4 comments

  1. If you are doing this for your own site, then using .htaccess might be the easiest way, although it could get tricky if you want to make it work for a plugin, as there would be lots of different subtle configuration differences to support.

    Here are some articles that could help; not all are directly answering your question but they all address your security concern in one way or another:

    And of course there’s no better blog expert on Apache and WordPress than the guy who writes AskApache. Be sure to check out these:

  2. I ran into the same problem recently, and you’re right that the Stealth plugin is no longer supported. However, because I finally realized that the Stealth plugin was the best option, I did a clean install of WordPress to the last version of WordPress that the Stealth plugin supported to figure out how the plugin works. Turns out, the only thing that the plugin is doing is creating a .htaccess file with some magic. The .htaccess file will look a little something like this:

    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^logout wp-login.php?action=logout&_wpnonce=asdfasdf&stealth_out_key=asdfasdfasdfasdf [L]
    RewriteRule ^login wp-login.php?stealth_in_key=asdfasdfasdf&redirect_to=http://example.com/login [R,L]
    RewriteRule ^admin wp-admin/?stealth_admin_key=asdfasdfasdfasdf [R,L]
    RewriteCond %{HTTP_REFERER} !^http://example.com/wp-admin
    RewriteCond %{HTTP_REFERER} !^http://example.com/wp-login.php
    RewriteCond %{HTTP_REFERER} !^http://example.com/login
    RewriteCond %{HTTP_REFERER} !^http://example.com/admin
    RewriteCond %{QUERY_STRING} !^stealth_in_key=asdfasdfasdfasdf
    RewriteCond %{QUERY_STRING} !^stealth_out_key=asdfasdfasdfasdfasd
    RewriteCond %{QUERY_STRING} !^stealth_reg_key=asdfasdfasdfasdfasdf
    RewriteCond %{QUERY_STRING} !^stealth_admin_key=asdfasdfasdfasdfasdf
    RewriteRule ^wp-login.php http://example.com [R,L]
    RewriteCond %{QUERY_STRING} ^loggedout=true
    RewriteRule ^wp-login.php http://example.com [R,L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    

    I have changed all of the keys to some variation of “asdfasdfasdf” — obviously you would need to create some secret keys for yourself.

    Hope this helps!

  3. Or you could rename wp-login.php to some-obscure-name.php; then, when you want to log in, type your-url/some-obscure-name.php instead of going to wp-admin.php.

  4. Here’s what I did:

    I simply renamed the wp-admin directory to some obscure name, pfgkn for example.

    Going to http://your-domain.com/wp-admin/ redirects you to your home page at http://your-domain.com/ or whatever else your 404 not found redirects to.

    When I need to log in – I just rename the pfgkn directory to wp-admin, make my changes and then rename it back to pfgkn.
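
An added example for the .htaccess in comment 2 (not the Stealth plugin's code or the commenter's): it draws a separate random value for each stealth key and renders the login/admin entry rules plus the wp-login.php gate, leaving out the logout rule and WordPress's own index.php fallback. The function names, the 24-byte key size and the `mismatched_keys` consistency check are assumptions of this example.

```python
import re
import secrets

# Key names as they appear in the .htaccess quoted in comment 2.
KEY_NAMES = ("stealth_in_key", "stealth_out_key",
             "stealth_reg_key", "stealth_admin_key")


def make_keys(nbytes=24):
    """One independent CSPRNG value per key; hex keeps it URL- and regex-safe."""
    return {name: secrets.token_hex(nbytes) for name in KEY_NAMES}


def render_htaccess(site, keys):
    """Render the entry rules and the wp-login.php gate for `site`."""
    host = re.escape(site)  # escape dots so the Referer patterns match literally
    lines = [
        "<IfModule mod_rewrite.c>",
        "RewriteEngine On",
        "RewriteBase /",
        f"RewriteRule ^login wp-login.php?stealth_in_key={keys['stealth_in_key']}"
        f"&redirect_to={site}/login [R,L]",
        f"RewriteRule ^admin wp-admin/?stealth_admin_key={keys['stealth_admin_key']} [R,L]",
    ]
    for path in ("wp-admin", r"wp-login\.php", "login", "admin"):
        lines.append(f"RewriteCond %{{HTTP_REFERER}} !^{host}/{path}")
    for name in KEY_NAMES:
        lines.append(f"RewriteCond %{{QUERY_STRING}} !^{name}={keys[name]}")
    lines += [rf"RewriteRule ^wp-login\.php {site} [R,L]", "</IfModule>"]
    return "\n".join(lines) + "\n"


def mismatched_keys(htaccess_text):
    """Key names whose value in a RewriteRule has no identical RewriteCond."""
    injected, checked = {}, {}
    for line in htaccess_text.splitlines():
        for name, value in re.findall(r"(stealth_\w+_key)=(\w+)", line):
            target = injected if line.startswith("RewriteRule") else checked
            target[name] = value
    return sorted(n for n, v in injected.items() if checked.get(n) != v)


if __name__ == "__main__":
    # example.com is the placeholder host used in the comment above.
    text = render_htaccess("http://example.com", make_keys())
    assert mismatched_keys(text) == []
    print(text)
```

`mismatched_keys` can also be run over a hand-edited file to confirm that each key a RewriteRule appends is the same one the gate conditions test for.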