{"id":2444,"date":"2023-12-31T05:33:22","date_gmt":"2023-12-31T05:33:22","guid":{"rendered":"https:\/\/wpconsults.com\/?p=2444"},"modified":"2026-07-01T22:46:55","modified_gmt":"2026-07-01T22:46:55","slug":"wp-admin-url-ohne-plugin-andern","status":"publish","type":"post","link":"https:\/\/www.wpconsults.com\/de\/change-wp-admin-url-without-plugin\/","title":{"rendered":"How to Change the wp-admin URL Without a Plugin"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">Changing the wp-admin URL is one of the most common WordPress hardening requests, mostly because bots hammer \/wp-login.php all day looking for a way in. You can do it without a plugin, but it takes a snippet or a server rule, and it comes with a caveat worth stating up front.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">I will show you two no-plugin methods, a secret-key gate in functions.php and a proper password lock in .htaccess, then I will be honest about what hiding the login does and does not protect you from.<\/p>\n\n\n\n<div class=\"wp-block-group wpc-takeaways is-layout-flow wp-block-group-is-layout-flow\">\n<h3 class=\"wp-block-heading\">Key Takeaways<\/h3>\n\n<ul class=\"wp-block-list\">\n<li>WordPress cannot cleanly rename wp-admin from core, so a no-plugin change means a functions.php snippet or an .htaccess rule.<\/li>\n<li>A login gate lets you require a secret key on wp-login.php, so bots hitting the plain URL get bounced.<\/li>\n<li>An .htaccess password lock is the stronger no-plugin option, adding a second login before WordPress even loads.<\/li>\n<li>Always keep a way back in through FTP or your file manager, because a wrong snippet can lock you out.<\/li>\n<li>Hiding the login is obscurity, not security; strong passwords, 2FA, and limited login attempts do the real work.<\/li>\n<\/ul>\n\n<\/div>\n\n\n<style>.kb-table-of-content-nav.kb-table-of-content-id7066_f7400a-9c .kb-table-of-content-wrap{padding-top:var(--global-kb-spacing-sm, 1.5rem);padding-right:var(--global-kb-spacing-sm, 1.5rem);padding-bottom:var(--global-kb-spacing-sm, 1.5rem);padding-left:var(--global-kb-spacing-sm, 1.5rem);border-top:1px solid var(--global-palette10, #3182CE);border-right:1px solid var(--global-palette10, #3182CE);border-bottom:1px solid var(--global-palette10, #3182CE);border-left:1px solid var(--global-palette10, #3182CE);border-top-left-radius:5px;border-top-right-radius:5px;border-bottom-right-radius:5px;border-bottom-left-radius:5px;box-shadow:15px 15px 0px 0px rgba(160, 152, 255, 0.31);}.kb-table-of-content-nav.kb-table-of-content-id7066_f7400a-9c .kb-table-of-contents-title-wrap{padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;}.kb-table-of-content-nav.kb-table-of-content-id7066_f7400a-9c .kb-table-of-contents-title{font-weight:regular;font-style:normal;}.kb-table-of-content-nav.kb-table-of-content-id7066_f7400a-9c .kb-table-of-content-wrap .kb-table-of-content-list{color:var(--global-palette1, #3182CE);font-weight:regular;font-style:normal;margin-top:var(--global-kb-spacing-sm, 1.5rem);margin-right:0px;margin-bottom:0px;margin-left:0px;}@media all and (max-width: 1024px){.kb-table-of-content-nav.kb-table-of-content-id7066_f7400a-9c .kb-table-of-content-wrap{border-top:1px solid var(--global-palette10, #3182CE);border-right:1px solid var(--global-palette10, #3182CE);border-bottom:1px solid var(--global-palette10, #3182CE);border-left:1px solid var(--global-palette10, #3182CE);}}@media all and (max-width: 767px){.kb-table-of-content-nav.kb-table-of-content-id7066_f7400a-9c .kb-table-of-content-wrap{border-top:1px solid var(--global-palette10, #3182CE);border-right:1px solid var(--global-palette10, #3182CE);border-bottom:1px solid var(--global-palette10, #3182CE);border-left:1px solid var(--global-palette10, #3182CE);}}<\/style>\n\n<h2 class=\"wp-block-heading\">Can you really change wp-admin without a plugin?<\/h2>\n\n<p class=\"wp-block-paragraph\">Partly, and it is worth being clear about that. WordPress has no core setting to rename wp-admin or wp-login.php, so you cannot turn it into a pretty custom slug the way a dedicated plugin does. What you can do without a plugin is control who reaches the login screen, which achieves the real goal behind the request: getting the bots off your login.