Title: Changing default /wp-admin and /wp-login.php
Last modified: August 21, 2016

---

# Changing default /wp-admin and /wp-login.php

 *  [meshmarketer](https://wordpress.org/support/users/meshmarketer/)
 * (@meshmarketer)
 * [12 years, 4 months ago](https://wordpress.org/support/topic/changing-default-wp-admin-and-wp-loginphp/)
 * I have done some research on this issue and have been using the “Rename wp-login”
   plugin which stopped working and does not seem to be able to be fixed any time
   soon (despite my attempts at helping).
 * I would like to know if there is some definitive set of instructions for eliminating
   the PRIME target of WordPress attackers which is /wp-admin and /wp-login.php.
 * For #$%@#$%^!$, I can’t believe that users can’t choose their own login window.
   I’m thankful that “admin” is no longer forced on admins as their username, but
   really… I’m running over 70 sites on a multi-site install and memory use drops
   significantly when there is a solution that works (and stays working).
 * WordPress is wonderful, don’t get me wrong, but there has GOT TO BE some way 
   that an enterprising non-coder can thwart hackers blasting a default URL.
 * Does anyone have such instructions somewhere?

Viewing 10 replies - 1 through 10 (of 10 total)

 *  [Andrew Nevins](https://wordpress.org/support/users/anevins/)
 * (@anevins)
 * WCLDN 2018 Contributor | Volunteer support
 * [12 years, 4 months ago](https://wordpress.org/support/topic/changing-default-wp-admin-and-wp-loginphp/#post-4592315)
 * Have you talked to your hosting providers about this issue? They’re in a much
   more effective position to tackle this (assuming you’re referring to brute force
   attacks).
 *  Thread Starter [meshmarketer](https://wordpress.org/support/users/meshmarketer/)
 * (@meshmarketer)
 * [12 years, 4 months ago](https://wordpress.org/support/topic/changing-default-wp-admin-and-wp-loginphp/#post-4592318)
 * I use LiquidWeb and they think the best solution is to block by IP address and
   I have over 70 customers who log in from different devices so that’s not going
   to work.
 *  Thread Starter [meshmarketer](https://wordpress.org/support/users/meshmarketer/)
 * (@meshmarketer)
 * [12 years, 4 months ago](https://wordpress.org/support/topic/changing-default-wp-admin-and-wp-loginphp/#post-4592319)
 * I am also currently using WordFence which helps to mitigate the problem but I
   still have 3×70 attempts using ‘admin’ every so often and that’s just not good
   enough. I need to remove the door completely rather than allow three knocks.
 *  Moderator [Ipstenu (Mika Epstein)](https://wordpress.org/support/users/ipstenu/)
 * (@ipstenu)
 * 🏳️‍🌈 Advisor and Activist
 * [12 years, 4 months ago](https://wordpress.org/support/topic/changing-default-wp-admin-and-wp-loginphp/#post-4592545)
 * meshmarketer – They’re not wrong. However ask them about mod_security and doing
   more rate limiting on wp-login (which I know they can do).
 * See these too:
 * [http://halfelf.org/2013/wp-login-protection-modsec/](http://halfelf.org/2013/wp-login-protection-modsec/)
   
