Custom Login URL

Hide wp-login.php behind a custom URL slug. Original login returns 404.

Last updated Feb 21, 2026

Overview

By default, every WordPress site uses /wp-login.php for its login page. Since this URL is the same on every WordPress installation, automated bots constantly target it with brute force attacks and vulnerability scans. ArmorPro's custom login URL feature hides your login page behind a URL you choose, eliminating the vast majority of automated bot traffic before it ever reaches your login form.

Enabling custom login URL

Go to ArmorPro → Settings and find the Custom Login URL section. Enter a slug for your new login URL. For example, entering my-login makes your login page available at yoursite.com/my-login/.

The slug is automatically converted to a lowercase, URL-safe format. Spaces, special characters, and uppercase letters are normalized so you always get a clean, valid URL.

What happens when enabled

Once you save a custom login URL, several things change:

  • wp-login.php returns 404: All direct requests to /wp-login.php receive a 404 Not Found response, making it invisible to bots
  • Custom URL serves the login page: Your chosen URL loads the standard WordPress login form
  • WordPress redirects are rewritten: After logout, expired sessions, and other internal redirects, WordPress automatically sends users to your custom URL instead of wp-login.php
  • Login URLs rewritten site-wide: The site_url and network_site_url filters rewrite all login URLs throughout WordPress, including those generated by plugins and themes
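
To confirm the behaviour listed above on your own site, the following added example (not ArmorPro code) audits a set of captured HTTP responses and also flags the common slugs that the Tip further down says to avoid. The captures are constructed samples, audit() is a hypothetical helper, and the check assumes the standard WordPress login form markup (id="loginform").

```python
# Constructed sample data; yoursite.com and my-login are the page's own placeholders.
from urllib.parse import urlsplit

COMMON_SLUGS = {"admin", "login", "secure"}  # slugs the page says bots already try


def audit(slug, responses):
    """responses maps request path -> (status, headers, body). Returns a list of findings."""
    slug = slug.strip("/").lower()
    custom = f"/{slug}/"
    findings = []
    if slug in COMMON_SLUGS:
        findings.append(f"slug '{slug}' is a common guess")
    status = responses.get("/wp-login.php", (None, {}, ""))[0]
    if status != 404:
        findings.append(f"/wp-login.php returned {status}, expected 404")
    status, _, body = responses.get(custom, (None, {}, ""))
    if status != 200 or 'id="loginform"' not in body:
        findings.append(f"{custom} did not serve the login form")
    for path, (_, headers, body) in sorted(responses.items()):
        location = {k.lower(): v for k, v in headers.items()}.get("location", "")
        if urlsplit(location).path.endswith("/wp-login.php"):
            findings.append(f"{path} redirects to wp-login.php")
        if path != "/wp-login.php" and "wp-login.php" in body:
            findings.append(f"{path} body still links to wp-login.php")
    return findings


FORM = '<form name="loginform" id="loginform" action="https://yoursite.com{}" method="post">'

GOOD = {  # constructed capture: feature working as described
    "/wp-login.php": (404, {}, "Not Found"),
    "/my-login/": (200, {}, FORM.format("/my-login/")),
    "/my-login/?action=logout": (302, {"Location": "https://yoursite.com/my-login/?loggedout=true"}, ""),
}
BAD = {  # constructed capture: old URL still live, form and logout redirect still point at it
    "/wp-login.php": (200, {}, FORM.format("/wp-login.php")),
    "/login/": (200, {}, FORM.format("/wp-login.php")),
    "/login/?action=logout": (302, {"location": "https://yoursite.com/wp-login.php?loggedout=true"}, ""),
}

if __name__ == "__main__":
    for name, slug, capture in (("good", "my-login", GOOD), ("bad", "login", BAD)):
        print(name, audit(slug, capture) or "OK")
```

An empty list means every captured response matches the four points above; to run it against a live site, fill the dictionary from your own requests made with redirects disabled.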

Cache compatibility

ArmorPro sets cache-busting constants on the custom login page to prevent caching plugins from serving a stale or cached version of your login form. The following constants are set automatically:

  • DONOTCACHEPAGE
  • DONOTCACHEDB
  • DONOTMINIFY
  • DONOTCDN
  • DONOTCACHEOBJECT

This ensures compatibility with LiteSpeed Cache, W3 Total Cache, WP Super Cache, and other popular caching plugins without any additional configuration.

Permalink flush

When you save your custom login URL, ArmorPro automatically flushes WordPress rewrite rules. You do not need to visit Settings → Permalinks manually. The new URL is available immediately after saving.

Remembering your URL

After setting a custom login URL, bookmark it in your browser or store it in a password manager. If you forget the URL, you will not be able to access your login page through the normal WordPress paths.

If you forget your custom login URL, you can regain access by connecting to your site via FTP/SFTP and renaming the armorpro plugin folder (e.g., to armorpro-disabled). This deactivates the plugin and restores the default /wp-login.php URL. After logging in, rename the folder back and check your settings.

Tip

Choose something unique but memorable. Avoid common slugs like admin, login, or secure that bots already try as part of their scanning routines.

Important

A custom login URL is security through obscurity. It reduces noise and eliminates automated attacks, but should not be your only login protection. Always pair it with brute force protection and two-factor authentication for a complete defense.