0
votes

Does anyone know how to update the .htaccess file for a WordPress site? I must change the wp-admin login URL to something custom because someone is trying to brute force hack into my website right now (on Christmas day!) and therefore I'm trying to hide my login page.

Any help would be appreciated. Thanks.

Current url:

example.com/wp-admin

Expected url:

example.com/someslug

2
There are a ton of plugins to do this for you, as well as provide automatic lockouts, etc. When dealing with these brute force attacks, don't reinvent the wheel. I use Wordfence on all of my WP installs - docs.wordfence.com/en/Wordfence_Official_Documentation
- WillardSolutions

2 Answers

0
votes

Change URL using plugin

This plugin will hide WordPress Admin (/wp-admin/) when a user isn't logged in. If a user isn't logged in and they attempt to access WP Admin directly, they will be unable to and it will return a 404. It can also rename the login URL.

https://wordpress.org/plugins/lockdown-wp-admin/

Change using code

Apply a filter on admin_url.

return apply_filters('admin_url', $url, $path, $blog_id);

Note: If you are using Wordfence or a WP security type of plugin, then there is already an option.

0
votes

Personally, I don't recommend editing the .htaccess for this purpose. You can try this code; it works for me.

This code redirects to homepage whenever the default /wp-admin or /wp-login is accessed. You can set a passcode as the login URL and only allow wp-admin and wp-login access via this URL: https://www.yourdomain.com/?you-set-your-passcode

Add this code to the functions.php of your theme.

// Define the passcode that serves as the login URL.
define( 'PASSCODE', 'make-you-own-passcode' );

// True when $value is a string equal to the passcode (strict, timing-safe comparison).
function mask_login_is_passcode( $value ) {
    return is_string( $value ) && hash_equals( PASSCODE, $value );
}

function mask_login_url() {
    // Act only when the query string is exactly the passcode.
    if ( ! mask_login_is_passcode( parse_url( $_SERVER['REQUEST_URI'], PHP_URL_QUERY ) ) ) {
        return;
    }
    if ( is_user_logged_in() ) {
        // Redirect to the dashboard if the user has already logged in.
        wp_safe_redirect( home_url( 'wp-admin' ) );
    } else {
        // Redirect to the login page when the passcode is verified.
        wp_safe_redirect( home_url( 'wp-login.php?' . PASSCODE . '&redirect=false' ) );
    }
    exit();
}
add_action( 'init', 'mask_login_url' );

function mask_login_redirects() {
    // Let the login form submission through when it carries the passcode field.
    if ( isset( $_POST['passcode'] ) && mask_login_is_passcode( $_POST['passcode'] ) ) {
        return false;
    }

    $uri = $_SERVER['REQUEST_URI'];

    // Redirect to the dashboard when /wp-admin is accessed and the user is logged in.
    if ( is_user_logged_in() && strpos( $uri, 'wp-admin' ) !== false ) {
        wp_safe_redirect( home_url( 'wp-admin' ), 302 );
        exit();
    }
    // Redirect to the homepage when /wp-admin or /wp-login is accessed
    // without the passcode and the user is not logged in.
    if ( ! is_user_logged_in()
        && ( strpos( $uri, 'wp-admin' ) !== false || strpos( $uri, 'wp-login' ) !== false )
        && strpos( $uri, PASSCODE ) === false ) {
        wp_safe_redirect( home_url(), 302 );
        exit();
    }
    // Redirect to the homepage after logout.
    if ( strpos( $uri, 'action=logout' ) !== false ) {
        check_admin_referer( 'log-out' );
        wp_logout();
        wp_safe_redirect( home_url( '?logged-out' ), 302 );
        exit();
    }
}
add_action( 'login_init', 'mask_login_redirects', 1 );

// Add the passcode as a hidden field to the login form (escaped for the HTML attribute).
function custom_login_hidden_field() {
    echo '<input type="hidden" name="passcode" value="' . esc_attr( PASSCODE ) . '" />';
}
add_action( 'login_form', 'custom_login_hidden_field' );
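
To see which clients are hammering wp-login.php, and whether they keep doing so once the login page is masked, the web server's access log can be scanned for bursts of POSTs. The Python script below is an added example, not part of either answer; it assumes Apache/nginx combined-format log lines, and the function names, threshold, IP addresses and sample lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Combined access-log prefix: client ip, timestamp, request line, status.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) '
)

def login_posts(log_text):
    """Yield (ip, time, status) for every POST to wp-login.php in the log."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if not m["uri"].split("?", 1)[0].endswith("/wp-login.php"):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield m["ip"], ts, int(m["status"])

def flag_bruteforce(log_text, max_posts=5, window=timedelta(minutes=1)):
    """Return {ip: (peak POSTs in any window, Counter of statuses)} for noisy IPs."""
    stamps, statuses = defaultdict(list), defaultdict(Counter)
    for ip, ts, status in login_posts(log_text):
        stamps[ip].append(ts)
        statuses[ip][status] += 1
    flagged = {}
    for ip, times in stamps.items():
        times.sort()
        start = peak = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_posts:
            flagged[ip] = (peak, statuses[ip])
    return flagged

def _line(ip, sec, method, uri, status):
    # Builds one constructed log line (not real traffic).
    return (f'{ip} - - [25/Dec/2023:10:00:{sec:02d} +0000] '
            f'"{method} {uri} HTTP/1.1" {status} 512 "-" "-"')

# Constructed sample: one client hammering wp-login.php (answered with the 302
# to the homepage that the masking code issues) and one admin using the passcode URL.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", s, "POST", "/wp-login.php", 302) for s in range(0, 40, 5)]
    + [_line("198.51.100.20", 10, "GET", "/?make-you-own-passcode", 302),
       _line("198.51.100.20", 12, "POST", "/wp-login.php", 302)]
)

if __name__ == "__main__":
    for ip, (peak, codes) in flag_bruteforce(SAMPLE_LOG).items():
        print(ip, "peak POSTs/min:", peak, "statuses:", dict(codes))
```

The flagged addresses can then be fed to a firewall rule or to the lockout feature of a security plugin.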