Change WordPress admin URL with HC Custom WP-Admin URL

These days it’s common for brute force attacks against the WordPress admin dashboard. Partly because WordPress uses /wp-admin and wp-login.php to handle admin logins by default.

Using the HC Custom WP-Admin URL plugin you can very easily hide these default WordPress admin login URLs, and instead create a custom address that only you will know about.

If you think your WordPress site is under attack you can always review WordPress login attempts, and if you see any malicious attempts you can block unwanted users with .htaccess to prevent further access.

***Notice: This Plugin was last updated on 2013-11-19 and may prevent the ability to reset a user password.

Install and setup HC Custom WP-Admin URL plugin

The HC Custom WP-Admin URL plugin works by simply adding a rule to your WordPress .htaccess file to redirect requests using the custom URL you’ve configured.

Following the steps below you should have the plugin configured to provide extra security for your WordPress site in just a few minutes.

  1. Login to WordPress admin dashboard.
  2. hover over plugins click on add new

    Hover over Plugins, then click on Add New

  3. fill out hc custom wp-admin click search plugins

    Fill out HC Custom WP-Admin and click Search Plugins

  4. click on install now beside hc custom wp-admin url

    Click on Install Now beside HC Custom WP-Admin URL

  5. click ok on confirmation pop up

    Click OK on the plugin install confirmation pop-up

  6. after plugin installs click activate plugin

    After the plugin installs, click on Activate Plugin

  7. hover over settings click on permalinks

    Hover over Settings and click on Permalinks

  8. fill in wp-admin slug click save changes

    The HC Custom WP-Admin URL plugin adds a WP-Admin slug setting to the bottom of your Permalinks page.

    Fill in the URL you’d like to change your WordPress login pages to. I’ve simply used secret and then clicked on Save Changes.

    The WP-Admin URL slug is convered to all lowercase as pointed out in the comment below.

  9. hover over howdy user click log out

    At the top-right, hover over Howdy, User and click on Log Out

  10. admin urls updated showing front page

    Now if you try to access your WordPress admin dashboard with the default /wp-admin or wp-login.php URLs, you’ll simply see your WordPress front page instead of the dashboard.

  11. access secret admin url

    If we instead use the new WP-ADMIN slug that we setup of secret we are then presented with the normal WordPress admin login form.

  12. wp-admin access allowed after using secret url

    After you login using the WP-ADMIN slug that you setup, you’ll be presented with your normal WordPress admin dashboard again.


You should now have successfully added an extra level of security to your WordPress site that should help prevent malicious users from gaining access to your website.

Thoughts on “Change WordPress admin URL with HC Custom WP-Admin URL

  • Hi the plugin doesn’t work anymore. The customized url redirects to wp-admin..but then if I try to access the admin panel it doesn’t work.

    thank you in advance

  • Hi! I just followed the instructions above. The custom admin slug works fine.
    I could access the admin login page using the format:

    The problem is I could still access the admin login page using the default urls or

    Is there a step that I missed?

    • Hello Mark,

      If you followed the directions above then using the normal link should re-direct you. If not, then there’s something else going on that’s affecting that re-direct. You may need to speak with the authors of the plugin if problems persist with it. Note that maintenance on this particular plugin appears to have been stopped as the plugin has not been updated in some time. Since it has not been getting regular updates, we recommend that you try using a different security plugin that is being actively updated.

      If you have any further questions or comments, please let us know.

      Arnel C.

  • I was having the same login trouble with my website but now it’s back. However, i would like to fix it for future. Since this plugin is not working anymore, what do you suggest i should do for a custom wp-admin URL? I am using wordpress 4.5.

    Thank you

    • Hello Jonathan,

      There is no easy way to hide those urls without some deep coding however there is a simple plugin called Theme My Login and it does a very good job of hiding the login areas,

      Best Regards,
      TJ Edens

    • Hello Alison,

      As per the warning above, the plugin had not been updated in years, so it’s very likely that the plugin has been removed from the WordPress site. There are many alternatives now, that you may want to check. This is an example of one that was integrated into WordPress’s popular Jetpack plugin: BruteProtect.

      If you have any further questions or comments, please let us know.

      Arnel C.

  • Thank you so much guys for the step-by-step instructions, i’ve installed the slug and it seems is working as you discribed. 

    Thank you for your support, 

    Now i will find out why most of my posts got changed of language… probably related with hackers attack..


    • Hello Chinh,

      Sorry for the problem with accessing your WordPress admin. We are unfortunately unable to duplicate your problem. I can access your WordPress admin and cPanel seems to be working with no problem. A 406 error is security related. If you’re still getting the problem, can you please describe the exact steps you’re taking to duplicate the error? You’re also welcome to contact our live tech support team for immediate assistance if the 406 error occurs again. Check out this article for further information about the 406 error.

      If you have any further questions or comments, please let us know.

      Arnel C.

  • Two days ago was the first time I saw that our site was under attack and access blocked. Now off line waiting I am reading this thread…the original suggested plug in seems to have left many users in trouble but there have not been many recent comments….i am afraid to use the original plug in….anything more recent?

    What about the two mentioned above “WordFence” and “iThemesSecrity” ?


