Change The WordPress Login URL Without A Plugin


If you want to change the WordPress login URL, you can use a custom PHP script to do so. This script lets you define a new login URL and replace the default WordPress login URL with it.

Why Should You Change The Login URL For Your WordPress Site? 

1. Security!

By changing the login URL, you can make it more difficult for unauthorized users to access the login page. This can help prevent attackers from guessing or brute-forcing the login URL and attempting to log in to your WordPress site.

2. Branding

Changing the login URL can also help with branding. For example, you can use your company or brand name as the login URL, which can help improve recognition and association with your brand.

3. Compatibility

Some WordPress plugins and themes may require a specific login URL in order to work properly. By changing the login URL, you can ensure that these plugins and themes are compatible with your WordPress site.

 

Why Use A Custom Script Over A Plugin? 

The main advantage of using a custom PHP script instead of a plugin to change the WordPress login URL is that it's free and has no chance of requiring a paid license after you become dependent on the feature.

Another advantage of using a custom PHP script is that it gives you full control over the login URL. With a plugin, you may be limited to the options that the plugin provides, whereas with a custom script, you can define the login URL exactly as you want it. This can be especially useful if you want to use a login URL that is not available with any existing plugin.

How To Change The Login URL Manually

To use the custom PHP script, follow these steps:

Add the following code to your WordPress theme’s functions.php file:

				
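<?php
// Leave out the opening tag above if functions.php already starts with one

// Replace "newlogin" with the new login URL that you want to use
define('LOGIN_URL', 'newlogin');

// Filter the login URL and replace it with the new URL.
// This filter only changes the login links that WordPress generates through
// wp_login_url(); the default wp-login.php address still responds.
add_filter('login_url', function() {
    return site_url(LOGIN_URL);
});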

Replace the placeholder value newlogin with the actual login URL that you want to use. For example, if you want to use the login URL mysite.com/customlogin, you would change the code to:

				
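<?php
// Leave out the opening tag above if functions.php already starts with one

// "newlogin" has been replaced with the login URL we want to use
define('LOGIN_URL', 'customlogin');

// Filter the login URL and replace it with the new URL.
// This filter only changes the login links that WordPress generates through
// wp_login_url(); the default wp-login.php address still responds.
add_filter('login_url', function() {
    return site_url(LOGIN_URL);
});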

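Save the functions.php file and test the new login URL to make sure it is working as expected. Check the old /wp-login.php address as well: the login_url filter changes the login links WordPress generates, and the default address keeps responding unless it is blocked separately.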

With this simple PHP script, you can easily change the WordPress login URL without the need for a plugin. This allows you to use a custom login URL and gives you full control over the login process.

Additional Security – Blacklist IPs From Your WordPress Site

Changing the login URL is a great way to help protect your site and reduce the load on your server from brute-force attempts, but it's not a complete security solution for protecting your WordPress site. If a hacker is targeting you specifically, they will more than likely discover your “secret login” URL. One more layer of security you can add is to blacklist IP addresses after a certain number of login attempts. To do this, simply add the PHP script below to your functions.php file in your WordPress theme:

				
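// Failed attempts allowed per IP address before further logins are refused
define('MAX_FAILED_LOGINS', 3);
// How long the counter is kept after the last failure (assumed value, adjust as needed)
define('LOCKOUT_SECONDS', 15 * MINUTE_IN_SECONDS);

// Store failed login attempts in a transient per IP address, where the value
// is the number of failed attempts. A plain PHP variable would be reset on
// every request.
function failed_login_key($ip) {
    return 'failed_login_' . md5($ip);
}

// Hook into the login process
add_action('wp_login_failed', 'handle_failed_login');

function handle_failed_login($username) {
    // Get the IP address of the client that tried to log in
    $ip = $_SERVER['REMOTE_ADDR'];

    // Start from 0 if the IP has no stored count, then increment it by 1
    $attempts = (int) get_transient(failed_login_key($ip));
    set_transient(failed_login_key($ip), $attempts + 1, LOCKOUT_SECONDS);
}

// If the number of failed attempts for this IP is greater than or equal to 3,
// refuse further logins from it. wp_blacklist_check() only screens comments
// and cannot block an IP, so the check runs in the 'authenticate' filter.
add_filter('authenticate', 'block_after_failed_logins', 30, 3);

function block_after_failed_logins($user, $username, $password) {
    $ip = $_SERVER['REMOTE_ADDR'];

    if ((int) get_transient(failed_login_key($ip)) >= MAX_FAILED_LOGINS) {
        return new WP_Error('too_many_attempts', 'Too many failed login attempts. Please try again later.');
    }

    return $user;
}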

This will work well to limit login attempts in the event that someone discovers your new login URL, but you may want to plan for the possibility that you end up blocking your own IP. To avoid getting yourself blacklisted from your own site, you can adjust the above script to include a list of IPs that will remain on the “whitelist”:

 

				
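// This version replaces the script above; do not add both to functions.php.

// Define an array of whitelisted IP addresses
define('LOGIN_IP_WHITELIST', [
    '192.168.1.100',
    '192.168.1.101',
    '192.168.1.102',
]);
// Failed attempts allowed per IP address before further logins are refused
define('MAX_FAILED_LOGINS', 3);
// How long the counter is kept after the last failure (assumed value, adjust as needed)
define('LOCKOUT_SECONDS', 15 * MINUTE_IN_SECONDS);

// Store failed login attempts in a transient per IP address, where the value
// is the number of failed attempts. A plain PHP variable would be reset on
// every request.
function failed_login_key($ip) {
    return 'failed_login_' . md5($ip);
}

// Hook into the login process
add_action('wp_login_failed', 'handle_failed_login');

function handle_failed_login($username) {
    // Get the IP address of the client that tried to log in
    $ip = $_SERVER['REMOTE_ADDR'];

    // If the IP address is in the whitelist, do not count the failed attempt
    if (in_array($ip, LOGIN_IP_WHITELIST, true)) {
        return;
    }

    // Start from 0 if the IP has no stored count, then increment it by 1
    $attempts = (int) get_transient(failed_login_key($ip));
    set_transient(failed_login_key($ip), $attempts + 1, LOCKOUT_SECONDS);
}

// If the number of failed attempts for this IP is greater than or equal to 3,
// refuse further logins from it. wp_blacklist_check() only screens comments
// and cannot block an IP, so the check runs in the 'authenticate' filter.
add_filter('authenticate', 'block_after_failed_logins', 30, 3);

function block_after_failed_logins($user, $username, $password) {
    $ip = $_SERVER['REMOTE_ADDR'];

    // Whitelisted IP addresses are never blocked
    if (in_array($ip, LOGIN_IP_WHITELIST, true)) {
        return $user;
    }

    if ((int) get_transient(failed_login_key($ip)) >= MAX_FAILED_LOGINS) {
        return new WP_Error('too_many_attempts', 'Too many failed login attempts. Please try again later.');
    }

    return $user;
}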
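
The scripts above key the counter on $_SERVER['REMOTE_ADDR'], which is the proxy's address when the site sits behind a load balancer or CDN, so every visitor would share one counter. The following is an added example, not part of the original article, showing one way to choose the address to count against; the function name login_limiter_client_ip, the TRUSTED_PROXIES list and all sample addresses are hypothetical.

```php
<?php
// Added example: hypothetical helper and constructed sample values.
// List only the proxies you operate yourself.
const TRUSTED_PROXIES = ['10.0.0.5', '10.0.0.6'];

/**
 * Return the address the failed-login counter should be keyed on.
 * X-Forwarded-For is set by the client, so it is only read when the direct
 * peer (REMOTE_ADDR) is one of our own proxies.
 */
function login_limiter_client_ip(array $server, array $trustedProxies) {
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote; // direct connection: ignore any forwarded header
    }

    $header = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    $hops = array_map('trim', explode(',', $header));

    // Walk from the right: the rightmost entries were appended by our proxies
    foreach (array_reverse($hops) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break; // empty or malformed entry: stop trusting the header
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop; // first address that is not one of our proxies
        }
    }

    return $remote; // header empty, malformed, or listing only our proxies
}

// Constructed sample requests
$samples = [
    'direct client'          => ['REMOTE_ADDR' => '203.0.113.7'],
    'via proxy'              => ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '198.51.100.23'],
    'header sent directly'   => ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '192.168.1.100'],
    'client entry via proxy' => ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '192.168.1.100, 198.51.100.23'],
];

foreach ($samples as $label => $server) {
    printf("%-24s => %s\n", $label, login_limiter_client_ip($server, TRUSTED_PROXIES));
}
```

In the limiter, the returned value would take the place of $_SERVER['REMOTE_ADDR'] in both the counting and the whitelist checks, so a whitelisted address supplied in a request header is not honored.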