This secret login page for the WordPress administrator is important, unique, and improves your WordPress security level. This trick will prevent any attempt to access your WordPress dashboard, since the address (URL) is hidden and only accessible to you. It does not use a cookie or a strict IP restriction to apply this trick, so wherever you log into WordPress admin, no one will be able to trace you.
The idea for this WordPress secret login page is adapted from the Better WordPress Security plugin. It is actually a good and complete WordPress security plugin; unfortunately, big things always cost more. The plugin requires extra server resources and loads queries from the database (which I dislike). So I decided to adapt one of its best features: hiding the WordPress admin login page using htaccess. Yes, that's it, that's the secret. This tutorial walks through the complete steps to hide the WordPress admin page using htaccess:
Add this code to your htaccess file. Don't forget to change "yoursite.com" to your real URL:
<IfModule mod_rewrite.c>
RewriteEngine On
# /enter redirects to wp-login.php with the secret key
RewriteRule ^enter/?$ /wp-login.php?7ry709u355m3 [R,L]
# /dashboard: visitors without a login cookie are sent to the login page first
RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$
RewriteRule ^dashboard/?$ /wp-login.php?7ry709u355m3&redirect_to=/wp-admin/ [R,L]
# /dashboard: everyone else (already logged in) goes straight to wp-admin
RewriteRule ^dashboard/?$ /wp-admin/?7ry709u355m3 [R,L]
# /register opens the registration form
RewriteRule ^register/?$ /wp-login.php?7ry709u355m3&action=register [R,L]
# Send direct requests for wp-admin and wp-login.php to /not_found, unless the
# request is for admin-ajax.php, has a Referer from this site's admin or login
# pages, starts its query string with the key or a listed action, or has a login cookie
RewriteCond %{SCRIPT_FILENAME} !^(.*)admin-ajax\.php
RewriteCond %{HTTP_REFERER} !^(.*)yoursite.com/wp-admin
RewriteCond %{HTTP_REFERER} !^(.*)yoursite.com/wp-login\.php
RewriteCond %{HTTP_REFERER} !^(.*)yoursite.com/enter
RewriteCond %{HTTP_REFERER} !^(.*)yoursite.com/dashboard
RewriteCond %{HTTP_REFERER} !^(.*)yoursite.com/register
RewriteCond %{QUERY_STRING} !^7ry709u355m3
RewriteCond %{QUERY_STRING} !^action=logout
RewriteCond %{QUERY_STRING} !^action=rp
RewriteCond %{QUERY_STRING} !^action=register
RewriteCond %{QUERY_STRING} !^action=postpass
RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$
RewriteRule ^.*wp-admin/?|^.*wp-login\.php /not_found [R,L]
# After logout, go back to the login page with the key
RewriteCond %{QUERY_STRING} ^loggedout=true
RewriteRule ^.*$ /wp-login.php?7ry709u355m3 [R,L]
</IfModule>
After adding the code, your default admin login page will be inaccessible (not_found). Obviously, this will fool whoever tries to access the admin page without permission. The admin page is now secret: only you know the address, and you can define it freely.
Default URL:
http://www.yoursite.net/wp-login.php
http://www.yoursite.net/wp-admin/
http://www.yoursite.net/wp-signup.php
URL after the code:
http://www.yoursite.net/enter
http://www.yoursite.net/dashboard
http://www.yoursite.net/register
http://www.yoursite.net/wp-login.php?7ry709u355m3
You can freely change the secret query to anything you like. Yes, that will be your secret key, so define it yourself. Don't let anybody know it, but make sure you can easily remember it. Have a try!
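To check a customized copy of the rules before deploying it, the added example below (not code from the original tutorial or the plugin) models the RewriteCond chain in front of the /not_found rule and reports which requests it redirects and which it passes on to WordPress's own login check. The function name `decide` and the sample requests are constructed for illustration, and SCRIPT_FILENAME is approximated by the URL path.

```python
import re

KEY = "7ry709u355m3"   # secret query key used on the page
SITE = "yoursite.com"  # placeholder domain used on the page

# Patterns copied from the negated (!) RewriteCond lines above the /not_found
# rule. The rule fires only when none of them matches the request.
# Assumption: SCRIPT_FILENAME is approximated here by the URL path.
EXEMPTIONS = [
    ("path", r"^(.*)admin-ajax\.php"),
    ("referer", rf"^(.*){SITE}/wp-admin"),
    ("referer", rf"^(.*){SITE}/wp-login\.php"),
    ("referer", rf"^(.*){SITE}/enter"),
    ("referer", rf"^(.*){SITE}/dashboard"),
    ("referer", rf"^(.*){SITE}/register"),
    ("query", rf"^{KEY}"),
    ("query", r"^action=logout"),
    ("query", r"^action=rp"),
    ("query", r"^action=register"),
    ("query", r"^action=postpass"),
    ("cookie", r"^.*wordpress_logged_in_.*$"),
]
RULE_PATTERN = re.compile(r"^.*wp-admin/?|^.*wp-login\.php")

def decide(path, query="", referer="", cookie=""):
    """Return 'not_found' when the block rule redirects, otherwise 'pass'."""
    request = {"path": path, "query": query, "referer": referer, "cookie": cookie}
    # In .htaccess context the rule pattern sees the path without its leading slash.
    if not RULE_PATTERN.search(path.lstrip("/")):
        return "pass"
    for variable, pattern in EXEMPTIONS:
        if re.search(pattern, request[variable]):
            return "pass"  # one negated condition is false, so the rule is skipped
    return "not_found"

# Constructed sample requests: (label, path, query, referer, cookie)
SAMPLES = [
    ("default login URL", "/wp-login.php", "", "", ""),
    ("default admin URL", "/wp-admin/", "", "", ""),
    ("key first in query", "/wp-login.php", KEY, "", ""),
    ("key not first in query", "/wp-login.php", "redirect_to=%2Fwp-admin%2F&" + KEY, "", ""),
    ("logout link", "/wp-login.php", "action=logout&_wpnonce=constructed", "", ""),
    ("AJAX endpoint", "/wp-admin/admin-ajax.php", "action=heartbeat", "", ""),
    ("lost password, Referer sent", "/wp-login.php", "action=lostpassword",
     f"http://www.{SITE}/wp-login.php?{KEY}", ""),
    ("lost password, no Referer", "/wp-login.php", "action=lostpassword", "", ""),
    ("logged-in bookmark", "/wp-admin/", "", "", "wordpress_logged_in_x=constructed"),
]

if __name__ == "__main__":
    for label, path, query, referer, cookie in SAMPLES:
        print(f"{decide(path, query, referer, cookie):9}  {label}")
```

Two results matter when you customize the rules: the key is only recognized at the start of the query string, and `action=lostpassword` is not in the allowed list, so the lost-password link works only when the browser sends a Referer from one of the listed pages.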