How to Change your WordPress admin URL with Lockdown WP Admin

Note: The Lockdown WP Admin plugin is no longer supported in newer versions of WordPress.

Because WordPress brute force attacks are on the rise, using a WordPress plugin like Lockdown WP Admin can help by allowing you to change the WordPress default login URL. This way attackers won’t have access to your admin login form, so they can’t continually try to guess your password and break in.

If you’re curious whether malicious users have already been trying to log in to your WordPress admin dashboard, you can check out my guide on reviewing WordPress login attempts for easy steps on how to find out.

After you install Lockdown WP Admin, be sure to hide the secret URL from the Meta widget so that an attacker can’t discover your new admin address.

Install and configure the Lockdown WP Admin WordPress plugin

Using the steps below you can quickly install the Lockdown WP Admin plugin and configure it so that your normal WordPress login URLs of /wp-admin and wp-login.php are changed.

  1. Log in to the WordPress admin dashboard
  2. For this plugin to function correctly, your site must first be using WordPress permalinks
  3. Hover over Plugins, then click on Add New
  4. Type in Lockdown WP Admin, then click on Search Plugins
  5. Click on Install Now beside the Lockdown WP Admin plugin
  6. Click OK on the confirmation pop-up window
  7. Click Activate Plugin
  8. Hover over the new Lockdown WP, then click on Lockdown WP
  9. Place a check beside Yes, please hide WP Admin from the user…
  10. Change your WordPress Login URL to something like secret-admin
  11. Leave Disable HTTP Auth selected, click Save Options

    If you use the HTTP Auth options, the plugin will also let you create a secondary WordPress admin .htaccess password. This secondary password would have to be entered even if someone guessed your secret login URL.

    Selecting WordPress Login Credentials will prompt you for your normal WordPress admin username and password before you reach the actual WordPress admin login page.

    If you instead use Private Usernames/Passwords, you can configure a new secondary login from the Lockdown WP > Private Users section.

    In my testing of this plugin I didn’t have great success with the secondary password protection, which is why I’ve recommended leaving it disabled, as is the default.

  12. Hover over Howdy, User, then click on Log Out
  13. You should see the secret-admin URL you set
  14. Try to directly access /wp-admin or wp-login.php, you get a 404 page
  15. Access the /secret-admin URL and you get your WordPress login page

Prevent WordPress Meta widget from exposing secret login URL

Unfortunately, while the Lockdown WP Admin plugin does a great job securing your site from bots that might continually try to hit the default login URLs, it also updates the Meta widget in WordPress with the new URL, so the widget’s Log in link still points to your secret admin address.

There are two ways in which you can prevent your secret login URL from being shown like this.

Remove Meta widget from WordPress

  1. Log in to the WordPress admin dashboard
  2. Hover over Appearance, then click on Widgets
  3. Click on the Meta widget, then click on Delete

Edit WordPress general-template.php file to hide Log In link

You can also stop the Log in link from displaying on your WordPress site by editing a core template file. Note that if you do it this way, future WordPress updates might overwrite the files in your /wp-includes directory and revert your changes, so keep that in mind.

  1. Use the cPanel File Manager Code Editor
  2. Navigate to your /wp-includes directory
  3. Right-click on general-template.php, then click Edit
  4. Look for this line of code:

    $link = '<a href="' . esc_url( wp_login_url($redirect) ) . '">' . __('Log in') . '</a>';

    Comment out the line above with two forward slashes //

    On the line below it, set the $link variable to be blank with this code:

    $link = '';

    You should end up with the final code looking like this, with your changes being the commented-out line and the new $link line below it:

    function wp_loginout($redirect = '', $echo = true) {
        if ( ! is_user_logged_in() )
            //$link = '<a href="' . esc_url( wp_login_url($redirect) ) . '">' . __('Log in') . '</a>';
            $link = '';
        else

  5. You should now see that the Log in link is gone from the Meta widget
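
A check you could run against your own site's rendered HTML to confirm that no link on the page still points at the secret login URL after either fix above. This is an added example, not part of the original article or the plugin; the function name find_login_leaks, the host example.com and the sample widget markup are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect the href of every <a> tag in a page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)


def find_login_leaks(html, secret_slug, site_host):
    """Return every href in `html` that points at the secret login slug."""
    wanted = "/" + secret_slug.strip("/")
    parser = _AnchorCollector()
    parser.feed(html)
    leaks = []
    for href in parser.hrefs:
        url = urlparse(href)
        # Relative links have no host; absolute ones must be on our own site.
        if url.netloc and url.netloc.lower() != site_host.lower():
            continue
        # Ignore query strings and a trailing slash when comparing paths.
        if url.path.rstrip("/") == wanted:
            leaks.append(href)
    return leaks


# Constructed sample markup: a Meta widget before and after the Log in link is removed.
BEFORE = """<ul>
  <li><a href="https://example.com/secret-admin">Log in</a></li>
  <li><a href="https://example.com/feed/">Entries RSS</a></li>
  <li><a href="https://wordpress.org/">WordPress.org</a></li>
</ul>"""
AFTER = BEFORE.replace('<a href="https://example.com/secret-admin">Log in</a>', "")

if __name__ == "__main__":
    print("before:", find_login_leaks(BEFORE, "secret-admin", "example.com"))
    print("after: ", find_login_leaks(AFTER, "secret-admin", "example.com"))
```

Feed it the saved HTML of each public page template (home page, single post, archive), since the widget can appear in any sidebar.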

You should now know how to add an extra level of security to your WordPress site by making sure that bots and malicious users can’t easily get to your admin log in anymore.

InMotion Hosting Contributor


10 Comments

    • Hello Mehak – The typical WordPress Admin url is always based on the domain name you used to install WordPress and then /wp-admin. For example, if the URL is ABC.COM, then the Admin URL is abc.com/wp-admin.

  • Hello. I have a problem with the ‘Lockdown WP Admin WordPress’ plugin. I accidentally activated Private Usernames/Passwords and it will not let me access my web. Can you help me? Thank you.

  • Hi, I have used Lockdown WP Admin. Our computer accidentally stopped and when I typed the URL login that I created it redirects to the WordPress login but even when I typed my password and username, it redirects me to the website but not with the dashboard.

    • Hello John,

      Thank you for contacting us. We are happy to help, but will need some additional information. Are you getting any errors? Putting WordPress in debug mode may provide a more detailed error message.

      Can you provide a link to the site for testing?

      Thank you,
      John-Paul

  • How about creating a link to the new path using the Text Widget? I am also worried about those who want to register or join the site for the first time.

    • Placing an HTML link within a text widget would indeed be a good solution to direct those users to the correct page.

    • Hello Kumi,

      Your admin login area is now the new ‘slug’ you created in the plugin, such as ‘https://example.com/secret’. Any members that need to log in will also need to use that URL.

      If the membership plugin you use does use the meta widget, then simply re-enable it and use the other method described above that removes the login link from the page while still allowing all other links.

      Kindest Regards,
      Scott M
