WordPress security: rename wp-login.php and protect it from hackers


In the last few days, I have again seen attacks on the WordPress admin area “wp-admin” on some customer blogs. On most blogs I use the plugin Login lockdown, which not only records the unsuccessful login attempts, but also blocks the login for an IP after a certain number of incorrect logins. You can set the number of logins and the duration of the block yourself by changing the plugin settings in the admin area. In this way you can also see whether a hacker wants to gain access to the WordPress admin with a brute force attack. Incidentally, this technique is also used to attack the XML-RPC interface of WordPress – but more on that in another post.

I was now looking for a way to protect the WordPress login - specifically the file wp-login.php in the /wp-admin/ folder. The easiest way is to just rename this file. Since the hackers' scripts usually target the file with the name wp-login.php directly, future attacks will come to nothing once the file has been renamed. To enable the renaming procedure for normal WordPress users as well, there is a WordPress plugin called “rename wp login”.

How rename-wp-login works

Technically speaking, however, this plugin does not change the name of the file. It intercepts URL calls to the file and then either redirects them or issues an error message when someone tries to call up the “wp-login.php” that no longer exists. It's difficult to understand, but with the plugin you assign a new file name, which is then only used virtually. This is not visible to hackers and other users; from the outside it looks as if the file has actually been renamed. The nice thing about the plugin is that if you disable it, everything is back to normal and you don't have to rename anything back - so a very user-friendly way of doing this.
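
A check that the interception described above is actually in effect, as an added example that is not part of the original post or the plugin: it scans access-log lines for requests to the old login name and reports any that were still answered with a 2xx status, along with IPs that keep hammering the old name and POSTs to xmlrpc.php. The log lines are constructed, `/my-login/` is a hypothetical slug, and the script assumes the plugin answers the old name with a redirect or an error status.

```python
import re
from collections import Counter

# Apache/nginx "combined" format: client IP, method, request target, status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
OLD_LOGIN = "/wp-login.php"   # the name the plugin is supposed to hide
XMLRPC = "/xmlrpc.php"        # not covered by the rename

# Constructed sample lines; /my-login/ is a hypothetical self-assigned slug.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2015:06:12:01 +0100] "POST /wp-login.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:06:12:02 +0100] "POST /wp-login.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:06:12:03 +0100] "POST /wp-login.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2015:06:13:10 +0100] "GET /blog/wp-login.php?action=register HTTP/1.1" 200 2948 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2015:06:14:00 +0100] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
192.0.2.15 - - [10/Mar/2015:08:00:00 +0100] "POST /my-login/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
""".splitlines()

def audit(lines, burst_threshold=3):
    """Summarise login-related requests logged after the plugin was enabled."""
    probes = Counter()        # POSTs per IP against the old login name
    xmlrpc_posts = Counter()  # POSTs per IP against xmlrpc.php
    still_served = []         # old-name requests that still got a 2xx answer
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue          # skip lines that are not in combined format
        ip, method, target = m.group(1), m.group(2), m.group(3)
        status = int(m.group(4))
        # Ignore the query string and letter case; allow subdirectory installs.
        path = target.split("?", 1)[0].lower()
        if path.endswith(OLD_LOGIN):
            if method == "POST":
                probes[ip] += 1
            if 200 <= status < 300:
                still_served.append((ip, method, target, status))
        elif path.endswith(XMLRPC) and method == "POST":
            xmlrpc_posts[ip] += 1
    return {
        "brute_force_ips": sorted(ip for ip, n in probes.items()
                                  if n >= burst_threshold),
        "old_login_still_served": still_served,
        "xmlrpc_posts": dict(xmlrpc_posts),
    }

if __name__ == "__main__":
    for key, value in audit(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

An empty `old_login_still_served` list means every logged request for the old name was turned away; entries under `xmlrpc_posts` show traffic that the rename does not touch.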

WordPress 4 Security: Training as a video workshop

For those who want to get a little deeper into WordPress, I can recommend the video training from Galileo. There is also a complete chapter dedicated to WordPress security, and there are many other tips, tricks and explanations on video so that you can follow the individual steps directly in the WP Admin.

WordPress 4: 10 hours of WordPress practice for beginners and advanced users
The WordPress experts René Reimann and Birgit Olzem create a complete theme with you step by step and show you how to equip your website with numerous modern features. Benefit from their tips on plug-ins, design, security, SEO and mobile web design. Including complete sample material on DVD!


The page contains affiliate links / images: Amazon.de

17 Responses to “Wordpress security: rename wp-login.php and protect it from hackers”

  1. Hi. These are 2 nice plugins that you present here. For a few days I have been dealing with the security of Wordpress because I also have to determine access to my wp-login.php again and again. Especially the “rename wp-login” sounds interesting, I'll try it out. Thanks for your tips and you have a nice blog here. Greetings Manuel.

    1. Hello Rolf! You can then log in to the admin using the new (self-assigned) URL. The access data remain the same, but the address of the admin area changes. I hope you come in :-)

  2. Hans Joachim Brosch


    great thing the plugin Rename wp-login.php. I still have a .htpasswd in the .htaccess. Do I have to rename it here?

    Thanks and Greetings

    1. Hello Joachim! However, the .htpasswd is not a standard Wordpress file. I assume this is an additional login protection that is done before the actual WP admin login. In that case you don't really have to rename anything. But as I said: I don't know the .htpasswd in detail and can only assume that nothing else is necessary. Do you know where the .htpasswd comes from? Best regards!


    1. Oh yes, Sergei's instructions. Yes, it's quite good, but from my point of view something for paranoid people. Half of this is usually enough to keep your admin free from hackers. Unfortunately, the biggest gateway is also the non-updated plug-ins, which have some security gaps, which hackers then use.

  3. Hans Joachim Brosch

    I checked it again. If I activate the Rename wp-login.php plugin, the command

    AuthName "Admin Area"
    AuthType Basic
    AuthUserFile /path-to-your-file-htpasswd/.htpasswd
    Require valid-user

    does not work.
    Right at the top is also.
    My question is:
    What should the line be called correctly if I switch to a folder in the “Rename wp-login.php” plugin?

    Thank you very much

    1. Hi Joachim! Why do you want to change the additional login with .htaccess and .htpasswd? Actually it should still work if you haven't moved the .htpasswd. The line in the .htaccess file only tells the server where the file is located and it doesn't necessarily have to be in the "Rename wp-login.php" folder, but can also remain where it has been doing its job so far. If you still get an error, there must be an error somewhere... I'm happy to take a look if you like. However, I would then have to look at the server... Greetings! Jens

  4. Hello Sir Apfelot,
    I would like to set up a particularly high level of security on a customer site with htaccess protection AND a renamed login URL (plugin “Rename WP-Login.php”).
    I have both set up, but when I call the renamed login url, the htaccess guard does not come. What do I have to enter in the htaccess so that an htaccess username and password also have to be entered in the new URL?

    1. Hello Michaela! The .htaccess protection usually applies to the entire wp-admin folder. However, once you've logged into htaccess protection, you won't be prompted for login again for a while. Maybe that's why the protection no longer works. If you want to test it, just open a new “private window” in your browser. There are no cookies or the like in this and you will be treated like an unknown user. The query should come accordingly.

      In your case, the best solution might be the “iThemes Security” plugin anyway. So you can realize both features with one plugin, if I'm not mistaken. It also has many other benefits like blocking brute force attacks and locking the XMLRPC interface.

      I hope I could help you!

  5. Hello Sir Apfelot,
    I just installed Rename wp-login.php and changed my url. When I call it now, the following error message comes up: Not Found
    The requested URL was not found on this server.
    What did I do wrong again?

    1. Hello Sabine! I guess you renamed the wp-login.php file to something else. You must of course enter the new name of the file to log in. LG, Jens
