Before you can do a single thing with your WordPress site, you need to log in.
Want to change your theme? You’ll need to log in. Want to edit your WordPress pages and posts? Log in first.
Logging in sounds simple, right? Well, yes and no.
WordPress’ basic login feature asks you for your username (or email address) and password, and that’s it.
But, how do you get to that page for your website? Can you customize your login page? How do you keep your site protected against those who want unauthorized access? (People log in to WordPress over 350,000 times per month -- how to log in to others’ WordPress site is no secret!)
In this article, we will cover everything you need to know about WordPress admin logins, from the simple to the complex.
In This Article:
- How the WordPress Admin Login URL Works
- Saving and Accessing the Login URL
- Persisting Login Credentials
- WordPress Login and cPanel Control Panel
- Customize Your WordPress Login
- Adding a Login Form to Your WordPress Site’s Sidebar
- Customizing Your WordPress Login Page
- Add Login with Google, Facebook, and Other Social Providers
- Limit Registrations and Logins to Users (Not Bots)
- A Caveat
- Securing Your Login
- Limit Login Attempts
- Other Ways to Stay Safe When Logging In
- Wrapping Up
How the WordPress Admin Login URL Works🚪
When you are first getting started with WordPress, you might find yourself confounded by the most simple of tasks: logging in to your website (we were!).
Before you can access your WordPress Dashboard or do anything to the website you just set up (such as changing your theme, writing new posts, creating new pages, installing plugins, and so on), you’ll need to log in. You can do this by going to what’s called your login URL.
In most cases, your WordPress login URL is just your website’s URL with one addition.
The first option you should try to append to your URL is /wp-login.php. So, if your website’s domain is exampleCo.com, then your WordPress login URL would be exampleCo.com/wp-login.php.
Other options that you might try to append to the end of your domain name include /admin or /login. For example, if your website’s domain is exampleCo.com, then your WordPress admin login URL could be exampleCo.com/admin or exampleCo.com/login. Please note that these domains, if functional, will simply redirect you to exampleCo.com/wp-login.php.
WordPress Website Login: Working with Subdomain Names
If you choose to use a subdomain name with your WordPress site, you’ll need to adjust the login URL used to access your WordPress admin login page accordingly.
For example, if your subdomain is subdomain.exampleCo.com, then your login URL is subdomain.exampleCo.com/wp-login.php.
URLs for WordPress Installed in a Subdirectory
If, however, you’ve installed WordPress in a subdirectory, then you will need to change your URL to indicate the folder where WordPress is located.
Let’s say that you have a folder of demo websites called wp-demo. Your login URL would, therefore, be exampleCo.com/wp-demo/wp-login.php instead of exampleCo.com/wp-login.php.
Saving and Accessing the Login URL 🔐
By default, your site doesn’t display a link to the WordPress admin page. However, if you want to add a link to your page so that you can easily log in to your page in the future, you can do so.
Log in to the WordPress admin dashboard, and using the left-hand navigation bar, go to Appearance > Menus.
Find the menu to which you want your login URL added (if you don’t already have a menu, you’ll need to create one). Open up the Custom Links option under Add menu items, and provide the display name you want and the URL for your login link.
When done, click Add to Menu. Before you leave this page, be sure to adjust its location in your menu and click Save Menu when done.
WordPress Admin Page: Persisting Login Credentials 💾
On the login screen, you will see the Remember Me option, which allows you to stay logged in. With this option enabled, you won’t have to provide your login credentials the next few times that you return to access the WordPress Dashboard login area.
The Remember Me option works by setting a cookie (which is just a small file) that indicates you want to stay logged in. The cookie doesn’t last forever since that isn’t a super-secure thing to do. Whenever the cookie expires (the specific length of time depends on your computer and your browser settings), you will be asked to log in again.
WordPress Login and cPanel Control Panel 🎛️
Some web hosting providers include cPanel Control Panel with their WordPress hosting packages. The cPanel is useful for things like server system administration, resource monitoring, transferring files to your web hosting environment, and managing your web hosting environment in general.
If you want to use your cPanel to manage your WordPress site, you’ll need to install the WordPress Manager plugin. You can use WordPress Manager to do things like view your database name and use information, manage automatic updates, manage passwords, and backup/restore your WordPress site.
Note, however, that this is not a replacement for the official WordPress admin dashboard -- it is merely a supplement for your convenience. For more complex or involved tasks, you will still need to use the WordPress dashboard itself.
Customize Your WordPress Login 🧰
The login form that comes by default with WordPress is functional... but it’s not very aesthetically pleasing.
If you (or just a limited number of administrators) are going to be using the WordPress login form, then you might opt to leave it be. However, if your WordPress site offers personalized features that are available to users only upon login, it might be a good idea for you to customize the login page. This will allow you to create something that looks better, matches your overall website theme, and is more secure.
In the following sections, we will cover the ways in which you can customize your WordPress login screen. Or you might want to opt for a white-labeled experience.
Adding a Login Form to Your WordPress Site’s Sidebar
We’ve previously covered how to add a login link to your WordPress site, but if you need to offer many people the option to login (e.g., you have multiple WordPress administrators or you have site personalization features that are only accessible to logged-in users), you might want to add a login form to the sidebar (or another part) of your website.
Building a custom form from scratch is difficult and time-consuming. Luckily, there are plugins that make it easy to design forms and embed them into your WordPress site.
One easy way to do this is with WPForms. Founded in 2016, the team of sixteen at WPForms offers a beginner-friendly, easy-to-use, drag and drop WordPress forms builder that’s being used on over 2 million websites.
While WPForms is known as a contact form builder, its feature set includes the ability to create:
- Registration forms (which your users would use to register for an account to use with your website);
- Login forms (which allow your users to log in after they’ve created an account).
With WPForms, you can create custom forms that ask for the information you want (the default page only allows you to ask for username/email and password), as well as customize them to match your website and brand. You can also make it easy for your users to access these forms since WPForms lets you place them on posts, pages, or the sidebar as a widget.
Another option that might appeal to you is Gravity Forms. This plugin is developed by a small, Virginia Beach, VA-based company called Rocketgenius.
Gravity Forms offers near-identical functionality to WPForms. As such, you can use the tool to create registration and login forms that can then be embedded onto your WordPress site as a widget.
Building and using something with Gravity Forms requires just a few steps:
- Select the fields you want to include
- Configure the options for your form
- Embed your form using Gravity Forms’ built-in tools
If you use any other third-party services with your WordPress site, Gravity Forms supports integrations with many other products and services, including PayPal, MailChimp, Stripe, Slack, and Zapier.
Customizing Your WordPress Login Page
As we’ve mentioned, the default WordPress admin login page is very plain, very functional, and not very fancy with regards to design. If you want to change it so that its appearance matches the rest of your site, you can do so.
Theme My Login
One plugin that helps you change the appearance of your login page is Theme My Login, which is an open-source project spearheaded by freelance developer Jeff Farthing.
Theme My Login allows you to bypass the default WordPress login page. Instead, you would use registration and login pages you’ve created that match your theme. Theme My Login is similar to WPForms and Gravity Forms, which we’ve previously mentioned, but Theme My Login offers more limited functionality than these two alternatives.
In addition to making it easy for you to modify the appearance of your login and registration pages, Theme My Login also allows you to change the behavior of both processes. For example, you can change the slugs (or portions of the URLs) related to these processes, set up email-only registration, add protection against bot users attempting to sign up, and add auto-login for all of your users.
Add Login with Google, Facebook, and Other Social Providers
Instead of requiring your users to log in with credentials they’ve created for use exclusively on your WordPress site, you might consider adding alternative options as well. For example, you might allow your users to register and log in with their Google or Facebook credentials. This makes the authentication process much easier for your users.
Nextend Social Login and Register
One plugin you might consider for adding social registration and login functionality to your login process is Nextend Social Login and Register.
Backed by Daniel David and Roland Soos, both of whom are based in Hungary, Nextend makes it easy for you to allow your users to register and log in to your website with their Facebook, Twitter, Google, LinkedIn, and other social accounts.
Its functionality supplements your existing WordPress forms, and you can customize the screen that is displayed to your users. Furthermore, you can allow different types of logins for different parts of your WordPress site (e.g., username/password for Admin access and social login for commenting).
If you have existing users, they can link their account with a social account so that they can use the latter for future logins.
Nextend also offers support for WooCommerce, the most popular e-commerce plugin used with the WordPress platform.
WordPress Social Login
One alternative to Nextend that offers functionality that’s similar is miniOrange’s WordPress Social Login. miniOrange is an American security company based in Wilmington, MA offering a variety of cloud and mobile security, identity and access management, and vulnerability management tools.
The WordPress Social Login plugin supports a larger number of social networks than Nextend. There are free and premium options, with the free option including support for Facebook, Google, Twitter, LinkedIn, Instagram, Vkontakte, Windows Live, Amazon, Salesforce, and Yahoo (the paid option supports over 30 social networks).
WordPress Social Login makes it fairly simple to add or remove social providers and to customize the appearance of the icons that will be displayed on your login page.
Limit Registrations and Logins to Users (Not Bots)
If you open up registration and sign in to the general public, you’ll find that some of the entries you get are spam registrations done by bots. If this is an issue for you, you can add CAPTCHA to your registration or sign-in process to minimize the likelihood that spambots successfully create accounts.
A CAPTCHA is a challenge that is designed to distinguish between a human user and a bot without active participation from the website owner or other personnel. You might have seen various forms of CAPTCHA -- some ask you to check a box, some ask you to type words shown to you in fonts difficult to decipher by bots, while others ask you to select photographs that show specific imagery.
In addition to protecting you from spam registration and logins, CAPTCHA can help protect you from what’s called a brute force attack. Essentially, such attacks feature a bot guessing various username/email and password combinations until something works. Because this task is so tedious, hackers rely on bots to carry this out -- by thwarting the bot, you add an additional layer of protection to your website.
One easy way to add CAPTCHA functionality to your login or registration form is to use a supplemental plugin. Supplemental plugins are those that add CAPTCHA functionality to either your WordPress login functionality or your forms plugin; they are not standalone options.
Really Simple CAPTCHA
Developed by Japanese engineer and founder of Rock Lobster, Takayuki Miyoshi, the lone developer behind Contact Form 7, Really Simple CAPTCHA is exactly what it sounds like.
It adds CAPTCHA functionality to the forms you create with other plugins, and it does nothing else -- it doesn’t include security features like two-factor authentication and it doesn’t include appearance customization. For those types of features, the developer asks that you select another plugin to complement Really Simple CAPTCHA.
Login No Captcha reCAPTCHA
Another super simple option for implementing CAPTCHA functionality is Robert Peake’s open-source project, Login No Captcha reCAPTCHA.
With this plugin, which is currently in use by over 60,000 WordPress sites, you add a checkbox that humans can select. Once selected, they can proceed with the login process.
Note, however, that many of the other login-related plugins we mention on this page come with CAPTCHA-type functionality. If you opt for one of those, check that you don’t already have CAPTCHA functionality before installing one of these plugins.
WordPress Admin Page: Securing Your Login 🔒
Just as you wouldn’t leave the front door to your house unlocked, you shouldn’t leave your WordPress login page unsecured.
Yes, the WordPress login page is itself a security feature designed to keep out hackers and those without the proper authorization to work with your WordPress site. But, if you use the default login page as-is, it’s like putting a flimsy lock onto your front door instead of replacing it with something more robust.
While asking for login credentials is a start in terms of security, there are many more things you can do to help protect against unauthorized access, including changing the location of your login page, adding security features to the login process in general, enabling two-factor authentication, and more.
Changing the URL of Your WordPress Admin Page
If possible, you should change the URL used to access your WordPress website login page.
At the beginning of this article, we showed you how to find the URL for your WordPress login page. These steps work for your website and almost every other WordPress website in existence. Hackers know this. Therefore, one of the first security-related steps you can take to protect your site (especially if you don’t have a website that requires your users to log in) is to change this URL.
Yes, hackers still have to guess your username and password combination, but by changing the URL, you’ve added an additional step that malicious parties have to take to access your site. Because there are so many sites that aren’t secure, making yours even a bit tougher to access lessens the chances of a breach significantly.
Many security plugins will include functionality to change the URL of your WordPress website login page, as well as any other commonly-used WordPress variables. For a list of options recommended by WP Buffs, please see WordPress Security Plugins: 13 Best Options for Website Safety (2020).
Using a Full Login Protection Suite
If you want to add additional security features, consider using one of the many WordPress login plugins available. By opting for such a plugin, you’ll be adding a group of features with just a few installation steps.
Wordfence Login Security
One option that you might be interested in is the Wordfence Login Security plugin.
Wordfence is the flagship product of Delaware-based Defiant, a small software engineering team putting out WordPress security plugins. Strictly speaking, its features and functionality are a subset of the more robust Wordfence security plugin.
Though the full Wordfence suite is a powerful and useful product, if all you’re interested in is protecting your login (or you have another security suite that you are happy with), the smaller Wordfence Login Security suite might be the right fit for you.
Wordfence Login Security adds the following to your WordPress login process:
- Two-factor authentication, which makes it difficult for people to log in (even if they somehow manage to get a hold of valid user credentials) since there’s a second factor (e.g., mobile phone, fingerprint, etc.) that they likely do not have
- Login page CAPTCHA to keep out bots and protect against password guessing and credential stuffing
- Protection for XML-RPC against attacks
Limit Login Attempts
One of the simplest (yet effective) attacks is to try various username and password combinations until something works. Luckily, blocking such attacks (which are also referred to as brute force attacks) is simple -- simply limit the number of login attempts any one user is allowed. The user is identified by IP address, which is not an infallible process, but it will definitely slow down the brute force nature of such attacks.
One way to easily limit login attempts is with Loginizer, which is a plugin developed by Mumbai, India-based software engineer Raj Kothari.
Loginizer is a WordPress plugin that blocks requests from an IP address once it has reached the request limit set by you.
Alternatively, if you know that your WordPress site will only be accessed by a select few with static IP addresses, you can choose to whitelist IP addresses and allow access from users using those IPs.
Loginizer is open source software, which means that it’s free to use. Don’t let that fool you into thinking that it’s a light piece of software -- Loginizer also comes with Passwordless login functionality, two-factor authentication, reCAPTCHA, blacklisting, and support for moving your WordPress login page to a hidden location.
Limit Login Attempts Reloaded
To add protection against those who make a massive number of attempts to log in to your website, you can use something like WPChef’s Limit Login Attempts Reloaded.
WPChef is a small company that offers a variety of plugins designed to speed up development of WordPress sites, deploy changes en masse, and secure your site. They’re supported by 2by2host, a company started in 206 to work with open source products.
With Limit Login Attempts Reloaded, you can do things like set the number of allowable attempts, log any activity that happens, and set up email notifications.
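The per-IP lockout described in this section, written as a small must-use plugin. This is an added example, not code from this article or from any of the plugins named here. The hooks (wp_login_failed, authenticate, wp_login) and the transient functions are WordPress core APIs, while every exll_ name, the thresholds and the transient key prefix are assumptions chosen for illustration.

```php
<?php
/**
 * Plugin Name: Example Login Attempt Limiter (added example, hypothetical)
 *
 * Intended location: wp-content/mu-plugins/. All exll_ names and the
 * thresholds below are illustrative assumptions.
 */

const EXLL_MAX_FAILURES = 5;    // failed attempts allowed before a lockout
const EXLL_WINDOW       = 900;  // seconds a failure count is remembered
const EXLL_LOCKOUT      = 1800; // seconds an address stays locked out

/**
 * Client address as seen by the web server. Behind a reverse proxy or CDN
 * this is the proxy's address, so all visitors would share one counter.
 */
function exll_client_ip() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    return filter_var( $ip, FILTER_VALIDATE_IP ) ? $ip : 'unknown';
}

/** Transient name for this address; hashed to keep the key short and safe. */
function exll_key( $kind ) {
    return 'exll_' . $kind . '_' . md5( exll_client_ip() );
}

function exll_is_locked() {
    return false !== get_transient( exll_key( 'lock' ) );
}

/** Count one failed login and start a lockout when the limit is reached. */
function exll_record_failure( $username ) {
    if ( exll_is_locked() ) {
        return; // rejections during a lockout do not extend it
    }
    $failures = (int) get_transient( exll_key( 'fail' ) ) + 1;
    if ( $failures >= EXLL_MAX_FAILURES ) {
        set_transient( exll_key( 'lock' ), time(), EXLL_LOCKOUT );
        delete_transient( exll_key( 'fail' ) );
        error_log( sprintf(
            'exll: locked out %s after %d failed logins',
            exll_client_ip(),
            $failures
        ) );
        return;
    }
    // Each failure restarts the window, so slow guessing still accumulates.
    set_transient( exll_key( 'fail' ), $failures, EXLL_WINDOW );
}
add_action( 'wp_login_failed', 'exll_record_failure' );

/**
 * Runs at priority 100, after core's password check (priority 20), so a
 * locked-out address is refused even when the password is correct.
 */
function exll_enforce_lockout( $user, $username, $password ) {
    if ( exll_is_locked() ) {
        return new WP_Error(
            'exll_locked',
            'Too many failed login attempts. Please try again later.'
        );
    }
    return $user;
}
add_filter( 'authenticate', 'exll_enforce_lockout', 100, 3 );

/** A successful login clears the failure count for this address. */
function exll_clear_failures() {
    delete_transient( exll_key( 'fail' ) );
}
add_action( 'wp_login', 'exll_clear_failures' );
```

Because XML-RPC logins also pass through the authenticate filter, the same counter applies there. The counter update is not atomic, so parallel requests can slip a few extra guesses past the limit.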
Other Ways to Stay Safe When Logging In to WordPress 🔑
In addition to the tips, tricks, and plugins we’ve covered above, there are additional things you can do to stay safe when logging in to WordPress.
Secure Socket Layer (SSL) is extra security that encrypts information transfers between your computer/browser and servers on the internet. Because the data going back and forth is encrypted, those who intercept the data cannot read it.
While SSL is a requirement for eCommerce sites, we think that no WordPress site should go without SSL protection. In addition to protecting your data from unauthorized users, pages that are secured rank better in search engine results. Because SSL certificates are readily available, we recommend obtaining and installing one as soon as possible. (If you are unfamiliar with WordPress and SSL protection, we’ve got you covered.)
Use a VPN
Virtual private networks (VPNs) keep you safe by hiding your internet-related activity (including your login activities) from others. Typically, VPNs are paid services, and they require the installation of a program on your computer. However, once you’re all set up, the VPN will:
- Encrypt your data
- Send your data to the VPN’s servers
- Forward the data from your VPN’s server to the final destination
This seems like it would require a lot of time, but the price is increased security.
First, the server that receives the requests you send sees that the traffic originates from the VPN server, not from you. This helps you stay anonymous and makes it difficult (if not nearly impossible) to identify you as the source of your data, its origins, and more. Second, your data is encrypted so intercepted data cannot be read.
There are tons of VPN options available, so if you’re interested in getting started with one, check out our article, 7 Best Free VPNs to Secure 100% of Your Online Activity (2020).
Enable Two-Factor Authentication
Two-factor authentication is one of the best ways of keeping malicious parties out of your WordPress site.
As its name implies, authentication requires two factors. Typically, the first factor is a username and password combination. The second factor, however, may vary. It could be providing a code that is sent to the user’s mobile phone or email. It could be providing a fingerprint scan.
With the addition of the second factor, it becomes extremely difficult for someone to log in to someone else’s account, even if they somehow manage to obtain the user's login credentials.
Many security plugins offer you the ability to add two-factor authentication with ease, but there are stand-alone options, such as the Two Factor Authentication plugin by David Nutbourne and David Anderson, as well.
Use Strong Passwords
Yes, we know that remembering passwords is difficult, but using a strong password can help keep your account safe. Furthermore, we recommend using a password that you haven’t used elsewhere; this removes the likelihood of another company’s data breach compromising your WordPress site.
Don’t Use Passwords
Are you surprised by this recommendation, given what we mentioned in the section immediately above?
Passwords, especially secure ones, can be difficult to remember. As such, people either make them simple (and easy to guess), or they reuse passwords across sites. This means that if any one site gets hacked, the malicious party now has valid credentials for multiple sites.
To prevent this, consider using an alternative login method that doesn’t require the use of a password.
One way to do this is to use StoreApps’ Temporary Login Without Password. StoreApps is a small company founded by Nirav Mehta in 2010 to offer WooCommerce extensions. Since then, the company has launched additional options.
Temporary Login Without Password is a plugin that generates self-expiring links for WordPress sites. Anytime you need to provide someone with access to your WordPress site, you can create a temporary login for that person.
The user simply opens up the link provided to them via email -- this link is valid only for a limited period of time, minimizing the likelihood that the URL gets out and is used by someone who shouldn’t.
Can't Log in to WordPress Admin? Troubleshooting Issues 🤬
What happens if you have issues logging in to your WordPress admin/Dashboard area? Well, the specific steps you need to take depend on the issue you are having.
Your Username/Email and/or Password are Rejected
If the login credentials you provide aren’t accepted, you can reset them.
You See a Blank Screen Instead of the Login Page
If you navigate to the /wp-admin page and you get a blank page instead of the prompt to enter your username and password, you can check your server error log to see what happened. Where the server error log is can vary, so ask your web hosting provider if you need help finding it.
You should also enable WP_DEBUG and WP_DEBUG_LOG. Then, try launching the /wp-admin page again. Check wp-content/debug.log to see if there’s a newly-logged, relevant error there.
You are Seeing an Error Not Mentioned Above
There are a few errors you can see when logging in, but the following steps are helpful in identifying most issues.
Isolate the Problematic Plugin
If you think a plugin or theme is causing your login issues, you can narrow down the list of troubleshooting steps you need to take to fix it. You will need to:
- Disable all plugins
- Enable one of the default WordPress themes
- Try to access the login screen
If you are able to see the login prompt, you know that one of your plugins or your theme was causing the issue. Re-enable your plugins and theme, one at a time, to identify the one that was causing the login error.
You can disable plugins even without being able to access the login screen and access the administrative areas.
Check Your Cookies
Cookies are small data files stored in your browser. You have the choice of allowing cookies or not, but because WordPress relies heavily on cookies to work properly, disabling cookies may lead to issues with login.
If you do not have cookies enabled in your browser, enable them. The specific steps required to do so vary based on browser, so check with your browser’s documentation for further assistance.
Afterward, clear your browser cache to start fresh. Again, the steps to do this vary based on browser, so refer to your browser’s documentation for further details.
Check for a Corrupted Login File
The wp-login.php file is responsible for all login-related functionality, and if there are issues with this file (or the file is missing), then you will not be able to log in.
First, check to see that you have a wp-login.php file. If not, you will need to add it. You can get a new copy of the file by downloading the latest version of WordPress and extracting the file from the download.
If you do have a copy of the file, you can try replacing it with a fresh, uncorrupted copy. First, back up your existing WordPress site.
Next, delete the copy of wp-login.php your site is using, and add the fresh copy to the source folder for your site. Within the file, find the case retrieve password section (look for this comment, and the section will be immediately after it: // redefining user_login ensures we return the right case in the email). Replace
$user_login = $user_data["user_login"]; with $user_login = $user_data->user_login;
URLs are used to identify and control the location of your WordPress resources. The WordPress Address (URL) is where your WordPress core files live. The Site Address (URL) is the address visitors use to access your WordPress site from the internet. If either of these is wrong, because you moved your WordPress core to a subdirectory, started using a subdomain, migrated your website to a new host, or made a mistake typing your URLs, you’ll find some (or all) of your website inaccessible.
To confirm that this is the issue you’re seeing, back up your WordPress site and add the following to your wp-config.php file.
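An added example of such a fragment, not the article's original snippet: it sets the two addresses with WordPress's WP_HOME and WP_SITEURL constants and also turns on the debug logging mentioned in the blank-screen section. The exampleCo.com URLs and the wp-demo subdirectory are placeholders taken from the examples earlier in this article.

```php
// Added example for wp-config.php. Place it above the
// "That's all, stop editing!" line. URLs are placeholders.

// Site Address (URL): the address visitors use to reach the site.
define( 'WP_HOME', 'https://exampleCo.com' );

// WordPress Address (URL): where the core files live
// (here, assumed to be the wp-demo subdirectory).
define( 'WP_SITEURL', 'https://exampleCo.com/wp-demo' );

// Troubleshooting a blank login page: record PHP errors in a log file
// and never print them into pages that visitors can see.
define( 'WP_DEBUG', true );
define( 'WP_DEBUG_LOG', true );      // writes to wp-content/debug.log
define( 'WP_DEBUG_DISPLAY', false ); // keep file paths and queries off the page
@ini_set( 'display_errors', '0' );
```

On a default setup wp-content/debug.log can be fetched over the web, so set WP_DEBUG back to false and delete the log once the error is found.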
Make sure that you replace the URLs provided in the snippet above with the correct values for your site. Save the file and see if you still have problems accessing the login screen. If not, you’ll know that you have a URL issue.
Note that the snippet provided above is a temporary fix; you should identify the source of the URL discrepancy and fix it.
Wrapping Up 🎀
Understanding your WordPress login is more than just providing a username or email and password and accessing your admin dashboard. It is a doorway to control over your site, and just as you wouldn’t latch your front door with a privacy lock, you wouldn’t want to leave your WordPress site unguarded (especially since there are so many threats on the internet).
Furthermore, if you have users logging in, you will want to provide them with a better experience than that which comes with the default WordPress installation.
In this article, we covered the ins-and-outs of WordPress admin logins, how to secure your logins, and how you can customize your registration and login process so that it matches your WordPress site design and branding. And if you need any help with this process, be sure to reach out to us here at WP Buffs and get hands-on help with customizing your WordPress login with white-labeling services.
Brenda Barron is the blog editor for the WP Buffs WordPress blog and a freelance writer from southern California. When not working, she’s spending time with her family, homeschooling her kids, knitting, and getting outdoors. Find out more about her at Digital Inkwell.