If your WordPress site is publicly accessible, it is being probed right now. Automated bots constantly scan the internet for WordPress installations and hammer the default login pages - /wp-admin and /wp-login.php - with thousands of username and password combinations every day.
Changing your login URL does not make your site impenetrable, but it does make it invisible to the vast majority of automated attacks. Most bots do not try to find a custom login URL - they just move on to easier targets.
Install WPS Hide Login
The easiest way to change your WordPress login URL is with the free WPS Hide Login plugin.
- In your WordPress dashboard, go to Plugins > Add New
- Search for "WPS Hide Login"
- Install and activate it
- Go to Settings > WPS Hide Login
- In the "Login URL" field, change the default value to something you will remember but that is not obvious - something like
team-portalorstaff-access-2025works well - Click Save Changes
Your new login URL will be yourdomain.ca/whatever-you-chose. The old /wp-admin and /wp-login.php URLs will return a 404 error to anyone who tries to access them - including bots.
Choosing a Good Login Slug
Avoid the obvious. Do not use login, signin, dashboard, admin, or wordpress - bots and scanners already try these. Pick something memorable but not guessable. A short phrase, a word from your industry, or a combination works well.
Write it down. Seriously. Put it in your password manager along with your username and password.
What to Do If You Forget the New URL
It happens. You change the login URL, clear your browser history, and two months later you cannot remember what you set it to.
Option 1: Check your password manager. If you saved it there, you are done.
Option 2: Check the database via phpMyAdmin. Log into cPanel, open phpMyAdmin, select your WordPress database, and look in the wp_options table (or whatever prefix you use). Search for the whl_page option - the value will be your custom login slug.
Option 3: Deactivate the plugin via FTP or cPanel File Manager. Navigate to wp-content/plugins/ and rename the wps-hide-login folder to something like wps-hide-login-disabled. This deactivates the plugin and restores the default login URL. Log in normally, then rename the folder back and reactivate.
This Is One Layer, Not the Only Layer
Hiding your login URL reduces noise, but it should not be your only security measure. Treat it as one layer in a stack:
Strong passwords and usernames. Never use "admin" as your username. Use a long, unique password generated by a password manager.
Two-factor authentication. Plugins like WP 2FA or Google Authenticator add a second verification step even if your password is compromised.
Login attempt limits. Plugins like Limit Login Attempts Reloaded block IP addresses after a set number of failed login tries. Even if a bot finds your custom URL, it will be locked out quickly.
Keep everything updated. The majority of WordPress hacks exploit known vulnerabilities in outdated plugins, themes, and WordPress core. Updates are security patches.
Regular backups. Not a prevention measure, but your last line of defence. If something does go wrong, a clean recent backup is invaluable.
The Five-Minute Investment
Changing your WordPress login URL takes less time than reading this article. It immediately reduces the volume of brute force traffic hitting your site, which means less server load and fewer opportunities for credential stuffing attacks to succeed.
Combined with strong passwords, two-factor authentication, and a login limiter, you have a solid security baseline - one that stops the vast majority of automated attacks before they ever become a real threat.
Looking for WordPress hosting with built-in security features? dotCanada's managed WordPress plans include server-level protections that work alongside your in-dashboard security setup.
