Solid Security Hide Backend

Hides the login page (wp-login.php, wp-admin, admin, and login), making it harder for automated attacks to find and making login easier for users unfamiliar with the WordPress platform.


If you forget your new login slug, this article can help you find it: How Do I Recover My Hide Backend URL?


Enable Hide Backend


You can enable this setting in Security > Settings > Advanced > Hide Backend.



Hide Backend Options





Login Slug


The login URL slug cannot be "login," "admin," "dashboard," or "wp-login.php" as these are used by default in WordPress. 


Register Slug


The URL/slug you want to use for site registration.


Note: The output is limited to alphanumeric characters, underscore (_), and dash (-). Special characters such as "." and "/" are not allowed and will be converted in the same manner as a post title. Please review your selection before logging out.




Enable Redirection


Instead of displaying a "403" error, you can choose to redirect to any page or post - your 404 page or another page with on-screen instructions for your users.


Redirection Slug


The slug of the page or post that site users are redirected to when they try to access wp-admin while not logged in.




Custom Login Action


WordPress uses the "action" variable to handle many login and logout functions. By default, this plugin can handle the normal ones, but some plugins and themes may utilize a custom action (such as logging out of a private post). If you need a custom action, please enter it here.


The idea behind hiding the wp-admin is that hackers can’t hack what they can’t find. If your login URL isn’t the standard WordPress /wp-admin/ URL, aren’t you protected from brute-force attacks?


The truth is that most Hide Backend features are simply security through obscurity, which isn’t a bulletproof security strategy.

While hiding your backend wp-admin URL can help mitigate some of the attacks on your login, this approach won’t stop all of them.

We frequently receive support tickets from people who are perplexed at how Solid Security Pro is reporting invalid login attempts when they have hidden their login.

That’s because there are other ways to log into your WordPress sites besides using a browser, like using XML-RPC or the REST API. After you change the login URL, another plugin or theme could still link to the new URL.
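To see which login paths are still receiving attempts after the login URL is hidden, you can tally them from the web server access log. The script below is an added example, not part of Solid Security or of the original article. It assumes combined-format access logs, pretty permalinks (REST API under /wp-json), and a hypothetical custom slug "team-entry"; the log lines are constructed.

```python
import re
from collections import Counter

# Combined-log-format fields we need: client IP, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def classify(method, path, status):
    """Map one request to the authentication surface it touches, or None."""
    path = path.split("?", 1)[0].rstrip("/") or "/"
    if method == "POST" and path.endswith("/xmlrpc.php"):
        return "xmlrpc"    # candidate: XML-RPC calls carry credentials in the body
    if "/wp-json" in path and status == 401:
        return "rest"      # assumption: a 401 from the REST API is a rejected request
    if method == "POST" and path.endswith("/wp-login.php"):
        return "wp-login"  # form login, reached via the custom slug redirect
    return None

def auth_surface_counts(lines):
    """Count candidate login attempts per (surface, client IP)."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        surface = classify(m["method"], m["path"], int(m["status"]))
        if surface:
            counts[(surface, m["ip"])] += 1
    return counts

def noisy_clients(counts, threshold=3):
    """Return sorted (surface, ip, hits) tuples at or above the threshold."""
    return sorted((s, ip, n) for (s, ip), n in counts.items() if n >= threshold)

def _line(ip, method, path, status):
    return f'{ip} - - [10/Mar/2025:10:00:00 +0000] "{method} {path} HTTP/1.1" {status} 512 "-" "-"'

# Constructed sample traffic (documentation IP ranges), not real log data.
SAMPLE = (
    [_line("203.0.113.7", "POST", "/xmlrpc.php", 200)] * 4
    + [_line("198.51.100.23", "GET", "/wp-json/wp/v2/users/me", 401)] * 3
    + [_line("198.51.100.9", "GET", "/wp-login.php", 403),   # blocked by Hide Backend
       _line("192.0.2.10", "GET", "/team-entry", 302),       # hypothetical custom slug
       _line("192.0.2.10", "POST", "/wp-login.php", 302)]    # normal form login
)

if __name__ == "__main__":
    for surface, ip, hits in noisy_clients(auth_surface_counts(SAMPLE)):
        print(f"{surface:9} {ip:15} {hits}")
```

A POST to xmlrpc.php is only a candidate attempt, since the access log does not show the method called; confirm against the Solid Security logs before acting on a count.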

In fact, the Hide Backend feature doesn’t really change anything. Yes, it does prevent most users from directly accessing the default login URL. But after someone enters the custom login URL, they are redirected back to the default WordPress login URL.

The truth is that you can’t completely hide the backend login page of your WordPress website.

If you were to change the wp-admin URL, you would break your site. Everything you install on your site, including WordPress, assumes that /wp-admin will be in the URL. When you do something as basic as creating a post, you have to go through the wp-admin before you get to /wp-admin/post.php.

Customizing the login URL is also known to cause conflicts. Some plugins, themes, or third-party apps hardcode wp-login.php into their code base, so when a hardcoded piece of software looks for wp-login.php, it finds an error instead.

A brute force attack is a trial-and-error method used to obtain information such as a username or password. In a brute force attack, automated software is used to generate a large number of consecutive guesses as to the value of the desired data.