    Thanks, Jim

    • Hello Jim,

      Thank you for contacting us. Yes, it looks like this plugin has not been updated in several years, and is no longer compatible with the latest version of WordPress.

      I recommend using a different security plugin, here are some of our recommended security plugins. Be sure to use plugins that are compatible with your version of WordPress. I also like to use plugins that are updated recently.

      Thank you,

  • Hello I installed the plugin and was able to logout successfully and use the new address to login, but haven’t been able to succesfully login in since then. I use the new address and it takes me to the login, but then once I hit the login button it takes me to my website’s homepage and not to my dashboard. 

  • Hi Arnel,

    Thanks for your reply. I’ll check out Clef Two, but I’ve already discovered and installed two plugins on two sites that seem to be doing a super-dandy job. They are WordFence and iThemes Security.  I’m curious what you would say about those plugins.

    Getting back to the 2 yr comment about HC, I find most I.T. guys warn about using plugins that are not updated due to security concerns. I have used several hosting providers in the past, (in process of moving all my sites to IMH), but find InMotion to be the best hands down! So I’m surprised a top notch hosting company like yours would not follow suit with what seems to me to be the industry norm.

    Thanks again for your reply. Have a great weekend!

    • Hello Rich,

      Thanks for the concern. The plugins will always vary – there may be a solution provided that is suggested because of what it does, and then another may appear later which is better. So your comment is well taken. If you want a more up-to-date security plugin, check out Clef two-factor authentication.

      If you have any further questions or comments, please let us know.

      Arnel C.

  • I was facing a serieus bruteforce login hack on the admin accound. The plugin you suggested in this article does not work anymore… but there is a great alternitive! just search for “Rename wp-login.php”

  • I need to say thank you for this plugin. It really saved me. ALL the other lockdown plugins bar NONE did not work work for me. This one did. Follow the instructions – especially the one in the comment about changing the code for wordpress 4.1 and it SHOULD work. Thanks again my firend

    • This is not supported in WP 4.x or higher. Can lock all admins out! Please remove recommendation from your site.

  • Hello TJEdens,

    thank you for your quick reply. I have changed plugin’s folder name from the cpanel. Now, I’m able to access to the dashboard. Thank you again.

  • Hello.

    I need your help.
    Whenever I try to go to the wp-admin page, I am getting an error message saying:

    Warning: file(/home/user/public_html/my site/.htaccess) [function.file]: failed to open stream: No such file or directory in /home/user/public_html/my site/wp-content/plugins/hc-custom-wp-admin-url/hc-custom-wp-admin-url.php on line 137

    Warning: implode() [function.implode]: Invalid arguments passed in /home/user/public_html/my site/wp-content/plugins/hc-custom-wp-admin-url/hc-custom-wp-admin-url.php on line 137

    Warning: Cannot modify header information – headers already sent by (output started at /home/user/public_html/my site/wp-content/plugins/hc-custom-wp-admin-url/hc-custom-wp-admin-url.php:137) in /home/user/public_html/my site/wp-includes/pluggable.php on line 941, 942 ,943 ……..

    When I try to log in with my user account it says:

    ERROR: Cookies are blocked due to unexpected output. For help, please see this documentation or try the support forums

    What should I do? PLease, help me to solve this. Thanks a lot, beforehand

    • Hello Asif,

      Are you sure the file below actually exist as that is the first warning.

      /home/user/public_html/my site/.htaccess

      Best Regards,
      TJ Edens

  • Solved my problem by hiring a technician….here is what my login has to look like to work:



    If I simply do as instructed  I get direct to my home page.


    I use WP 4.1





  • Hi everyone,

    Your plugin looks very cool and very eaasy to use. Unfortunately it doesn’t work properly on my website :(. I do everything right: the wp-admin et wp-login.php pages are well redirected to my homepage, that’s great. I enter my new login page url (ex : and as expected i see my the usual wordpress admin login form. I enter my ID and my password, press enter and then i don’t access to my admin but i’m redirected to my homepage. 

    I’m using WordPress 4.1 with security plugins Wordfence an IP Blacklist

    Thanks for your support !

  • Installed plugin and created the slug.  Cleared cache on browser twice & restarted computer.


    … takes me to the WP login screen.  I enter my UID and PW and it takes me to the home page of my web site.  I can no longer log into my WP site.

    Do you know what is wrong?




    • Hello Don,

      Thank you for your question. It is difficult to say what is wrong, without the specific steps you took when you set this up, and without knowing your version of WordPress and all plugins you are using.

      But, most likely this wasn’t setup correctly, or there is an existing plugin/.htaccess rule interfering with this functionality.

      As a test, I recommend troubleshooting your .htaccess file, by renaming it.

      Then, test to see if you are able to login. If you are able to login, then you know something in the .htaccess file is causing the problem.

      Thank you,

  • Hi,

    I see that once the user has logged into their dashboard, their url goes back to wp-admin. Is it possible to avoid that, and keep it to whatever was set before (“secret” in your example).


    • Unfortunately, this plugin will not allow you to do so. There may be other plugins out there that will accomplish this, but we have not tested them.

  • Your instruction are confusing and sometime wrong . FYI , since last night I am unable to login to my Admin and not technical to use the htaccess mode . What shall I do then ? 