<\/p>\n\n\n<p class=\"wp-block-paragraph\">The two methods below do exactly that. One changes the URL you log in from, the other puts a hard lock in front of it, and each is a genuine step up from leaving \/wp-login.php wide open.<\/p>\n\n\n<h2 class=\"wp-block-heading\">Method 1: gate wp-login.php with a secret key<\/h2>\n\n<p class=\"wp-block-paragraph\">The cleanest no-plugin way to change your login URL is to guard wp-login.php with a secret key. Add this to your child theme&#8217;s functions.php, or a code snippets plugin, the same place I add tweaks like the <a href=\"https:\/\/www.wpconsults.com\/duplicate-posts-pages-in-wordpress\/\">duplicate posts and pages snippet<\/a>:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>add_action( 'login_init', 'wpc_gate_login' );\nfunction wpc_gate_login() {\n    \/\/ Let logout, password resets, and form submissions through\n    if ( ! empty( $_GET['action'] ) || 'POST' === $_SERVER['REQUEST_METHOD'] ) {\n        return;\n    }\n    \/\/ Require your secret key on the plain login screen\n    if ( ! isset( $_GET['wpc_key'] ) || 'change-this-to-your-own-secret' !== $_GET['wpc_key'] ) {\n        wp_safe_redirect( home_url( '\/' ) );\n        exit;\n    }\n}<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Your login URL becomes <code>https:\/\/yoursite.com\/wp-login.php?wpc_key=change-this-to-your-own-secret<\/code>. Anyone hitting the plain \/wp-login.php is sent to your homepage, which is exactly what the bots run into. The check deliberately lets logout, password resets, and form submissions through, so normal logins keep working.<\/p>\n\n\n<p class=\"wp-block-paragraph\">One rule before you save it: <strong>keep a way back in.<\/strong> Bookmark your key URL, and make sure you can reach your files over FTP or your host&#8217;s file manager, because if you mistype the key you will lock yourself out and deleting the snippet is how you recover.<\/p>\n\n\n<h2 class=\"wp-block-heading\">Method 2: password-protect wp-admin with .htaccess<\/h2>\n\n<p class=\"wp-block-paragraph\">If you want something stronger than a hidden door, lock the whole wp-admin folder at the server level. This adds a browser username and password prompt before WordPress even loads, so brute-force scripts never reach your login form at all. Create an <code>.htpasswd<\/code> file through your host, then put this in the <code>.htaccess<\/code> inside \/wp-admin\/:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># Password-protect the wp-admin folder\nAuthType Basic\nAuthName &quot;Restricted Admin Area&quot;\nAuthUserFile \/home\/your-username\/.htpasswd\nRequire valid-user\n\n# Keep admin-ajax.php reachable so the front end keeps working\n&lt;Files admin-ajax.php&gt;\nRequire all granted\n&lt;\/Files&gt;<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Point <code>AuthUserFile<\/code> at the real path your host gives you, and do not skip the admin-ajax.php exception, because without it front-end features that rely on AJAX can break. This is the method I trust most on the no-plugin list, since it is a real lock rather than a hidden door. Apache&#8217;s own <a href=\"https:\/\/httpd.apache.org\/docs\/current\/howto\/auth.html\" target=\"_blank\" rel=\"noopener nofollow\">authentication guide<\/a> walks through creating the password file if your host does not do it for you.<\/p>\n\n\n<h2 class=\"wp-block-heading\">Hiding the login is not the same as securing it<\/h2>\n\n<p class=\"wp-block-paragraph\">Here is the part most tutorials skip. Renaming or hiding your login mainly cuts the noise from automated bots, which is a real and worthwhile win for your logs and your server load, but it is not the same as being secure. A determined attacker can still find the login, and a hidden URL buys you nothing against a weak password.<\/p>\n\n\n<p class=\"wp-block-paragraph\">So treat the URL change as one small layer and put your real effort into the basics: a strong, unique admin password, two-factor authentication, and a limit on failed login attempts. WordPress&#8217;s own <a href=\"https:\/\/developer.wordpress.org\/advanced-administration\/security\/hardening\/\" target=\"_blank\" rel=\"noopener nofollow\">hardening guide<\/a> lays these out, and they matter far more than the slug your login sits on. If you run a store, the same mindset carries into wider <a href=\"https:\/\/www.wpconsults.com\/pci-dss-compliance-for-e-commerce-store\/\">PCI DSS compliance<\/a> work.