won’t have access to your admin login form, so they can’t continually try to guess your password and break in.
If you’re curious if your WordPress site has already had malicious users trying to login to your admin dashboard, you can check out my guide on reviewing WordPress login attempts for easy steps on how to find out.
You also want to make sure after you install Lockdown WP Admin, be sure to hide the secret URL from the Meta widget so that an attacker can’t discover your new server admin address.
Install and configure the Lockdown WP Admin WordPress plugin
Using the steps below you can quickly install the Lockdown WP Admin plugin and configure it so that your normal WordPress login URLs of /wp-admin and wp-login.php are changed.
- Login to WordPress admin dashboard
- For this plugin to function correctly your site must first be be using WordPress permalinks
- Hover over Plugins, then click on Add New
- Type in Lockdown WP Admin, then click on Search Plugins
- Click on Install Now beside the Lockdown WP Admin plugin
- Click OK on the confirmation pop-up window
- Click Activate Plugin
- Hover over the new Lockdown WP, then click on Lockdown WP
- Place a check beside Yes, please hide WP Admin from the user…
- Change your WordPress Login URL to something like secret-admin
- Hover over Howdy, User, then click on Log Out
- You should see the secret-admin URL you set
- Try to directly access /wp-admin or wp-login.php, you get a 404 page
- Access the /secret-admin URL and you get your WordPress login page
Leave Disable HTTP Auth selected, click Save Options
Selecting WordPress Login Credentials will prompt you for your normal WordPress admin username and password, prior to gaining access to the actual WordPress admin login page.
If you instead use Private Usernames/Passwords you can configure a new secondary login from the Lockdown WP > Private Users section.
In my testing of this plugin I didn’t have great success with the secondary password protection, which is why I’ve recommended to leave it disabled as is default.
Prevent WordPress Meta widget from exposing secret login URL
Unfortunately while the Lockdown WP Admin plugin does a great job securing your site from bots that might continually try to hit the default login URLs, it also updates the Meta widget in WordPress with the new updated URL as seen below:
There are two ways in which you can prevent your secret login URL from being shown like this.
Remove Meta widget from WordPress
- Login to WordPress admin dashboard
- Hover over Appearance, then click on Widgets
- Click on the Meta widget, then click on Delete
Edit WordPress general-template.php file to hide Log In link
- You can also simply edit the Log in link from displaying on your WordPress site by editing your template file. Although note that if you are doing it this way, future WordPress updates might override the files in your /wp-includes and revert your changes, so keep that in mind.
- Use the cPanel File Manager Code Editor
- Navigate to your /wp-includes directory
- Right-click on general-template.php, then click Edit
- Look for this line of code:
- You should now see that the Log in link is gone from the Meta widget
$link = '<a href="' . esc_url( wp_login_url($redirect) ) . '">' . __('Log in') . '</a>';
Comment out the line above with two forward slashes //
On the line below it, set the $link variable to be blank with this code:
$link = '';
You should end up with the final code looking like this, with your changes in red:
function wp_loginout($redirect = '', $echo = true) { if ( ! is_user_logged_in() ) //$link = '<a href="' . esc_url( wp_login_url($redirect) ) . '">' . __('Log in') . '</a>'; $link = ''; else
You should now know how to add an extra level of security to your WordPress site by making sure that bots and malicious users can’t easily get to your admin log in anymore.
Hello. I have a problem with ‘Lockdown WP Admin WordPress’ plugin, I accidentally activate Private Usernames/Passwords and will not let me access my web. Can you help me? Thank you.
I advise you disable WordPress plugins to see if you can get your access back.
Hi, I have used lockdown WP admin. Our computer accidentally stopped and when I typed the URL login that I created it redirects to the wordpress login but even when I typed my password and username, it redirects me to the website but not with the dashboard.
Hello John,
Thank you for contacting us. We are happy to help, but will need some additional information. Are you getting any errors? Putting WordPress in debug mode may provide a more detailed error message.
Can you provide a link to the site for testing?
Thank you,
John-Paul
How about creating a link to the new path using the Text Widget? I am also worried about those who want to register or join the site for the first time.
Placing an HTML link within a text widget would indeed be a good solution to direct those users to the correct page.
Now the meta widget is gone. How does the admin sign in? And how do join the site and sign in?
Hello Kumi,
Your admin login area is now the new ‘slug’ you created in the plugin, such as ‘https://example.com/secret‘. Any members that need to log in will also need to use that URL.
If the membership plugin you use does use the meta widget, then simply re-enable it and use the other method described above that removes the login link from the page but still allowing all other links.
Kindest Regards,
Scott M