  • However you are “blocking” is overly agressive.  I was logged in, and have never been blocked while trying to log in, but once I log in, and try to upgrade WordPress, I then get the locked out message.

    • Hello,

      If you are being blocked by our mod_security rule you may contact our Live Support team to have it disabled. As long as you follow the other security procedures such as the custom URL then you should be safe from the brute force attacks.

      Kindest Regards,
      Scott M

  • Hi, 

    I followed the instructions, installed the plugin and changed the URL for login-in into WordPress. However, after login out, it didn’t worked with the new slug I created. For some reasons, I need iThemes Security to login in WordPress because I can’t find the original slug to login into WordPress. Could iThemes security block HC custom plugin and how can I find the original slug to login into WordPress (it’s not wp-admin, wp-login, ?)

    • Hello Jessica,

      Thanks for the question and sorry for problem you’re having. The change to the slug should be happening within your .htaccess file. If it’s not working, it could be because it’s buried in the file and should be near the top of the file. However, you should be able to determine the slug change within the .htaccess file. You may need to remove or disable the plugins temporarily so that you can see things BEFORE you have added the plugins. If you removed the HC Custom WP Admin URL, then it’s possible that the changes in the .htaccess file still exist. The notes above also add that the link change is added in the permalinks page. If it’s still loaded, then you should be able to see the entry as noted in the instructions above.

      Kindest regards,
      Arnel C.

  • Finally sorted my issue.


    I don’t know why but the get_home_path function of hc-custom-wp-admin-url.php (starts on line 152 was returning ‘/’ not the home directory for my site where the .htaccess file was actually located. Once I commented out the code and put the proper path to the file in – the plugin started to work.


    If I have time later I’ll try to figure out why it is broken.

  • Thanks @Jacob for your kindiest suggestion but my client requirments is that

    they want the custom url which HC Custom WP-Admin URL plugin provides and also the wp-admin should work for only 3 selected IP addresses.


    • Hello Narola,

      You will want to use either the IP restriction or password protection of .htaccess. Using one of those hiding the /wp-admin doesn’t matter because once a user successfully hits the secret URL and logs into WordPress they are hitting the normal /wp-admin anyways. So the masking is just an unnecessary step.

      Kindest Regards,
      Scott M

  • yes I know its too difficult but can you help me in suggesting that what rule I should write in .htaccess file or how can I customize the plugin.


    Please help me asap

    • Unfortunately, we are unable to provide custom development, but there are various developers out there that you could hire to write this code for you.

    • Hello narola,

      It sounds like you might not need the HC Custom WP-Admin URL plugin to protect your WordPress installation. Instead you can simply lock down WordPress admin access by IP address which would look something like this in your .htaccess file:

      <IfModule mod_rewrite.c>
      RewriteEngine on
      RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
      RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
      RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.121$
      RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.122$
      RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
      RewriteRule ^(.*)$ – [R=403,L]

      This would just allow the IP addresses,, and to access your WordPress admin section.

      If the IP addresses change a lot, then I’d recommend that you setup a secondary WordPress admin password. This way you will be prompted for a username and password prior to even getting to the actual WordPress login screen.

      Please let us know if you had any further questions at all.

      – Jacob

  • Thanks for the reply

    please understand my requiremnts what i want is that

    (1) => Any user can login to dashboord using the url  https://localhost/wordpress-                 3.9.2/secret     with any IP address . Now what will hapeen my                   

                https://localhost/wordpress-3.9.2/wp-admin won’t work right?

    (2) => Now another requirment is that  only for specific IP address this url should work https://localhost/wordpress-3.9.2/wp-admin and no other IP can access this url.


    please reply me asap.


    • Hello Narola,

      That type of situation is beyond the scope of this article, so I’m sure it cannot be done via the plugin. You may want to look for a solution by custom coding it in the .htaccess file.

      Kindest Regards,
      Scott M

  • Just wanted to update what has happened on the WP sites that I installed this on. I also installed the security-protection2.0 plugin as well because I didn’t think that would hurt.

    I have had ZERO emails about any failed login attempts.

    I’m a happy camper.


    • Hello Narola,

      If you want to deny all access from a specific area but allow specific IP addresses, you will want to use a format like the one below:

      order deny,allow
      deny from all
      allow from 111.222.333.444

      Kindest Regards,
      Scott M

  • I have read through almost all the comments on this article. I think that most of the people who are having issues are maybe new to working with WordPress and/or websites in general.

    And, that’s OK. Experience is a great teacher.

    I’m fairly advanced as a WordPress user and website builder.

    I installed this plugin on three of my WordPress sites in about five minutes. That included editing my RoboForm password manger and have had ‘ZERO’ issues with this plugin working.

    I’m also running the latest version 3.9.1 of WP. Now we’ll see what difference it makes in the brute force attacks that have started again over the past week.

    Thanks for a great article and plugin,

    Ernie Hodge


  • Worked flawless!

    Just remember to clear cache otherwise typing your new WP-URL or WP-ADMIN will both work or redirect you to the login.

    Thanks again!

    • Hello Ivan,

      Glad to hear the plugin worked out for you. I will add a section to this guide about being sure to clear your cache because what you said about both being accessible is true.

      Some users have also had problems with their new admin slug not working until they clear browser cache.

      Thanks for your comment!

