With more than 800 million installations, WordPress is by far the most popular content management system out there. It is easy to use, and its repository gives you access to thousands of free and premium themes and plugins. If you own a website, it is very likely that it is built with WordPress.
If this is the case and the visitors on your website can sign up for an account, you may want to customize the site's login page. This way, they will not see the default simple login page that WordPress comes with. Even if there is no option for visitors to sign up, you can customize the login page as you use it to log in as an administrator. In this article, we will show you how you can use a different address (URL) and a different look on the WordPress login page. We will also mention a few useful enhancements that will increase the security of your login page.
- Why should you customize the page?
- Good practices
- Customizing the login address (URL)
  - Using a plugin
  - Customizing it manually
- Customizing the look
  - Using a plugin
  - Customizing it manually
- Additional customizations
  - Add CAPTCHA
  - Limit the login attempts
  - Password-protect the login page
  - Enforce strong passwords
  - Add 2-factor authentication
- Wrap-up
Why should you customize the page?
Before we show you how, we will tell you why you should customize the login page. Any of the reasons below should convince you that this is the right thing to do.
- Security. This is one of the most important reasons to update the login URL for your WordPress dashboard. There are many automatic bots out there trying to brute force WordPress websites that use weak passwords. They usually attempt to log in using the default dashboard URL – example.com/wp-admin. Unless you have added some kind of protection to the site, you have to rely on your hosting provider to block the intruders after a certain number of unsuccessful login attempts. Without any sort of protection, your website can get hacked sooner or later. Using a custom URL will minimize that chance significantly.
- Good reputation. In the unfortunate event of a client or an admin account getting hacked, your reputation will be hurt. Client data may leak, or the website may get defaced. News spreads quickly on social media these days, so such an event is not only a matter of security, but also of keeping your good reputation as a trusted partner.
- Consistency. It is recommended that all pages on a given website have the same or similar design. This cannot happen unless you customize the login page. People with less browsing experience may find it strange that they have to log in on a page that looks completely different from the rest of your website. Having the same layout as the rest of the site will improve the overall user experience.
- Branding. Adding your name and/or logo on the login page will assure people that they are logging in on the right page. If you have a membership website or an online store, for example, people will visit the page often, so you want to brand it properly. This is one more way to increase your brand exposure and awareness as well.
- Additional information. Customizing the login page will allow you to add any additional information you see fit. This could be a phone number for people who cannot log in, or a maintenance schedule, for example. You can also add a custom message such as a reminder, holiday working hours, etc. While you will probably add such information elsewhere as well, existing customers will not miss it on the login page as there won’t be any distractions there.
Good practices
There are some good practices you can follow when you customize the login page of your WordPress website. We have listed some of the more important ones below. Of course, you can choose to do something different and not stick to conventions. After all, each website is unique in terms of ideas and user base.
- Keep it simple. Do not add too much content on the login page. Its purpose is to allow users to access their account. It is not the place for product information, ads, additional forms, etc. You can have some useful additional information, but it should not be too much. Do not use large images or flashy animations.
- Make text readable. Sometimes it is tempting to use new fonts while trying to create a unique page. It is important to keep the text readable in terms of font, size, and spacing. This is valid for labels and error messages, as all the information users see should be clearly visible on any device and screen resolution.
- Use relevant colors and images. The login page is a part of your website, so its design should be similar as well. Use the same colors you use on the other pages. Add your logo and consider the best size and position. Make sure it is not blurry and it does not overlap with other elements on the page when the screen resolution is changed. The latter is valid for any other images you add on the page as well.
Customizing the login address (URL)
We mentioned that the main idea behind changing the login URL is to increase the security of your website, but there are other reasons as well. You may just want to have something different from the default /wp-admin URL. Whatever the reason is, there are two ways to do that – manually or by using a plugin.
Using a plugin
We will start with the easier option. You will find several plugins such as WPS Hide Login or WP Hide & Security Enhancer. Changing the login URL with them is straightforward – you just have to add the exact web address that you would like to use, and the plugin will do the rest. You won’t have to change anything manually. One of the advantages of using such a plugin is that you can also customize the URL of the “404 Not found” page. Instead of a generic URL, you can use a custom one, which can be more user-friendly.
Some plugins offer more advanced options than others, but they may require a payment, so you have to check which one will work for you.
Customizing it manually
This option isn’t as convenient as the first one, but we mention it because there are people who prefer to use as few plugins as possible. Keep in mind that editing core files manually may damage your website, or the changes may be overwritten during a future update. It is also possible that the method mentioned below may not work with all versions of WordPress.
To edit the default login URL, you have to open wp-login.php in a text editor (in your account or a desktop one such as Notepad++), and replace all mentions of wp-login.php with the name you want to use – access.php, for example. After that, save the changes and rename the file to access.php. We recommend that you download a copy of the file as a backup before you make any changes.
After that, you have to edit the functions.php file of your theme, and add the following code to make sure that the lost password and the logout options will lead to the new custom page as well:
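// Point the "Log out" link at the renamed file. The original URL carries
// action=logout and a nonce; both must be kept or the user is not logged out.
add_filter( 'logout_url', 'my_logout_page', 10, 2 );
function my_logout_page( $logout_url, $redirect ) {
    return str_replace( 'wp-login.php', 'access.php', $logout_url );
}

// Point the "Lost your password?" link at the renamed file.
add_filter( 'lostpassword_url', 'my_lost_password_page', 10, 2 );
function my_lost_password_page( $lostpassword_url, $redirect ) {
    return home_url( '/access.php?action=lostpassword' );
}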
You should consider using a child theme as a future theme update will likely remove your customizations. Find out how to create a child theme here: How to use a child theme in WordPress. If you change the theme of your site, you will have to do everything all over again.
Customizing the look
Here, you have two options as well. Once again, the easier one is to use a plugin, but if you prefer, you can customize the design of the page manually.
Using a plugin
There are lots of plugins in the WordPress repository that will allow you to change the way the login page looks. A few examples are LoginPress, Custom Login Page Customizer and Custom Login. While some specific options may be unique for each plugin, they all offer more or less the same basic set of functions. You can replace the logo, rename the login form boxes, customize the lost password form, edit the buttons on the page, change the error messages, and more.
Customizing it manually
If you prefer to edit the page without plugins, you can do it manually. To update the logo, you should find the functions.php file of the active theme. You can go through the WordPress dashboard -> Appearance -> Editor, or you can go to the site root directory /wp-content/themes/active-theme/. There, add the following snippet below the code you will see in the file:
function custom_login_logo() {
    echo '<style type="text/css">
        h1 a {
            background-image: url(https://example.com/path-to-logo.png) !important;
        }
    </style>';
}
add_action( 'login_head', 'custom_login_logo' );
You should have uploaded the new logo before that. If you want to add a background image, add the following code to functions.php:
function login_background_image() {
    echo '<style type="text/css">
        body.login {
            background-image: url( "https://example.com/background.png" ) !important;
        }
    </style>';
}
add_action( 'login_head', 'login_background_image' );
If you want to change the design further, you will have to add custom CSS code, so it may be easier to use a plugin.
A theme update may overwrite your changes, so you should consider using a child theme before you edit the code. Do not forget to back up any files you edit before you add or delete code.
Additional customizations
So far, we have mentioned how to edit the URL of the WordPress login page, or how to customize its design. In this section, we will mention several additional customizations you should consider. They will help you to enhance the security of your website. No matter if you have updated the login URL, or you prefer not to change it, you should think about securing the page.
Add CAPTCHA
You can add CAPTCHA as an additional security layer. You will find many plugins for that purpose in the WordPress repository – Really Simple CAPTCHA, Advanced Google reCAPTCHA, or hCaptcha for WordPress. If you are not familiar with the term, CAPTCHA is the challenge you have to complete on some websites to be able to access particular content. You can find out more about this option in our article: What Is CAPTCHA and How To Add One on Your Website?
Limit the login attempts
By adding a plugin, you can also limit the number of times a certain user can try to log in. Plugins such as Limit Login Attempts Reloaded or Loginizer are suitable for that purpose. Once the limit is reached, users won’t be allowed to make another attempt for a certain period of time. This option is very useful in preventing brute force attacks.
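To show how such a limit works, here is an added example for the theme's functions.php; it is not the code of any plugin named above. It assumes a limit of 5 failed logins per IP address, a 15-minute lockout, and hypothetical function names prefixed with lla_.

```php
<?php
// Added example: per-IP login attempt limit using WordPress transients.
// The limits and every "lla_" name below are assumptions for illustration.
define( 'LLA_MAX_FAILURES', 5 );
define( 'LLA_LOCKOUT', 15 * MINUTE_IN_SECONDS );

// One counter per client address. REMOTE_ADDR is used on purpose: headers
// such as X-Forwarded-For are client-controlled unless a trusted proxy sets them.
function lla_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'lla_' . md5( $ip );
}

// Count each failed login. Every failure restarts the timer, so the counter
// only expires after 15 minutes without a failed attempt from that address.
function lla_record_failure( $username ) {
    $key      = lla_key();
    $failures = (int) get_transient( $key );
    set_transient( $key, $failures + 1, LLA_LOCKOUT );
}
add_action( 'wp_login_failed', 'lla_record_failure' );

// Reject the login while the address is over the limit. Priority 30 runs
// after the core username/password check (priority 20), so the error
// returned here replaces even a correct password.
function lla_block_when_locked( $user, $username, $password ) {
    if ( empty( $username ) ) {
        return $user; // Plain page view of the login form, nothing to block.
    }
    if ( (int) get_transient( lla_key() ) >= LLA_MAX_FAILURES ) {
        return new WP_Error(
            'lla_locked',
            'Too many failed login attempts. Please try again later.'
        );
    }
    return $user;
}
add_filter( 'authenticate', 'lla_block_when_locked', 30, 3 );

// A successful login clears the counter for that address.
function lla_reset( $user_login ) {
    delete_transient( lla_key() );
}
add_action( 'wp_login', 'lla_reset' );
```

Attempts made during a lockout are rejected and also counted as failures, so a bot that keeps trying keeps extending its own lockout.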
Password-protect the login page
You can also password-protect the wp-login.php file so that bots and unauthorized individuals are not able to reach it at all. For that purpose, you will need a file named .htpasswd. It will include the username and the password you want to use, separated by a colon:
testuser:$apr1$7cv9jbr3$tZYZ7eJYv2xtSMESE.FbT0
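As the password is stored as a hash and not in plain text, you should use a tool provided by your web hosting provider, or an online generator such as https://wtools.io/generate-htpasswd-online. The htpasswd command-line utility that comes with Apache generates the same format locally.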
Then, you have to edit the .htaccess file in the site root folder (you should have one if you use WordPress, as your site won’t function properly without such a file). The .htaccess file is used to “tell” the Apache web server how to handle certain requests. In this case, the login credentials from the .htpasswd file should be required to access wp-login.php, and the code you should add in the .htaccess file should be:
<Files "wp-login.php">
    AuthType Basic
    AuthUserFile "/home/username/www/www/.htpasswd"
    AuthName Limited!
    require valid-user
</Files>
Make sure that the path is the correct one for your hosting provider/account.
If you use our web hosting services, you can easily add password protection from our feature-rich WordPress Manager, along with many other useful options such as speed optimization, content directories protection, server-side caching, and more.
Enforce strong passwords
WordPress comes with a password strength meter, but it allows users to set even very weak passwords by simply checking a box to acknowledge they are aware of the password being weak. If you want to prevent that and make sure that users use very strong passwords, you can use plugins like Solid Security or Password Policy Manager. They will allow you to choose the length and the complexity of the passwords that users are able to set. Some plugins check hashed passwords against public lists of leaked data to make sure that users do not use compromised passwords.
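The following added example for functions.php shows how a length and complexity rule can be enforced so that the "weak password" checkbox no longer lets a weak password through; it is not the code of the plugins named above. It assumes a minimum of 12 characters, at least three character classes, and hypothetical function names prefixed with spp_.

```php
<?php
// Added example: reject weak passwords on the server side.
// The thresholds and every "spp_" name below are assumptions for illustration.

// Returns an error message for a weak password, or '' if it is acceptable.
function spp_password_problem( $password ) {
    if ( strlen( $password ) < 12 ) {
        return 'The password must be at least 12 characters long.';
    }
    $classes = preg_match( '/[a-z]/', $password )
             + preg_match( '/[A-Z]/', $password )
             + preg_match( '/[0-9]/', $password )
             + preg_match( '/[^a-zA-Z0-9]/', $password );
    if ( $classes < 3 ) {
        return 'Use at least three of: lowercase, uppercase, digits, symbols.';
    }
    return '';
}

// Adds the error, if any, for the password submitted in the pass1 field.
function spp_check_submitted_password( $errors ) {
    if ( empty( $_POST['pass1'] ) ) {
        return; // No password change was submitted.
    }
    $problem = spp_password_problem( wp_unslash( $_POST['pass1'] ) );
    if ( '' !== $problem ) {
        $errors->add( 'spp_weak_password', $problem );
    }
}

// Profile and "Add New User" screens in the dashboard.
function spp_check_profile( $errors, $update, $user ) {
    spp_check_submitted_password( $errors );
}
add_action( 'user_profile_update_errors', 'spp_check_profile', 10, 3 );

// "Lost your password?" reset form on the login page.
function spp_check_reset( $errors, $user ) {
    spp_check_submitted_password( $errors );
}
add_action( 'validate_password_reset', 'spp_check_reset', 10, 2 );
```

Registration or account forms added by other plugins use their own hooks and are not covered by these two.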
Add 2-factor authentication
This is one of the best options to make sure that there won’t be unauthorized access to your admin account or to any of the clients’ accounts. Adding a 2FA plugin will allow you to add a second level of security – email approval, SMS code, authenticator token, etc. A few examples of such plugins are Two Factor Authentication, WP 2FA and Two-Factor. You should add 2-factor authentication to your administrator account for sure. Consider the pros and cons for your customers, though. They should not experience difficulties accessing their accounts, so you should find the balance between security and good user experience.
Wrap-up
With millions of WordPress websites out there, it is important for your website to stand out. One of the ways to do that is to customize the login page. You will increase the site security significantly if you change the page URL and add security measures such as CAPTCHA, 2-factor authentication or a limit for the number of login attempts. You can also improve the user experience if you customize the look of the page. Using the same design as the rest of the website, adding your brand name and logo, and displaying additional contact information or social media icons are improvements that your customers will definitely appreciate.