
Changing the wp-admin URL is one of the most common WordPress hardening requests, mostly because bots hammer /wp-login.php all day looking for a way in. You can do it without a plugin, but it takes a snippet or a server rule, and it comes with a caveat worth stating up front.
I will show you two no-plugin methods, a secret-key gate in functions.php and a proper password lock in .htaccess, then I will be honest about what hiding the login does and does not protect you from.
Wichtigste Erkenntnisse
- WordPress cannot cleanly rename wp-admin from core, so a no-plugin change means a functions.php snippet or an .htaccess rule.
- A login gate lets you require a secret key on wp-login.php, so bots hitting the plain URL get bounced.
- An .htaccess password lock is the stronger no-plugin option, adding a second login before WordPress even loads.
- Always keep a way back in through FTP or your file manager, because a wrong snippet can lock you out.
- Hiding the login is obscurity, not security; strong passwords, 2FA, and limited login attempts do the real work.
Can you really change wp-admin without a plugin?
Partly, and it is worth being clear about that. WordPress has no core setting to rename wp-admin or wp-login.php, so you cannot turn it into a pretty custom slug the way a dedicated plugin does. What you can do without a plugin is control who reaches the login screen, which achieves the real goal behind the request: getting the bots off your login.
The two methods below do exactly that. One changes the URL you log in from, the other puts a hard lock in front of it, and each is a genuine step up from leaving /wp-login.php wide open.
Method 1: gate wp-login.php with a secret key
The cleanest no-plugin way to change your login URL is to guard wp-login.php with a secret key. Add this to your child theme’s functions.php, or a code snippets plugin, the same place I add tweaks like the duplicate posts and pages snippet:
add_action( 'login_init', 'wpc_gate_login' );
function wpc_gate_login() {
// Let logout, password resets, and form submissions through
if ( ! empty( $_GET['action'] ) || 'POST' === $_SERVER['REQUEST_METHOD'] ) {
return;
}
// Require your secret key on the plain login screen
if ( ! isset( $_GET['wpc_key'] ) || 'change-this-to-your-own-secret' !== $_GET['wpc_key'] ) {
wp_safe_redirect( home_url( '/' ) );
exit;
}
}Your login URL becomes https://yoursite.com/wp-login.php?wpc_key=change-this-to-your-own-secret. Anyone hitting the plain /wp-login.php is sent to your homepage, which is exactly what the bots run into. The check deliberately lets logout, password resets, and form submissions through, so normal logins keep working.
One rule before you save it: keep a way back in. Bookmark your key URL, and make sure you can reach your files over FTP or your host’s file manager, because if you mistype the key you will lock yourself out and deleting the snippet is how you recover.
Method 2: password-protect wp-admin with .htaccess
If you want something stronger than a hidden door, lock the whole wp-admin folder at the server level. This adds a browser username and password prompt before WordPress even loads, so brute-force scripts never reach your login form at all. Create an .htpasswd file through your host, then put this in the .htaccess inside /wp-admin/:
# Password-protect the wp-admin folder
AuthType Basic
AuthName "Restricted Admin Area"
AuthUserFile /home/your-username/.htpasswd
Require valid-user
# Keep admin-ajax.php reachable so the front end keeps working
<Files admin-ajax.php>
Require all granted
</Files>Point AuthUserFile at the real path your host gives you, and do not skip the admin-ajax.php exception, because without it front-end features that rely on AJAX can break. This is the method I trust most on the no-plugin list, since it is a real lock rather than a hidden door. Apache’s own authentication guide walks through creating the password file if your host does not do it for you.
Hiding the login is not the same as securing it
Here is the part most tutorials skip. Renaming or hiding your login mainly cuts the noise from automated bots, which is a real and worthwhile win for your logs and your server load, but it is not the same as being secure. A determined attacker can still find the login, and a hidden URL buys you nothing against a weak password.
So treat the URL change as one small layer and put your real effort into the basics: a strong, unique admin password, two-factor authentication, and a limit on failed login attempts. WordPress’s own hardening guide lays these out, and they matter far more than the slug your login sits on. If you run a store, the same mindset carries into wider PCI DSS compliance work.
So, is hiding wp-admin worth doing without a plugin?
It is worth doing, as long as you are clear about what you are buying. If you are comfortable with code, the .htaccess password lock is the one I would reach for, because it actually stops brute-force attempts rather than just moving the door, while the functions.php gate is a fine lighter option if you only want to shake the bots off.
That said, I would not pretend the no-plugin route is tidier than a plugin that renames the URL cleanly and safely, such as WPS Hide Login. If a single plugin does not bother you, that is the simpler path. Either way, do the real hardening first and treat the hidden URL as the bonus layer it is.
Locked out or unsure it is safe?
If a snippet has locked you out, or you want your login hardened properly without breaking anything, feel free to kontaktieren Sie uns oder E-Mail and I will help you sort it.
Änderungsprotokolle
02 Jul 2026
- Rewrote with two safe no-plugin methods, a secret-key login gate and an .htaccess password lock, and added an honest section on why hiding the login is obscurity, not a replacement for real hardening.
- Sharpened the section headings so each is clear on its own.
Want our posts to show up more often on Google?
One step & Google will surface this site in your Top Stories.