      – Jacob

    • Hello JR,

      If you can’t access the WordPress dashboard with the plugin enabled you can find your .htaccess file, and look for this line:

      RewriteRule ^secret/?$ /wp-login.php [QSA,L]

      Then just remove or comment that line out with a # symbol at the front of the line and save the file.

      You can disable WordPress plugins in bulk which should disable the custom admin URL plugin and allow you back in.

      It could be that this plugin is interfering with another plugin or it is not properly working with your site not being in the main /public_html directory of the account.

      This plugin installed on a fresh copy of WordPress doesn’t run into the errors you’ve mentioned. So I might recommend instead using a secondary WordPress admin password to restrict access to the admin dashboard in your case.

      Please let us know if you’re still having issues.

      – Jacob

    • it is no true. the plugin doesn’t change anything at all, only thing: you now will be able to login with “/secret” a swell, beneath of normal “wp-login or wp-admin”

  • I got a reply to my previous post though I don’t see it here now. I have reactivated the plugin, so of course I can no longer access my site – so please let me know when you are done looking at it. I put in the slug loggins and when I saved I got a white page with just the following errors:

    Warning: file(/.htaccess) [function.file]: failed to open stream: No such file or directory in /home/userna5/public_html/wp-content/plugins/hc-custom-wp-admin-url/hc-custom-wp-admin-url.php on line 52

    Warning: implode() [function.implode]: Invalid arguments passed in /home/userna5/public_html/wp-content/plugins/hc-custom-wp-admin-url/hc-custom-wp-admin-url.phpon line 52

    Warning: fwrite() expects parameter 1 to be resource, boolean given in /home/userna5/public_html/wp-content/plugins/hc-custom-wp-admin-url/hc-custom-wp-admin-url.phpon line 68

    Warning: Cannot modify header information – headers already sent by (output started at /home/userna5/public_html/wp-content/plugins/hc-custom-wp-admin-url/hc-custom-wp-admin-url.php:52) in /home/userna5/public_html/wp-includes/pluggable.php on line 1121

    If I go to the login page now I get the errors I mentioned before and loggin in fails.

  • I get these warnings when I go to the login page at the slug:

    Warning: file(/.htaccess) [function.file]: failed to open stream: No such file or directory in /home/geeksi5/public_html/ on line 137

    Warning: implode() [function.implode]: Invalid arguments passed in /home/geeksi5/public_html/ on line 137

    Then when I try to log in I get a page of errors. The plugin says it can’t write to .htaccess but I’ve checked and the permissions on the file are 644.

    If I disable the plugin you lock my site. If I have the plugin enabled my site is broken and I can’t log in to it.

    • It looks like you may have removed the plugin. So that I can see what you are seeing, could you re-activate it?

  • Jacob,

    Thanks for the help. Our website has a home page that is served out of the root public-html directory, while the blog is served out of the /blog directory. The plugin seemed to have changed the root .htaccess file and not the .htaccess file in the /blog directory.

    We manually updated the .htaccess file in the /blog directory, and that allowed us to get to the login screen.

    Once logged in, it was redirecting us to the home page rather than the admin tool. So, as mentioned in an earlier comment, we removed the rewrite rule from the .htaccess file in the root public-html directory.

    That fixed the issue, and everything is working properly. I wanted to let you know that’s what we had to do, in case it helps other customers.

    Good luck!

  • Tried that earlier. I just emptied my cache and tried that again. When I enter that, I get an Error 404 – Page Not Found message. I’ve tried every blog/secret or wp-login.php/secret or wp-admin/secret derivative I can think of.

    • Hello Angelina,

      If you open up your .htaccess file which in your case sounds like it should be located at /blog/.htaccess, do you see a line like this:

      RewriteRule ^secret/?$ /wp-login.php [QSA,L]

      This is the RewriteRule that converts your hidden WordPress admin slug to the normal wp-login.php script internally.

      Are you sure that you’re entering in the same slug that you’ve set with the plugin? You should be able to verify it with that line.

      If you’re still having issues, you can simply remove the line manually from your .htaccess file, and you should be able to access your WordPress admin normally again.

      If you’re still having issues and have your website hosted with us, feel free to comment back with your domain name and we can take a look for you. We can take your domain name out of your comment prior to approving it to be displayed to the public.

      – Jacob

  • Same problem as others. Can’t access log-in. Both mainpage/blog/wp-login.php/secret and mainpage/blog/wp-login.php take me to my site’s home page. I’ve cleared cache, cookies and history multiple times.

  • Thank you very much for this explanation!

    I just installed the plugin and changed the login link. When I logged out and clicked on the previous login link, it didn’t work anymore, just as you mentioned above. However, shortly afterwards, the old login link worked again, meaning I now have to login links – the old one and the new WP slug one. 

    Do you know why the old login link works again, and if there is anything I can do to only have the new WP slug login link work? 

    Thank you very much in advance for your help!



    • Hello Christine,

      Glad the steps helped you get the plugin installed. After logging in with your /secret WordPress admin slug, you can then access the normal URL as long as you are logged in.

      After logging out of WordPress, if you are still able to directly access your WordPress admin login page from either /wp-admin or /wp-login.php then you might want to clear you web browser’s cache. It sounds like possibly your computer is caching the old .htaccess file so it isn’t requiring the redirect through the secret URL.

