
Custom Login URL

The Custom Login URL feature lets you hide your WordPress admin login page by using a unique URL instead of the default /wp-login.php and /wp-admin. This is one of the most effective ways to prevent automated bot attacks on your site.

Why Use a Custom Login URL?

WordPress sites are constantly targeted by automated bots that attempt to log in to /wp-login.php with common username/password combinations. By changing your login URL:

  • Eliminate 90%+ of automated attacks – Bots can’t find your login page
  • Reduce server load – Fewer malicious login attempts
  • Clean up your logs – Stop filling activity logs with bot attempts
  • Improve performance – Less processing of failed login attempts

How It Works

When you set a custom login slug, Guard Dog:

  1. Intercepts requests to your custom URL and displays the login form
  2. Blocks direct access to /wp-login.php (redirects to 404)
  3. Allows essential functions like password reset and logout
  4. Updates all login links throughout WordPress to use your custom URL

The system works on all server types (Apache, Nginx, Litespeed) without requiring special configuration.


Setting Up Custom Login URL

Step 1: Choose Your Login Slug

Navigate to Guard Dog → Login Security and find the Custom Login URL section.

Good examples:

  • secure-entrance
  • backend-access
  • my-secret-door
  • portal-2024

Avoid these:

  • admin, login, wp-admin (too obvious)
  • secure, private (commonly guessed)
  • Your company name (easily guessed)
  • Numbers only (not memorable)

Tips:

  • Use a combination of words and numbers
  • Make it memorable but not guessable
  • Consider rotating it periodically for high-security sites

Step 2: Enter Your Slug

  1. Type your chosen slug in the Login Slug field
  2. The slug should only contain:
     • Lowercase letters (a-z)
     • Numbers (0-9)
     • Hyphens (-)
  3. Click Save Changes
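
The slug rules from Steps 1 and 2 as a pre-flight check, with a generator for the "words and numbers" tip. This is an added example, not Guard Dog's own code; the function names, the word list and the exact-match handling of the "avoid" list are assumptions.

```python
import re
import secrets

# Slugs the page lists under "Avoid these" (compared as exact matches).
OBVIOUS = {"admin", "login", "wp-admin", "secure", "private"}
# Character set from Step 2: lowercase letters, digits, hyphens.
ALLOWED = re.compile(r"[a-z0-9-]+")
# Small constructed word list; use a larger private list in practice.
WORDS = ["harbor", "lantern", "quartz", "meadow", "copper", "willow", "ember", "summit"]


def slug_problems(slug, company_name=""):
    """Return the reasons a slug breaks the page's rules (empty list = OK)."""
    if not slug:
        return ["slug is empty"]
    problems = []
    if not ALLOWED.fullmatch(slug):
        problems.append("only a-z, 0-9 and hyphens are allowed")
    if slug in OBVIOUS:
        problems.append("too obvious or commonly guessed")
    if slug.replace("-", "").isdigit():
        problems.append("numbers only")
    # Normalise the company name the way it would be written as a slug.
    company = re.sub(r"[^a-z0-9]+", "-", company_name.lower()).strip("-")
    if company and slug == company:
        problems.append("matches the company name")
    return problems


def suggest_slug(words=2, digits=4):
    """Build a words-plus-numbers slug from the OS CSPRNG."""
    parts = [secrets.choice(WORDS) for _ in range(words)]
    parts.append("".join(secrets.choice("0123456789") for _ in range(digits)))
    return "-".join(parts)


if __name__ == "__main__":
    for candidate in ["portal-2024", "wp-admin", "My_Login", "12345", suggest_slug()]:
        print(candidate, "->", slug_problems(candidate) or "ok")
```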

Step 3: Bookmark Your New URL

This is critical! Your new login URL will be:

https://yoursite.com/your-slug

Add this to your browser bookmarks immediately. If you forget it, you’ll need to access your site files to recover access.

Step 4: Test Your New URL

  1. Open a private/incognito browser window
  2. Try accessing yoursite.com/wp-admin – should redirect to 404
  3. Try accessing yoursite.com/wp-login.php – should redirect to 404
  4. Access yoursite.com/your-slug – should show the login form
  5. Log in successfully

What Happens to the Old URLs?

/wp-login.php and /wp-admin

Direct access to these URLs is blocked and redirects to a 404 page except for:

  • Password reset requests – The /wp-login.php?action=lostpassword continues to work
  • Password reset confirmation – Reset links sent via email still work
  • Logout requests – /wp-login.php?action=logout continues to work
  • Form POST requests – Login form submissions are processed normally

This ensures that essential WordPress functions continue working while blocking unauthorized access.

Login Links Throughout WordPress

Guard Dog automatically updates login URLs in:

  • WordPress admin bar
  • Login/logout links in themes
  • WordPress core login redirects
  • Password reset emails
  • Custom login widgets

Using Custom Login URL with Other Features

With CAPTCHA

When you enable CAPTCHA protection, it will appear on your custom login URL automatically. The CAPTCHA verification happens seamlessly regardless of which login URL you use.

With Two-Factor Authentication

After entering your username and password on the custom login URL, you’ll be prompted for your 2FA code as normal. The 2FA flow works identically on the custom URL.

With Login Attempt Limiting

Login attempts are tracked by IP address regardless of which URL is accessed. If a bot somehow finds your custom login URL, it will still be locked out after too many failed attempts.

With Temporary User Access

Temporary user access links automatically work with your custom login URL. When a temporary user clicks their access link, they’re logged in through the custom URL seamlessly.


Advanced Usage

Multiple Administrators

If you have multiple administrators:

  1. Share the custom login URL securely (encrypted messaging, password manager)
  2. Consider using a password manager’s secure sharing feature
  3. Update all saved bookmarks
  4. Document it in your internal security documentation

Rotating Your Login URL

For high-security sites, consider changing your login URL periodically:

  1. Go to Guard Dog → Login Security
  2. Change the Login Slug to a new value
  3. Save changes
  4. Update all administrator bookmarks
  5. Notify all users of the new URL

Recommended rotation: Every 6-12 months for high-security sites.

Server Configuration

The custom login URL feature is server-agnostic and requires no special configuration:

  • Apache: Works without .htaccess modifications
  • Nginx: Works without nginx.conf changes
  • Litespeed: Works without special rules
  • Cloud hosting: Works on all major platforms

No rewrite rules or server configuration needed!


Troubleshooting

I Forgot My Custom Login URL

Solution 1: Check Your Database

  1. Access phpMyAdmin or your database tool
  2. Look in the wp_options table
  3. Find the row where option_name = guard_dog_login_slug
  4. The option_value column shows your login slug

Solution 2: Disable the Plugin Temporarily

  1. Via FTP or File Manager, navigate to /wp-content/plugins/
  2. Rename the guard-dog folder to guard-dog-disabled
  3. Access /wp-login.php normally
  4. Rename the folder back to guard-dog
  5. Check the setting in Guard Dog admin

Solution 3: Reset via wp-config.php

Add this line temporarily to wp-config.php:

define('GUARD_DOG_BYPASS', true);

This disables all Guard Dog protection temporarily. Remove it after recovering access.

Custom Login URL Not Working

Check these common issues:

  1. Slug is empty – Make sure you entered a value
  2. Caching conflict – Clear your site cache and browser cache
  3. Permalink structure – Go to Settings → Permalinks and click Save
  4. Plugin conflict – Temporarily disable other security plugins
  5. Server caching – Clear server-level caching (Varnish, Redis, etc.)

Getting 404 on Both URLs

If both your custom URL and /wp-login.php show 404:

  1. Flush rewrite rules – Go to Settings → Permalinks → Save Changes
  2. Check plugin is active – Ensure Guard Dog is activated
  3. File permissions – Ensure WordPress can write to the database
  4. Clear all caches – Browser, plugin, server

Redirect Loop When Accessing Custom URL

Causes:

  • Another plugin also modifying login URLs
  • Incorrect server redirect rules
  • Caching issue

Solutions:

  1. Disable other security plugins one by one
  2. Remove any custom login redirects in .htaccess
  3. Clear all caches
  4. Check for hardcoded redirects in your theme

Login Forms from Plugins Not Working

Some plugins include their own login forms. Update these plugins to use the WordPress wp_login_url() function, which Guard Dog filters automatically.

For plugin developers, always use:

$login_url = wp_login_url();

Never hardcode:

$login_url = '/wp-login.php'; // ❌ Don't do this

Security Considerations

Is Custom Login URL Enough?

No. While effective against automated bots, a custom login URL should be part of a multi-layered security approach:

  1. Custom Login URL – Stops automated bots (this feature)
  2. CAPTCHA – Stops automated tools that find your URL
  3. Login Limiting – Stops brute-force attempts
  4. 2FA – Protects against password theft
  5. Access Control – Restricts by IP or username

Use all these features together for comprehensive protection.

Security Through Obscurity?

Custom login URLs are often criticized as “security through obscurity.” While true, they’re still valuable:

  • First line of defense – Eliminates most attacks before they start
  • Reduces attack surface – Fewer requests to process
  • Complements other security – Works alongside strong authentication
  • Proven effective – Used by millions of WordPress sites successfully

Think of it like locking your front door. A determined attacker could pick the lock, but it still stops most intrusions.

Can Attackers Find My Custom URL?

Potentially, yes:

  • Brute force scanning – Trying common URL patterns
  • Information disclosure – Poorly coded themes revealing the URL
  • Social engineering – Tricking users into revealing it

Mitigations:

  • Use a non-obvious, unique slug
  • Enable CAPTCHA as a second layer
  • Enable login limiting to stop brute-force
  • Don’t share the URL publicly
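
One way to check whether the brute-force scanning described above has reached your slug, using the web server's access log. This is an added example, not part of Guard Dog; it assumes the Apache/Nginx combined log format, and the function name, the threshold and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Combined format: ip - - [time] "METHOD target PROTO" status ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')

# Constructed sample lines (documentation-range addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2025:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 512',
    '203.0.113.7 - - [01/Jan/2025:10:00:02 +0000] "GET /admin HTTP/1.1" 404 512',
    '203.0.113.7 - - [01/Jan/2025:10:00:03 +0000] "GET /login/ HTTP/1.1" 404 512',
    '203.0.113.7 - - [01/Jan/2025:10:00:09 +0000] "GET /my-secret-door HTTP/1.1" 200 4100',
    '198.51.100.20 - - [01/Jan/2025:11:30:00 +0000] "GET /my-secret-door HTTP/1.1" 200 4100',
    '198.51.100.20 - - [01/Jan/2025:11:30:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '192.0.2.44 - - [01/Jan/2025:12:00:00 +0000] "GET /wp-login.php HTTP/1.1" 404 512',
]


def find_slug_discovery(lines, slug, min_probes=3):
    """Return {ip: probe_count} for clients that received 404 on at least
    `min_probes` distinct paths and afterwards requested the login slug."""
    probes = defaultdict(set)  # ip -> distinct paths answered with 404
    flagged = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a combined-format line
        ip, _method, target, status = m.groups()
        # Compare on the path only: drop the query string and trailing slash.
        path = target.split("?", 1)[0].rstrip("/") or "/"
        if path == "/" + slug:
            if len(probes[ip]) >= min_probes:
                flagged[ip] = len(probes[ip])
        elif status == "404":
            probes[ip].add(path)
    return flagged


if __name__ == "__main__":
    for ip, count in find_slug_discovery(SAMPLE_LOG, "my-secret-door").items():
        print(f"{ip}: reached the login slug after {count} guessed paths")
```

An address flagged here is a reason to change the slug; an administrator who opens the bookmarked URL directly, like the second address in the sample, is not flagged.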

Best Practices

  1. Set it immediately after installing Guard Dog
  2. Bookmark it in multiple places (password manager, browser)
  3. Don’t share it publicly (blog posts, forum signatures, etc.)
  4. Change it if compromised (rotate periodically for high-security sites)
  5. Document it securely for team members
  6. Combine with other features (CAPTCHA, 2FA, login limiting)
  7. Test in incognito mode before logging out of your current session

FAQ

Q: Will this break plugins or themes?
A: No. Guard Dog properly filters all WordPress login URL functions. Well-coded plugins and themes will work automatically.

Q: Can I use special characters in my slug?
A: Only lowercase letters, numbers, and hyphens are allowed for maximum compatibility.

Q: Does this work with multisite?
A: Custom login URLs work on WordPress multisite installations.

Q: Will users see a 404 error?
A: Yes. Anyone who tries to access /wp-login.php directly will see a 404 page. This is intentional and prevents attackers from knowing WordPress is installed.

Q: Can I set different login URLs for different users?
A: No. There is one custom login URL for the entire site. All users must use the same URL.

Q: Will this slow down my site?
A: No. The custom login URL check is extremely lightweight and has negligible performance impact.