How Login URL Masking Protects Your WordPress Site

4 min read · Updated 24 March 2026

Login URL masking relocates your login page from the well-known /wp-login.php to a private URL only you know.

The Problem with /wp-login.php

Every WordPress site in the world ships with the same login URL: /wp-login.php. Automated botnets scan billions of IP addresses looking for this exact path. Once found, they launch brute force attacks — trying thousands of username and password combinations per minute.

Even with a strong password, brute force attacks consume server resources, fill error logs, and trigger hosting alerts. Login URL masking eliminates this attack surface entirely.

How WP 1 Click LockDown Implements URL Masking

The plugin works at the WordPress request routing level — it does not modify any core files or use .htaccess rewrites:

  1. When a request arrives for /wp-login.php or /wp-admin, the plugin intercepts it via the plugins_loaded and wp_loaded hooks.
  2. If the visitor is not logged in, they are silently redirected to your configured redirect URL (usually the homepage). Bots see a normal 302 and move on.
  3. When a request arrives for your custom slug (e.g. /secure-login/), the plugin quietly serves the real wp-login.php without changing the visible URL.
  4. All WordPress filter hooks that generate login URLs are also patched, so links inside emails, dashboards, and plugins all point to your custom URL automatically.

What Attackers See

A bot scanning for /wp-login.php receives a redirect to your homepage with a 302 status. There is no error, no sign that WordPress is even installed, and no login form to attempt credentials against. Most bots record the site as "no WordPress" and skip it permanently.
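To confirm from your own access log that the redirect described above is in effect, a short audit script helps. This is an added example, not code from the plugin: the log lines are constructed, the slug is the article's /secure-login/ example, and the combined log format is an assumption about your server.

```python
import re
from collections import Counter

CUSTOM_SLUG = "/secure-login"                   # assumption: the article's example slug
DEFAULT_PATHS = ("/wp-login.php", "/wp-admin")  # paths the article says are redirected

# Constructed access-log lines (combined log format, documentation-range IPs).
SAMPLE_LOG = """\
203.0.113.7 - - [24/Mar/2026:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 302 0 "-" "scanner"
203.0.113.7 - - [24/Mar/2026:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "scanner"
198.51.100.23 - - [24/Mar/2026:10:02:10 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "scanner"
192.0.2.10 - - [24/Mar/2026:10:05:00 +0000] "GET /secure-login/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [24/Mar/2026:10:05:09 +0000] "POST /secure-login/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [24/Mar/2026:10:09:30 +0000] "GET /secure-login/ HTTP/1.1" 200 5120 "-" "scanner"
203.0.113.99 - - [24/Mar/2026:10:11:00 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 200 900 "-" "scanner"
192.0.2.10 - - [24/Mar/2026:10:12:00 +0000] "GET / HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def audit(log_text, slug=CUSTOM_SLUG):
    """Summarise how the default login paths and the custom slug were answered."""
    deflected = Counter()  # requests to a default path answered with a 3xx, per IP
    review = []            # default-path requests answered with anything else
    slug_hits = Counter()  # requests that reached the custom slug, per IP
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ip, method, target, status = m.groups()
        path = target.split("?", 1)[0]  # ignore the query string
        if path.startswith(DEFAULT_PATHS):
            if status.startswith("3"):
                deflected[ip] += 1
            else:
                # Per the article, logged-in sessions are not redirected, so an
                # entry here is a lead to check, not proof of an exposed form.
                review.append((ip, method, path, int(status)))
        elif path.rstrip("/") == slug:
            slug_hits[ip] += 1
    # An IP that probed a default path and also reached the slug is worth
    # checking: the private URL may no longer be private.
    leaked_to = sorted(set(deflected) & set(slug_hits))
    return deflected, review, slug_hits, leaked_to

if __name__ == "__main__":
    for name, value in zip(("deflected", "review", "slug_hits", "leaked_to"), audit(SAMPLE_LOG)):
        print(name, value)
```

Pass the contents of your real log to audit() in place of SAMPLE_LOG; anything in review or leaked_to deserves a closer look.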

Important Considerations

  • Always write down your custom login URL after setting it.
  • If you use WooCommerce, the customer account login is separate from /wp-login.php and is not affected.
  • Caching plugins that cache the homepage may need to exclude your custom login slug from caching rules — though this is rarely an issue in practice.
  • The custom URL does not add CAPTCHA or 2FA by itself — pair it with brute force protection and a dedicated 2FA plugin for maximum security.

Login URL masking is not security through obscurity in the negative sense — it is a real attack surface reduction. You cannot brute-force a URL you cannot find.