      If that still isn’t working, are you sure that the HC Custom WP Admin plugin is still enabled in WordPress under the Plugins section?

      Please let us know if you’re still having any problems, or if you have any other questions at all!

      – Jacob

  • Hi,

    I used the HC Custom WP-Admin URL procedure but did not notice that in step #8 I needed to add the entire URL for my site and instead just entered a set of letters and numbers. Now I cannot access my WP admin page. Step #8 could have been made more clear if instead of showing the word “secret” you showed an entire URL with /secret at the end. What can I do now?

    Thanks for any help you can give me,




    • Hello Richard,

      In step #8 you only have to add the ‘slug’, not the entire URL. What type of error are you getting?

      Kindest Regards,
      Scott M

  • For the record, whatever “slug” you use, it will have to be converted to all lowercase letters when you use it to sign in.  Thus, if your slug is “BigMack”, you will sign in using “/bigmack”  I found this out after a few hours of frustration over not being able to sign into my account!  (I kept getting 404 errors.)  Maybe everyone in the world already knows this, but I didn’t.

    • Hello BigMack, and thank you for your comment.

      Thanks for pointing this out, it does look like when you create your WP-Admin Slug it does mention below it Allowed characters are a-z, 0-9, – and _ excluding any capital letters. That’s an easy thing to miss though!

      I’ll go ahead and update this article as well to hopefully save anyone else from having the same issues.

      Thanks again for commenting and letting us know!

      – Jacob

  • I’m trying to find my htaccess in cPanel but do not know where to start – can someone help?  i need to reset the slug because it did not work for me even after clearing my cache. 

    I have a blog deadline by tomorrow and any help would be great ASAP. 




    • Hello Lisa,

      Thank you for contacting us. Here is a link to our helpful guide on how to manage files in your account.

      The easiest option may be to use the File Manager in cpanel.

      If you have any further questions, feel free to post them below.
      Thank you,


    • Ben,

      Thanks for the comment – and the compliment! It’s all good. We understand that many people have varying opinions and may come from a variety of backgrounds. We just try our best to be fair and open-minded to the opinions expressed. We try to avoid negativity and we hope to relay the best solution – whether it’s from our staff or from any one willing to contribute. So, many thanks for your input!

      Arnel C.
      Community Support Team

  • Hey Arn & Carl,

       Firstly, I do apologise!! You’re absolutely right Carl.. it’s a shame to think itheme’s has butchered this plugin because ‘Better WP Security’ was (is) great.

    Sounds like it could be a similar (although not as severe) situation as Nextgen gallery, man that was an epic fall from grace!

    Arn your right, that’s something I didn’t consider.. again, apologies for providing an inferior option. Personal opinion can obviously be problematic when something works for you.. especially when you haven’t considered all angles.

    ^^ Listen to these guys, they’re the pros ^^^



  • Hi Ben,


    Thanks for the suggestion.


    However, I would look closer at the ratings you’re referencing.  


    “WP Better Security”, now known as “iThemes Security” had one of the best ratings history’s PRIOR to being purchased by iThemes.  Since iThemes purchased the plugin around March of this year and made their changes, it has received approximately 90 Single Star Ratings and 37 Five Star Ratings.


    So the current iThemes release of this plugin is about a 1.4 Star out of 5.


    I do use iThemes Security on one of my sites and have been happy with it, but you need to look closely at the ratings and read the good and bad to get the full picture.  There’s currently a lot of angry people at iThemes.


    I’d also like to reiterate the Inmotion’s support staff’s suggestion relating to this article is a very effective and lightweight solution.

  • I followed the instructions and downloaded the plugin where this is the 2nd locked out I have had in past week after a mass attack.

    The plugin installed easily enough and it is working as described. Thanks.

  • This is not a good recommendation – If anyone is looking for the best WordPress security plugin, it’s “ithemes security”, aka ‘Better WP Security’.

    You only have to look at the ratings to be convinced. It’ll do what is suggested here and more.

    Damn this is sounding super spammy, sorry but it’s worth mentioning… ha ha. Seriously, this plugin is a winner.



    • Thanks for the comment, Ben.

      I can understand when you have a recommendation based on experience. Please bear in mind that any plugin that needs to be called up for any security event will have a resource cost on the server. If the server is being hit by a large brute force attack, then this may still cause downtime issues. The suggestions made by Jacob provide security changes that help to stop attacks BEFORE a WordPress plugin/process is running. This helps to provide security while also avoiding a large impact on server resources.

      Kindest regards,
      Arnel C.

  • I appreciate your support on this topic.

    However, I would highly recommend against suggesting this particular plugin.  It has one of the lowest ratings, lowest download numbers, a four month back up in the support forums.

    I know plugins are a ton of work to create and maintain and authors sometimes have other priorities.  So it’s no ones fault, but “Rename wp-login.php” has a perfect score, double the downloads, excellent support and even identifies caching conflicts on activation and recommends the proper action.


    I hope this helps.

  • Hi Jacob,

    I tried the instructions above serveral times but with no luck. I end up removing the script in .htaccess to be able to login again to the site. I have W3 Total Cache installed in the site, it might be the reason why the plugin is not working. Would it be possible to make HC Custom WP-Admin work with W3 Total Cache? If yes, do you have any instructions on how? 