<\/p>\n\n\n<h2 class=\"wp-block-heading\">So, is hiding wp-admin worth doing without a plugin?<\/h2>\n\n<p class=\"wp-block-paragraph\">It is worth doing, as long as you are clear about what you are buying. If you are comfortable with code, the .htaccess password lock is the one I would reach for, because it actually stops brute-force attempts rather than just moving the door, while the functions.php gate is a fine lighter option if you only want to shake the bots off.<\/p>\n\n\n<p class=\"wp-block-paragraph\">That said, I would not pretend the no-plugin route is tidier than a plugin that renames the URL cleanly and safely, such as WPS Hide Login. If a single plugin does not bother you, that is the simpler path. Either way, do the real hardening first and treat the hidden URL as the bonus layer it is.<\/p>\n\n\n\n<div class=\"wp-block-group wpc-post-cta is-layout-flow wp-block-group-is-layout-flow\">\n<h3 class=\"wp-block-heading\">Locked out or unsure it is safe?<\/h3>\n<p class=\"wp-block-paragraph\">If a snippet has locked you out, or you want your login hardened properly without breaking anything, feel free to <a href=\"https:\/\/www.wpconsults.com\/work-with-wpconsults\/\">contact us<\/a> or <a href=\"mailto:abdullah@wpconsults.com\">email me<\/a> and I will help you sort it.<\/p>\n<\/div>\n\n\n\n<div class=\"wp-block-group wpc-changelog is-layout-flow wp-block-group-is-layout-flow\" id=\"article-update-logs\">\n<h2 class=\"wp-block-heading\">Update Logs<\/h2>\n<p class=\"wp-block-paragraph\"><strong>02 Jul 2026<\/strong><\/p>\n<ul class=\"wp-block-list\"><li>Rewrote with two safe no-plugin methods, a secret-key login gate and an .htaccess password lock, and added an honest section on why hiding the login is obscurity, not a replacement for real hardening.<\/li><li>Sharpened the section headings so each is clear on its own.<\/li><\/ul>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>How to change the wp-admin URL without a plugin, using a functions.php secret-key gate or .htaccess password protection, plus an honest note on why real login hardening matters more than hiding it.<\/p>","protected":false},"author":1,"featured_media":7410,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_kb_optimizer_status":0,"_kad_post_transparent":"","_kad_post_title":"","_kad_post_layout":"","_kad_post_sidebar_id":"","_kad_post_content_style":"","_kad_post_vertical_padding":"","_kad_post_feature":"","_kad_post_feature_position":"","_kad_post_header":false,"_kad_post_footer":false,"_kad_post_classname":"","rank_math_title":"Change wp-admin URL Without a Plugin (Safe Methods)","rank_math_description":"How to change the wp-admin URL without a plugin: a functions.php secret-key gate and .htaccess password protection, with the security caveats that actually matter.","rank_math_focus_keyword":"change wp-admin url without plugin","_colophon_preset":"regular","_colophon_fc_on":"","_colophon_edited_on":"","footnotes":""},"categories":[7],"tags":[64],"class_list":["post-2444","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-wordpress-tips-tutorials","tag-without-plugin-series"],"_links":{"self":[{"href":"https:\/\/www.wpconsults.com\/de\/wp-json\/wp\/v2\/posts\/2444","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.wpconsults.com\/de\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.wpconsults.com\/de\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.wpconsults.com\/de\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.wpconsults.com\/de\/wp-json\/wp\/v2\/comments?post=2444"}],"version-history":[{"count":3,"href":"https:\/\/www.wpconsults.com\/de\/wp-json\/wp\/v2\/posts\/2444\/revisions"}],"predecessor-version":[{"id":7422,"href":"https:\/\/www.wpconsults.com\/de\/wp-json\/wp\/v2\/posts\/2444\/revisions\/7422"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.wpconsults.com\/de\/wp-json\/wp\/v2\/media\/7410"}],"wp:attachment":[{"href":"https:\/\/www.wpconsults.com\/de\/wp-json\/wp\/v2\/media?parent=2444"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.wpconsults.com\/de\/wp-json\/wp\/v2\/categories?post=2444"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.wpconsults.com\/de\/wp-json\/wp\/v2\/tags?post=2444"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}