   [http://halfelf.org/2013/wp-login-protection-htaccess/](http://halfelf.org/2013/wp-login-protection-htaccess/)
 *  Thread Starter [meshmarketer](https://wordpress.org/support/users/meshmarketer/)
 * (@meshmarketer)
 * [12 years, 4 months ago](https://wordpress.org/support/topic/changing-default-wp-admin-and-wp-loginphp/#post-4592547)
 * They do use ModSec already and it’s screwing up my efforts to use plugins to 
   thwart Brute Force Attacks.
 * While I appreciate your viewpoint that “they’re not wrong” it really doesn’t 
   help me. I have over 70 customers including ones who access their site via Hughes
   ISP and their IP address literally changes every five minutes. It is truly impossible
   to limit by IP with such customers.
 * I’m really amazed that there is no solution here for such an obvious vulnerability.
   If you have just ONE target page accessible via millions of addresses which creates
   millions of targets being hit continually, then you increase the target to millions
   TIMES millions and see if that doesn’t improve things a bit.
 * After all, the default “admin” name did get changed, right? Why can’t there be
   some instructions on how to make this more bulletproof?
 *  Moderator [Ipstenu (Mika Epstein)](https://wordpress.org/support/users/ipstenu/)
 * (@ipstenu)
 * 🏳️‍🌈 Advisor and Activist
 * [12 years, 4 months ago](https://wordpress.org/support/topic/changing-default-wp-admin-and-wp-loginphp/#post-4592550)
 * Again, see the two links I posted.
 * You can also read this: [https://codex.wordpress.org/Brute_Force_Attacks](https://codex.wordpress.org/Brute_Force_Attacks)
 * If you’re on their shared service, there’s a limit to what they can do. If you’re
   on a VPS, you should install CSF – [https://www.liquidweb.com/kb/csf-config-server-firewall-installation/](https://www.liquidweb.com/kb/csf-config-server-firewall-installation/)–
   and it does a remarkable job 🙂
 * There isn’t ‘one’ fix because there just isn’t one size fits all. It’s just not
   possible yet given the myriad situations possible to have installed WP, and the
   billions of ways people use them. You’re on one kind of server, I’m on another,
   and someone else is on Windows or Nginx, and frankly the SAME fix won’t work 
   for all of them. Yaaaay.
 *  Thread Starter [meshmarketer](https://wordpress.org/support/users/meshmarketer/)
 * (@meshmarketer)
 * [12 years, 4 months ago](https://wordpress.org/support/topic/changing-default-wp-admin-and-wp-loginphp/#post-4592553)
 * I appreciate your insistence that you have a solution, but as I had mentioned,
   I already talked with them about this AND with a little help from WordFence, 
   I’m currently blocking those who fail to put in a password after three attempts
   as well as anyone using “admin” as a username. This helps to stem the flow, but
   really, what is needed is a sea-change strategy here. We can’t rely on workarounds
   to fix this for everyone (and by the way, you say there is no one fix and yet
   you seem insistent that yours is the way to go).
 * I’m saying there IS one fix for everyone and that is to eliminate the address
   where hackers go to.
 * I’m not a programmer, but it seems to me that having a URL to go to (accessible
   via email recovery) that will set a cookie which can make the login door visible
   would be a smart way to go.
 * If I knew how this “referral request” worked and I were a programmer then I would
   make my own plugin and then take every single Brute Force Attacker and redirect
   them to their own address via .htaccess.
 *  Moderator [Ipstenu (Mika Epstein)](https://wordpress.org/support/users/ipstenu/)
 * (@ipstenu)
 * 🏳️‍🌈 Advisor and Activist
 * [12 years, 4 months ago](https://wordpress.org/support/topic/changing-default-wp-admin-and-wp-loginphp/#post-4592581)
 * If you’d read the links I gave you, you’d see that they are general advice with
   options and suggestions to possible solutions that work for you. There are TEN
   plugins posted there as options, three .htaccess possibilities, and more server
   possibilities.
 * If you don’t want to read them and experiement, that’s on you. We’re suggesting
   you try what fits your scenario.
 * > I’m not a programmer, but it seems to me that having a URL to go to (accessible
   > via email recovery) that will set a cookie which can make the login door visible
   > would be a smart way to go.
 * Sure. And every single time these crackers hit that URL, or the wp-login.php/
   wp-admin one that they used to hit, and get an error, your site will be loading
   WP, which will cause it to slow down and have the same end result of a DDoS that
   you’re seeing now.
 * > If I knew how this “referral request” worked and I were a programmer then I
   > would make my own plugin and then take every single Brute Force Attacker and
   > redirect them to their own address via .htaccess.
 * [https://codex.wordpress.org/Brute_Force_Attacks#Deny_Access_to_No_Referrer_Requests](https://codex.wordpress.org/Brute_Force_Attacks#Deny_Access_to_No_Referrer_Requests)
 * Like that?
 *  Thread Starter [meshmarketer](https://wordpress.org/support/users/meshmarketer/)
 * (@meshmarketer)
 * [12 years, 4 months ago](https://wordpress.org/support/topic/changing-default-wp-admin-and-wp-loginphp/#post-4592582)
 * Ipstenu, I’m not asking for information other than some instructions on how to
   safely make my own login address.
 * I read what you sent, if it’s any consolation to you, and I have been testing
   SEVERAL plugins and what I have found is that none of them appear to work with
   multi-site. Even the fine folks at LiquidWeb who have been using a number of 
   different approaches to stem the Brute Force Attacks have sent me links to plugins
   that are not multi-site compatible and they have also tried to get ones I have
   tried to work properly without throwing 500 errors.
 * I have no doubt you want to help, and thank you for that, but I really did know
   what I was requesting and I still am waiting for my request to be fulfilled and
   not redirected. If you don’t have those instructions, I’m really not sure why
   you think I should be given something else.
 *  Moderator [Ipstenu (Mika Epstein)](https://wordpress.org/support/users/ipstenu/)
 * (@ipstenu)
 * 🏳️‍🌈 Advisor and Activist
 * [12 years, 4 months ago](https://wordpress.org/support/topic/changing-default-wp-admin-and-wp-loginphp/#post-4592615)
 * My advice, having been in this business for a long time, is you don’t need to
   do this. You will, as you already have, find yourself banging your head on the
   wall. Multisite makes _everything_ harder, just hands down, and hiding wp-admin
   MAY break a lot of things because WordPress doesn’t want you to do this. It’s
   very close to putting leaded fuel in your car.
 * > I’m not asking for information other than some instructions on how to safely
   > make my own login address.
 * [https://wordpress.org/plugins/rename-wp-login/](https://wordpress.org/plugins/rename-wp-login/)(
   which you said was broken and didn’t look like would be fixed any time soon) 
   was updated on the 8th. The very day you posted. So make sure that didn’t fix
   it for you too.
 * [https://wordpress.org/plugins/better-wp-security/](https://wordpress.org/plugins/better-wp-security/)
   purports to do it.
 * > I really did know what I was requesting
 * You do, but you don’t understand why it’s a bad idea, and why it’s hard, and 
   why it’s the wrong road to travel down. Which is why we attempt to educate you
   so you don’t end up back here tomorrow complaining that the plugins don’t work
   right in your setup.
 * We will not be surprised, by the way, if that happens anyway. We’ve been there
   before.

Viewing 10 replies - 1 through 10 (of 10 total)

The topic ‘Changing default /wp-admin and /wp-login.php’ is closed to new replies.

 * In: [Networking WordPress](https://wordpress.org/support/forum/multisite/)
 * 10 replies
 * 3 participants
 * Last reply from: [Ipstenu (Mika Epstein)](https://wordpress.org/support/users/ipstenu/)
 * Last activity: [12 years, 4 months ago](https://wordpress.org/support/topic/changing-default-wp-admin-and-wp-loginphp/#post-4592615)
 * Status: not resolved

## Topics

### Topics with no replies

### Non-support topics

### Resolved topics

### Unresolved topics

### All topics