    Thank you in Advance!



    • We have not fully tested the use of the WordPress mobile app after changing the admin URL, however, as it is just a rewrite, we assume it will work fine. If you have confirmed it working or not working, let us know so that we can report it to others.

    • We have tested this plugin alongside W3 Total Cache and have seen that it is working correctly, however, the cache will need to be purchased within the W3 Total Cache plugin as well as your browser cache will need to be cleared to access the WordPress admin correctly.

  • Hi Jacob,

    I’m assuming you were off this weekend, as the comments did not post … 

    Just to let you know live support is doing a full site restore to the 16th, along with my database backups. The .htaccess file they are using will have the snippet of code at the top for the redirect in the case of multiple IP addresses. The plugin will not be on there.

    I really hope this fixes everything … my customers have been great about it and not given me grief for not being able to login.

    I thought I would let you know so that you don’t go in to the files and waste your time looking for code that won’t be there. 🙂

    Crossing my fingers now … 

    Thank you,


  • Hello Arnel and Jacob,

    Whatever coding got changed in this thread, live support cannot find and fix. Not happy, but more disappointed. Something in the Inmotion cog wheels need to be fixed – the left hand is not working with the right hand. 

    They have referred me back to yourselves to fix it.

    My customers have been unable to login for 2 days now.

    The HT plugin has been disabled and removed and I do not want that plugin back in the system.

    The problem is now that the login button keeps referring to best-customers-ever and there is no such thing so an error results.

    Would you please REMOVE the coding that does this (Arnel I think put it in), and please KEEP the coding in the .htaccess file that was from the article Lock down WordPress in the section: Dynamic IP address access, limit by referer.

    Please test that:

    1) customers can only login in via the blue button on the main page

    2) customers cannot login via wp-login.php in a cached form – they have to click on a blue button

    Thank you in advance for considering this a priority.


  • How does this plugin affect the ability to access the backend using the WordPress mobile apps? I tend to write my blog using the Android app as opposed to logging in via web browser.

  • Hi Jacob,

    I am speaking with live support now – please leave the account alone. 

    I sure hope they can let you know that they’ve made the changes.



  • Hi Jacob,

    At this point I am extremely frustrated because I cannot log in, nor can my 60 clients.

    I do not want the plugin enabled, but I can’t login to remove it.

    What I want is what Larry W. in service did, which was change the .htaccess so that a client had to click on the login button manually to log in.

    I do not want a secret login anymore, because it is NOT WORKING.

    I have cleared all of the caches and used brand-new browsers and it is definitely NOT WORKING.

    Please remove the plugin.

    In the future, I need someone to phone before making changes to the site. I was kicked off the site when you went in to make changes and the only way I found out was through my cPanel. You can’t just go in and boot off people.

    Please fix this issue right now!


  • Hi Jacob,

    Yes I am able to login from the site, and it redirects properly to best-customers-ever BUT I am also able to login from wp-login.php, which is what Larry W. in service was supposed to have changed for me.

    To foil the Brute Force Attacks, the ability to login from the default login page for WordPress was supposed to have been blocked, which was happening before we got into the plugin that messed everything up.

    Can you please fix this?

    This is what I need:

    1) client not able to login from wp-login.php *** key for the Brute Force attacks

    2) client only able to login by clicking the login button on the site, not through a cached wp-login.php page *** key for Brute Force

    3) client able to login from any page on the website with the login button ** key for customer service

    Hope that helps – it sure would be easier to talk on the phone rather than have 20 emails back and forth.




    • Hello Gillian,

      I agree that reaching out to live tech support would probably help you resolve this issue better if you continue to have problems.

      Unfortunately I’ve set things up for you and tested them to work, but then the HC Custom WP-Admin URL plugin gets disabled, which re-allows access to /wp-admin and wp-login.php once again which in turns triggers our ModSecurity rules when you have failed login attempts.

      I have once again re-enabled this plugin for you, and I can confirm right now that trying to directly go to either of those URLs results in just your front page loading. Using the secret admin slug of best-customers-ever the normal WordPress login page is displayed. This is also still what your template that we edited is having your Login button going to.

      If you are not seeing this behavior, then clear your web browser’s cache. Or even better open a new Incognito or Private browsing window to ensure that your computer is not caching anything related to the WordPress login. You should see when trying to access either /wp-admin or wp-login.php that your main page will simply be loaded again, but if you click on the Log in link it should work.

      If certain users are having issues, and you disable the plugin, it’s just going to allow access back to the default admin URLs and possibly trigger a block again. So I’d recommend towards telling all your members to not attempt to log in if their browser happens to say /wp-login.php at the end and only if they are using the Log In button or the secret slug URL.

      – Jacob

  • Hello Jacob,

    I uninstalled the plugin because I could not log in to the site. It keeps returning me to the home page every time.

    I have uninstalled the plugin again because I have 60 paid customers accessing the site and they must be able to login at any time.

    I am not sure why we can’t fix this issue. Would you please look into this further?

    Thank you.


    p.s. your service people had originally altered the .htaccess file so that you could only log in from the home page, which is a good thing because it requires a manual click by the customer to login.

