
Hide your WordPress login page from bots

Move wp-login.php to a custom URL. Bots get 404. You get peace of mind.

4 min read May 2026 hide login

Every bot on the internet knows where your login page is

Every WordPress site has its login page at /wp-login.php or /wp-admin. Every brute-force bot knows this. They hammer those URLs with thousands of password attempts per day, burning server resources and filling your security logs.

Strong passwords protect you from unauthorized access, but they don't stop the bots from trying. Every failed attempt is a PHP request that consumes CPU and database queries. On shared hosting, this can measurably slow your site.

What most people do instead

Security plugins with login hiding: Wordfence, iThemes Security, WPS Hide Login. Full security suites with dozens of features you may not need, just to move one URL.
Rate limiting / IP blocking: Block IPs after failed attempts. Whack-a-mole approach: bots rotate IPs. Doesn't stop the requests, just rejects them.
.htaccess rules: Rewrite rules to redirect wp-login.php. Easy to break, hard to debug, doesn't handle wp-admin redirects properly.

A better way: move the login page in one command

Open the navigator. Type hide login -slug=manage. Your login page moves from /wp-login.php to /manage. Anyone hitting the old URL gets a 404. Bots can't find what doesn't exist.

TrueCommander
Login page moved to /manage
Hide Login: Active
Login URL: example.com/manage
/wp-admin: 404 for non-logged-in visitors
/wp-login.php: 404
Bookmark your new login URL

Emergency recovery built in. If you forget your custom URL, TrueCommander generates a secret recovery token on activation. You can always get back in.

How it works

1. Choose a custom slug: hide login -slug=manage moves the login to /manage. Validates against reserved paths and existing pages.
2. Old URLs return 404: /wp-login.php and /wp-admin return 404 for non-logged-in visitors. Bots find nothing.
3. Restore anytime: hide login -disable restores the default login URL. Rewrite rules flush automatically.

Detail | Value
Command name | hide login
Set custom URL | -slug=manage (min 3 characters)
Disable | -disable restores /wp-login.php
Check status | hide login (no flags)
Blocked slugs | wp-admin, wp-login, admin, login, feed, sitemap, and other reserved paths
Page conflict | Rejects slugs that match published page URLs
Can be used in

Real example

You check your server access logs and see 3,000 failed login attempts in the last week — all from bots hitting /wp-login.php. Your shared hosting provider sent a warning about CPU usage.

You open the navigator and type hide login -slug=team-portal. The login page moves. You bookmark the new URL and share it with your team.

Next week, the access logs show zero hits on /wp-login.php — they all return 404 before WordPress even loads. The brute-force attempts dropped to zero because there's nothing at the URL bots expect. Server CPU usage drops. Hosting provider stops complaining.
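
To run the before-and-after log check from this example yourself, the script below summarises requests to the old login paths and to the custom URL. It is an added example, not TrueCommander's code; it assumes Apache/Nginx combined log format and the team-portal slug from the text, and the sample lines are constructed.

```python
import re
from collections import Counter

# Combined Log Format: ip ident user [time] "METHOD path PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
OLD_PATHS = ("/wp-login.php", "/wp-admin")  # default entry points named on the page

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [04/May/2026:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 404 512 "-" "bot"',
    '203.0.113.8 - - [04/May/2026:10:00:02 +0000] "GET /wp-admin/ HTTP/1.1" 404 512 "-" "bot"',
    '198.51.100.4 - - [04/May/2026:10:05:00 +0000] "POST /team-portal HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [04/May/2026:10:06:00 +0000] "GET /wp-login.php?action=register HTTP/1.1" 200 4096 "-" "bot"',
    '198.51.100.4 - - [04/May/2026:10:07:00 +0000] "GET /blog/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]


def audit(lines, slug):
    """Count old-path hits by status, list non-404 answers, count POSTs to the slug."""
    old_by_status = Counter()  # status code -> hits on /wp-login.php and /wp-admin
    exposed = []               # old-path requests NOT answered with 404
    slug_posts = Counter()     # client IP -> login POSTs to the custom URL
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue           # not combined format, skip
        path = m["path"].split("?", 1)[0].rstrip("/") or "/"
        status = int(m["status"])
        if path in OLD_PATHS:
            old_by_status[status] += 1
            if status != 404:  # expected only for logged-in /wp-admin sessions
                exposed.append((m["ip"], m["method"], m["path"], status))
        elif path == "/" + slug and m["method"] == "POST":
            slug_posts[m["ip"]] += 1
    return old_by_status, exposed, slug_posts


if __name__ == "__main__":
    by_status, exposed, slug_posts = audit(SAMPLE, "team-portal")
    print("old-path hits by status:", dict(by_status))
    for hit in exposed:
        print("old path answered without 404:", hit)
    print("login POSTs to custom URL by IP:", dict(slug_posts))
```

A non-404 answer on /wp-login.php means the old URL is still reachable; login POSTs to the custom URL from addresses you don't recognise suggest the slug is no longer private.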


Ready?

Bots can't hack what they can't find.

This is one of 91 commands. All included with every license.
