How to Change WordPress Admin Login URL – Without Plugin!
1) Download wp-login.php File
Download wp-login.php file through Cpanel or FTP or File Manager Plugin.
What is wp-login.php & Where to Download it?
wp-login.php file contains the code responsible for generating the login page for your WordPress website. It is usually located in the public_html folder or where you installed WordPress.
2) Find and Replace the Old Login URL
Open the downloaded file in Notepad or Text Editor and replace wp-login with custom-url and save this file as custom-url.php (Use your custom login URL instead of custom-url)
Is it Mandatory to Use Hyphen (-) in Custom Login URL or Login File Name ?
No, a hyphen is not mandatory to use in the custom login URL. You can use custom login URL without any special characters. e.g. custom-url, customurl, custom987
3) Upload New Login File – custom-url.php
Upload custom-url.php file to public_html folder or whereverWordPress is installed and delete the old wp-login.php file *at last, after finishing all phases. Don’t omit to take a backup of the wp-login.php file.
Why Need To Delete Old wp-login.php File After Uploading New One?
Deleting the existing wp-login.php removes the login page from the default url. The login panel was accessible through yoursite.com/wp-login.php earlier. After deleting the file if someone tries to login using that url, they’ll get 404 error.
4) Register New Login File
Open functions.php file and paste the following code. The functions.php file can be found inside theme’s folder. (Replace custom-url with your custom login URL)
/*
* Change WP Login File URL using "login_url" and "logout_url" Filter Hook
* https://developer.wordpress.org/reference/hooks/login_url/
* https://developer.wordpress.org/reference/hooks/logout_url/
*/
function custom_login_url( $url ) {
$url = site_url( 'custom-url.php', 'login' );
return $url;
}
add_filter( 'login_url', 'custom_login_url' );
add_filter( 'logout_url', 'custom_login_url' );What does the login_url and logout_url Hook do in the Above Code?
The login_url hook sets the default login url or file for the WordPress website that should be used to login to the site. The logout_url hook does the same thing as what url should be used instead of wp-login.php when the logout button is fired.
In uncomplicated words, login_url replaces the login url and logout_url does the same with the logout url.
5) Stop wp-admin From Being Redirected to Custom Login URL
Now check the new login file/page by yourwebsite.com/custom-url.php in Incognito tab or Secondary browser. If you are not able to see the desired login form on the concerned url then upload back wp-login.php, if you have deleted it and comment down the problem.
Now the issue is that the url /wp-admin is redirecting to the new login url. Which can cause our secret login url to be revealed.
To getting rid of this redirection, paste the following code snippet in functions.php
function stop_redirect($scheme) {
if ( $user_id = wp_validate_auth_cookie( '', $scheme) ) {
return $scheme;
}
wp_redirect(home_url());
exit();
}
function remove_default_redirect() {
remove_action('template_redirect', 'wp_redirect_admin_locations', 1000);
}
add_action('init', 'remove_default_redirect');
add_filter('auth_redirect_scheme', 'stop_redirect', 9999);What does the Above Code Snippet do?
The above code prevents redirection of wp-admin by remove_action('template_redirect', 'wp_redirect_admin_locations', 1000); and the filter add_filter('auth_redirect_scheme', 'stop_redirect', 9999); redirects the wp-admin to the homepage if user is not logged in WordPress.
In simple words, the above code is preventing the redirection of wp-admin to login_url and instead redirecting it to the homepage.
6) Remove .php From Custom Login URL (optional)
Paste the following code snippet at the top of the .htaccess file located in the public_html folder if you want to remove the .php from custom-url.php (e.g. yoursite.com/custom-url)
RewriteEngine On
# Rewrite The Login File URL - Access custom-url.php Content From custom-url
RewriteRule ^custom-url$ /custom-url.php [L]
# Redirect custom-url.php To custom-url
RewriteRule ^custom-url.php /custom-url [L,R=301]What does the Above Code Snippet do?
In simple words above code snippet is removing .php from custom-url.php and redirecting custom-url.php to custom-url if someone tries to access custom-url using .php extension.