Hide Login URL

Moves your WordPress login page from the default /wp-login.php to a secret URL you choose. Bots and automated attack scripts probe the default path thousands of times a day – if they can’t find the login form, they can’t attack it.

🔐 Stop Bots Before They Even See Your Login Page

Every WordPress site on the internet is probed by bots testing /wp-login.php around the clock. These are not targeted attacks against you specifically – they are automated credential-stuffing scripts running against millions of sites simultaneously, trying breached username and password combinations at scale. If they can reach your login form, they will keep trying indefinitely. Hide Login URL removes the form from the default URL entirely: bots get a 404 and move on to easier targets.

Competing plugins charge $49-$99/year for this feature (iThemes Security Pro, All-in-One Security Premium). CloudScale includes it free, bundled with 2FA and Passkeys in the same plugin, so there is no juggling three separate security plugins that need to know about each other.

The mechanism is simple and reliable. When enabled, a WordPress init hook at priority 1 intercepts any request matching your chosen secret slug and serves the login form for that request. No redirect, no URL change visible in the browser’s address bar – the form just loads at your secret path. Direct requests to /wp-login.php return a clean 404. Internal WordPress links – password reset emails, admin bar logout links, plugin redirect-after-login URLs – all automatically reference your secret URL rather than the default. You do not need to configure anything else; the change propagates through WordPress automatically.

Hide Login URL works best in combination with 2FA (also on this tab). Hiding the login URL removes the attack surface for automated bot traffic. 2FA ensures that even if someone discovers your secret URL (through a browser history leak or social engineering), a stolen password alone is still not enough to break in. Together they cover two different threat categories.

Settings

  • Enable Hide Login: master switch. When enabled, /wp-login.php returns a 404. Your secret slug serves the login form. When disabled, everything reverts to WordPress defaults with no other changes required.
  • Login slug: the path segment after your domain where the login form will live. For example, entering team-portal means your login URL becomes yoursite.com/team-portal/. Avoid predictable words: login, admin, dashboard, wp-admin, and signin are commonly tried by automated scanners and provide little security benefit. A two-word phrase with a number (e.g. launch-control-7) is both memorable and not in any scanner’s dictionary.

Setup (30 seconds)

  1. Toggle Enable Hide Login on.
  2. Enter your secret slug in the Login Slug field.
  3. Click Save.
  4. Bookmark the new URL immediately before navigating away. The current URL is shown on the settings panel after saving.

What is not affected

WP-CLI, XML-RPC, the REST API, and WP-Cron all bypass the login URL check entirely. This means automated processes that authenticate against WordPress continue working without any configuration changes. The hide-login feature targets human browser-based login attempts only.
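
One way to confirm this behaviour from the web server's access log, as an added example (it is not part of the plugin): it counts default-path requests that got the intended 404, flags any that did not, and tallies login submissions at the secret slug and XML-RPC calls per client. The combined log format, the team-portal slug and the sample lines are assumptions made for the example.

```python
import re
from collections import Counter

# Common/combined log format prefix: client IP, method, request target, status.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+)[^"]*" (\d{3}) ')

def audit(lines, slug):
    """Summarise login-related requests for a site whose form lives at /<slug>/."""
    report = {
        "default_blocked": 0,       # /wp-login.php answered 404, as intended
        "default_exposed": [],      # /wp-login.php answered with anything else
        "slug_posts": Counter(),    # login submissions at the secret slug, per IP
        "xmlrpc_posts": Counter(),  # XML-RPC calls, which bypass the check
    }
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not an access-log line in the assumed format
        ip, method, target, status = m.groups()
        path = target.split("?", 1)[0].rstrip("/")
        if path == "/wp-login.php":
            if status == "404":
                report["default_blocked"] += 1
            else:
                report["default_exposed"].append((ip, status))
        elif path == "/" + slug and method == "POST":
            report["slug_posts"][ip] += 1
        elif path == "/xmlrpc.php" and method == "POST":
            report["xmlrpc_posts"][ip] += 1
    return report

# Constructed sample lines using documentation-range IPs, not real traffic.
TS = "[10/May/2025:10:00:00 +0000]"
SAMPLE = [
    f'203.0.113.5 - - {TS} "GET /wp-login.php HTTP/1.1" 404 512 "-" "bot"',
    f'203.0.113.5 - - {TS} "POST /wp-login.php HTTP/1.1" 404 512 "-" "bot"',
    f'198.51.100.7 - - {TS} "GET /team-portal/ HTTP/1.1" 200 4100 "-" "Mozilla/5.0"',
    f'198.51.100.7 - - {TS} "POST /team-portal/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    f'203.0.113.9 - - {TS} "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "bot"',
    f'203.0.113.9 - - {TS} "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "bot"',
    f'192.0.2.44 - - {TS} "GET /wp-login.php?action=register HTTP/1.1" 200 2200 "-" "bot"',
]

if __name__ == "__main__":
    for key, value in audit(SAMPLE, "team-portal").items():
        print(key, value)
```

A non-empty default_exposed list means the default path is still being answered and the setting should be re-checked; login submissions at the slug from addresses you do not recognise suggest the slug is no longer secret.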

If you forget your secret URL

If you lose track of your custom login URL, retrieve it without logging in via WP-CLI from your server:

wp option get csdt_devtools_login_slug

Or query your database directly: SELECT option_value FROM wp_options WHERE option_name = 'csdt_devtools_login_slug' (replace wp_ with your table prefix if it differs). If you have neither shell nor database access, temporarily disabling the plugin by renaming its folder over FTP re-enables the default /wp-login.php path.
