#41485 How to Change and Hide the WordPress Admin Login URL Using Akeeba Admin Tools

Posted in ‘Admin Tools for WordPress’

Latest post by on Thursday, 13 February 2025 14:17 CST

[email protected]

Hello Akeeba Support Team,

I am currently using Akeeba Admin Tools on my WordPress website and would like to enhance the security by changing and hiding the default WordPress admin login URL (`/wp-admin` and `/wp-login.php`). Could you please provide me with step-by-step instructions on how to achieve this using Akeeba Admin Tools? I am particularly interested in utilizing the `.htaccess Maker` or any other recommended feature within the plugin to effectively hide the login URL and create a custom login path.

Thank you for your assistance!

Best regards,

nicholas
Akeeba Staff
Manager

Yes, you can hide –or, to be more precise, lock– both of these URLs. Admin Tools, Web Application Firewall, Configure WAF. Under Basic Features there's Change Admin URL with two fields.

The first field is what you will visit to “unlock” access to /wp-admin and /wp-login.php.

Let's say you enter foo in this field. You will have to go to /foo on your site before trying to log into it. Doing so unlocks /wp-admin and /wp-login.php and displays the admin login page.

Please note that unlocking uses a user session flag. After visiting /foo and until the session expires you will be able to access /wp-admin and /wp-login.php without being blocked. Also note that other people who do not know about /foo will NOT be able to access /wp-admin and /wp-login.php.

The second field replaces the URL to register a new account. This prevents bots from visiting /wp-register.php on your site to register a new, spammy account. They would need to use the URL slug specified here. For example, if you enter opensesame here, user registration is only possible if someone accesses /opensesame. If they try to access /wp-register.php directly they will be blocked. If you do not want user registration to be possible on your site, remember to also disable user registration in WordPress' options.

The Admin URL Action tells Admin Tools what to do when unauthorized access is detected. The recommended option is 404 Not Found because it confuses the heck out of automated bots, making them think that your site is not using WordPress.

Finally, let me tell you that using a simple .htaccess redirection is NOT a good idea to do what I described. It never was, it never will be. That redirection cannot possibly hide the original URLs, like /wp-admin. They will still be accessible by everyone. It would only add an alias to /wp-admin. Not quite what you want. Doing it the right way requires PHP code. WordPress has built-in support to “rename” those endpoints, which by default works a lot like a .htaccess redirection. We use that together with our custom PHP code which creates the “locking” effect you need.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
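
A minimal model of the behaviour described in the reply above, added here as an illustration and not taken from Admin Tools' code: it contrasts an alias-only redirect with the session-flag lock. The function names, the in-memory session store and the reduction of each response to a status code are assumptions; `/foo` is the reply's example slug and 404 is its recommended Admin URL Action.

```python
import secrets

PROTECTED = ("/wp-admin", "/wp-login.php")
UNLOCK_SLUG = "/foo"   # the example slug from the reply
SESSIONS = {}          # session id -> flags; stands in for server-side session storage


def is_protected(path):
    """True for the login endpoints and anything beneath /wp-admin/."""
    return any(path == p or path.startswith(p + "/") for p in PROTECTED)


def alias_only(path):
    """Redirect-style alias: /foo reaches the login page, but so do the original URLs."""
    return 200 if path == UNLOCK_SLUG or is_protected(path) else 404


def session_lock(path, cookie=None):
    """Return (status, cookie) for one request under the session-flag lock."""
    session = SESSIONS.get(cookie)
    if path == UNLOCK_SLUG:
        if session is None:                      # first visit: start a session
            cookie = secrets.token_urlsafe(16)
            session = SESSIONS[cookie] = {}
        session["unlocked"] = True               # the flag the reply describes
        return 200, cookie
    if not is_protected(path):
        return 404, cookie                       # path outside this model
    unlocked = bool(session and session.get("unlocked"))
    return (200 if unlocked else 404), cookie    # 404 Not Found action when locked


def expire(cookie):
    """Simulate session expiry: the unlock flag disappears with the session."""
    SESSIONS.pop(cookie, None)


if __name__ == "__main__":
    print("alias only, direct /wp-login.php:", alias_only("/wp-login.php"))
    print("lock, direct /wp-login.php:", session_lock("/wp-login.php")[0])
    _, sid = session_lock(UNLOCK_SLUG)
    print("lock, after visiting /foo:", session_lock("/wp-login.php", sid)[0])
    expire(sid)
    print("lock, after session expiry:", session_lock("/wp-login.php", sid)[0])
```

The same four requests make a quick acceptance check on a real site after enabling the feature: direct access blocked, access after the slug allowed, and blocked again in a fresh session.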