    I am wondering if this plug in is competing with the alterations in the .htaccess file (it does say in the plugin’s warnings that this can happen!!)


    • Hello again Gillian,

      Are you able to login now? I simply re-installed the plugin and was able to access the website as normal as well as the admin dashboard. You might have possibly had another .htaccess rule conflicting with the plugin, but I’m not sure what that would have been because it is not present now.

      If you’re having any issues at all accessing the WordPress admin from your login link, you will want to make sure to clear your web-browser cache to make sure that you are in fact loading up the latest rules.

      – Jacob

    • We have now added an unsubscribe link within the email notification. Simply click this link to be removed from this article.

    • Hello Gillian,

      Arnel simply followed the steps that I previously mentioned further up in the comments about modifying the WordPress login link.

      It doesn’t look like you had sufficient protection setup, as both your wp-login.php script and /wp-admin directory were accessible to anyone because you had uninstalled the HC Custom WP-Admin URL plugin.

      I went ahead and reinstalled that plugin for you and ensured things were setup correctly.

      As far as the code Arnel edited for you, as the instructions for modifying the WordPress login link explain, you just open up your /wp-includes/general-template.php file and then add the highlighted code where would be your domain followed by the custom URL you setup in the plugin:

      function wp_loginout($redirect = '', $echo = true) {
      if ( ! is_user_logged_in() )
      //$link = '<a href="' . esc_url( wp_login_url($redirect) ) . '">' . __('Log in') . '';
      $link='<a href="">Log in</a>';

      Let us know if you have any further questions!

      – Jacob

  • That’s perfect – you’ve fixed it 🙂

    No need to move the login if it’s loading right from any page.

    Thank you so very much again!


  • Thanks so much Arnel!!

    I appreciate it so much that you helped out. 

    My next question is the Login button is riding along in the header on every page, so it’s confusing for customers because they get an error when they try to log in on a page other than the Home page. Is there a way to move this Login button into the Home page sidebar instead so it only shows on the Home page?

    I appreciate so much the help because I don’t want to mess it up. I don’t know how to remove the login button from the header.



    • Hello Gillian,

      Sorry for the problem there. What was happening was the re-write was trying to load the slug you specified earlier for each page, meaning the URL was being loaded incorrectly. I have corrected it so the error does not appear when you click on the login button. This was a site created by InMotion Web Design, so if you’re asking changes to the design it really should go back to them, unless you intend to modify it yourself. You can change what’s in the header by simply editing the theme editor so that the LOGIN button is longer at the top. Moving it to another location would require more some design consideration, especially you’d have to either move or resize elements that are already in place.

      Apologies that I can’t make all of the changes, but I hope this helps to provide a workable solution.

      Arnel C.

  • Hi Jacob,

    Actually Inmotion did my design for the website … it’s based on a Twenty-Eleven theme and they coded in the button…

    Are you able to look at the code from your end to help me out?

    I just don’t want to mess anything up after today’s challenges!




    • Hello Gillian,

      I reviewed the suggestions that Jacob suggested above and made the changes for you. Your login link for admin is now based on slug you set up for it. I verified that it’s working. Check it out and let us know if you have any further questions.

      Arnel C.

  • Your customer support team gave me this article link, and I installed the plugin (great instructions, btw) … however, because I have a custom login button, it just disabled the login. Of couse I was able to log in by putting the correct slug in ….

    Are you able to help me modify the custom login so that it works?

    I have had a very bad day with a full site restore needed because of hackers. I would really like to prevent this in the future.

    Thanks for your help!



    • Hello Gillian,

      You should be able to simply edit your custom login button to reflect the new secret admin URL slug that you used. You can look at my comment a few responses up talking about modifying the WordPress login link and see if that works for you.

      If not, please let us know how you are adding the custom login button, either with a plugin or theme.

      – Jacob

  • Thank you very much for quick reply Jacob!

    Yes, the fix you provided worked fine for me. I ended up changing following 4 files for login links based on your direction.







    • Hello John,
      We are happy to hear Jacob was able to get things squared away for you. Please do not hesitate to contact us again if you have any further questions.

      Kindest Regards,
      Scott M

  • Hi,

    This is nice plugin and works fine with my WP 3.4.2.

    But I have comments enabled in blog. If I am not looged in, it shows a text “Please log in or register to post a comment and join the discussion.” on main blog page. Login link here does not work now. Because it points to wp-login.php and it redirects user to home page.

    Do you have a fix for this?



    • Hello John,

      After changing your wp-login.php URL with the HC Custom WP-Admin URL plugin, you can modify your /wp-includes/general-template.php file to reflect this change as well in your Meta widget.

      If you edit that file, look for this section of code:

      wp_loginout($redirect = '', $echo = true) {
      if ( ! is_user_logged_in() )
      $link = '<a href="' . esc_url( wp_login_url($redirect) ) . '">' . __('Log in') . '</a>';
      $link = '<a href="' . esc_url( wp_logout_url($redirect) ) . '">' . __('Log out') . '</a>';

      The line that I’ve highlighted is the way WordPress creates the Log in link. You could instead change this to the following if your WP-Admin slug was set to wp-secret:

      //$link = '<a href="' . esc_url( wp_login_url($redirect) ) . '">' . __('Log in') . '</a&gt';
      $link = '<a href="wp-secret">Log in</a>';

      You don’t need to modify the Log Out link, because once you’re logged into WordPress you can send requests to wp-login.php as normal.

