Rename login page URL to fight brute force attacks

WordPress login page is always located at {site url}/wp-login.php and this makes it very easy to brute force attack the login system.

This plugin implements the most obvious solution to this problem and allows the site administrator define any URL he wants to be used as the login page with all of its embedded functionality, namely – login, password reset, registration (when open).  The page in wp-login.php remains there, but any login attempt from it is denied. In essence it is a honeypot that will keep at least some of the attackers from even looking for the new location.

Of course it is not enough to move the login page, it is also important to prevent the new location to be easily discovered by an attacker. This is the point where a trade off between security and usability has to be made and the plugin tries to reduce the inconvenience as much as possible.

In addition to setting up the new login URL, you can fine tune the behavior of the wp-login.php page to provide some hints for users that might not know about the change of URL. There are three settings available for it

  • No Hint – Every login attemp will fail and a general error “unknown user or password” will be displayed.This is the most secure setting but it might leave users confused so you might not want to use it right away when you activate the plugin
  • Hint the current URL – Users which supplied the correct credentials (user and password) will get an error message which will point to the new location of the login page. This is the least secure option, although an attacker still needs to figure out the user and password first which might be hard if a strong password policy is being used.
  • Hint the current URL and reset password – a sort of compromise between the other setting. A user gets a hint but his password is reset forcing him to go through the process of resetting his password once he get to the cyrrent login page. This prevents the attacker from continuing into exploiting that account, but it still exposes the new location.

Another implication of making it hard for an attacker to figure out the new location, is disable the automatic redirect of URLs in the admin area into the login page. If this wasn’t disabled the attacker could have easily discover the new page by trying to access {site url}/wp-admin and parse the redirection message to figure out the new location.
Instead a user is presented with a message that the redirect had failed and he should login to access the URL he was trying to get to.


The settings reside in the “Settings” >> “Manage Endpoints” page in the admin.

In the settings you can configure the slug/end poit/url of the new login page, and how should a “successful” login to the old location be handled.


Not compatible with network/multisite

Supports wordpress version 3.9 and above

Should work with all other brute force denial plugins that do not assume that the login page is at a specific login. Should work with plugins that implement different authentication schemes then the wordpress default on (LDAP for example) as long as they hook into the proper WordPress APIs.


Leave a Reply

Your email address will not be published. Required fields are marked *

Comment policy

We are not going to share your e-mail with anyone else, but we might send you answers to your questions directly to your email.