      Please let me know if that works for you. If you’re still having issues, and would like us to take a closer look please let us know the site you’re having these problems on.

      – Jacob

  • Definitely doesn’t work with current wordpress install. Installed…says this when I try to access the new slug I set up:

    Not Found

    Sorry, but you are looking for something that isn’t here.


    Lost access to both wp-admin and wp-login. Tried clearing cache…different browsers…and different computers.

    Now off to find my .htcaccess file and try and figure out how to fix.


    • Hello J,

      As discussed in the comments above, this plugin does indeed function with the latest version of WordPress and has been tested many times. Make sure that you clear your web-browser’s cache prior to attempting to access your dashboard over the new secret URL.

      If you’re having a specific problem accessing your WordPress dashboard now, you should simply be able to find your .htaccess file, and look for this line:

      RewriteRule ^secret/?$ /wp-login.php [QSA,L]

      That should be the secret slug you want to use to attempt to access your dashboard now. Unfortunately I was unable to find any account information with us to check on this for you. So if you’re hosting with us and still having any issues getting it working please submit a ticket in order for us to investigate what might be wrong with your install.

      You can manually disable WordPress plugins in bulk which should disable the custom admin URL plugin and allow you back in regardless. It’s also possible you have another plugin that could be interfering with the HC Custom WP-Admin URL plugin, so you could try re-enabling your plugins one at a time till you find an issue.

      – Jacob

  • This plugin actually doesn’t work with WP 3.8.1.  Using it caused me to lose access to WP as the slug does not work for login.  Additionally, there are much better security plugins that do work.  The WP help is mostly out of date and your support staff seems to not know that.

    • This would be caused by your .htaccess file not being writable. You would need to either copy the code provided into your .htaccess file, or adjust the permissions of your .htaccess file to allow writing to it, which would typically be permissions of 644.

  • IN installed the plub in but am getting an error message after changing my slug name and saving the name.  now allowing me to write that slug name for some reason.  It then asks me to copy some code.  I’m not sure what do do here. 

    • Hello Handy,

      Thank you for your question. Since you are using “HC Custom WP-Admin” to mask your wp-admin folder from the outside, there is no need to rename your wp-admin folder.

      The WordPress community recommends using a plugin to accomplish this, as can be seen in this forum post.

      I did find a possible solution through google search here.

      If you have any further questions, feel free to post them below.
      Thank you,


  • Hi Jacob, 

    As embarassing as it is, I can’t remember what word I selected in step 8. I have tried what I remember it to be but I am not getting to my dashboard.

    Any suggestions?



    • Hello Aaron,

      Thank you for your question. You can view your slug in your .htaccess file; which is located in the root folder where your WordPress is installed.

      For example: If you chose test as your slug it will look like this in the .htaccess file:

      RewriteRule ^test/?$ /wp-login.php [QSA,L]

      If you have any further questions, feel free to post them below.
      Thank you,


  • Hi John-Paul,  

    I am able to get to the URL/website search reply, not the admin… how do I proceed to the WP admin to edit the website? Is there a way to undo this?

    Thanks, Richard

    • Hello Richard,

      Sorry for the confusion, your WordPress admin area should still be accessible after you installed the HC Custom WP-Admin URL plugin. You just need use the WP-admin slug that you set from step #8.

      If your WordPress dashboard was available at:

      If you set your WP-admin slug to secret like my example in this guide. You would then be able to get to your dashboard from:

      Essentially the WP-admin slug you set with this plugin, becomes your new URL for accessing the dashboard going forward.

      If you did want to undo the changes made by the plugin, you could edit your .htaccess file in your WordPress directory. Just comment out by placing a # symbol at the front of the line, the one that reads something like:

      RewriteRule ^secret/?$ /wp-login.php [QSA,L]

      Then save your .htaccess file, clear your browser’s cache, then try to access the admin dashboard normally again from:

      If you’re still having any issues accessing your dashboard after installing, or disabling this plugin, please let us know!

      – Jacob

    • Hello Richard Keith,

      Thank you for your question. You should add the slug with no spaces like this:

      You may have to clear your browser cache before it will work.

      If you have any further questions, feel free to post them below.
      Thank you,


  • I’ve completely lost access to my Admin… how do I get it back?… 

    I added slug at the end of the URL, like this: .com/wp-admin slug

    Was that the right way to do it?



    • Hello ZoD Gaudette,

      While this plugin doesn’t officially support WordPress 3.8 in terms of having it on the WordPress plugin page as a compatible release yet. It does indeed function with WordPress 3.8 which is the version of WordPress this article was written using.

      I just installed a fresh copy of the latest WordPress 3.8.1 and tested it out and this plugin still functions.

      If you’ve installed this plugin and are having issues accessing your WordPresss dashboard afterwards, you might want to try clearing your local web-browser’s cache. We’ve seen instances where the server’s .htaccess file which contains the redirect code that this plugin uses, gets cached on a users computer, and they can’t see the updated changes.

      If you’re having another specific problem at all using this plugin with the newer versions of WordPress, please let us know!

      – Jacob

Leave a Reply to InMotionFan Cancel reply