How to Change and Hide the wp-admin Path in WordPress with WP Ghost
This tutorial has moved to the new WP Ghost Knowledge Base where each feature is presented in detail.
Protect your WordPress dashboard by changing and hiding the wp-admin path with WP Ghost (formerly Hide My WP Ghost). The default /wp-admin URL is the single most attacked path on any WordPress site. Every bot knows it. Change it once, and that entire class of automated attacks fails before it starts.
WordPress powers over 43% of all websites on the internet. Every single one uses the same default admin URL: /wp-admin. Bots do not need to guess where your dashboard is. They already know. According to security researchers, WordPress faces an average of 90,000 attacks per minute, and the wp-admin path is the first URL every scanner probes.
WP Ghost lets you change the wp-admin path to any custom name, hide it completely from visitors and bots, and restrict it to administrators only. All changes use rewrite rules. No WordPress core files are modified.
Why You Need to Secure the wp-admin Path
| Default wp-admin (exposed) | With WP Ghost (secured) |
|---|---|
| Every bot knows the exact URL | Custom URL only you know |
| Brute force attacks target it directly | Bots get a 404 error, attack fails |
| All logged-in users can access it | Restricted to administrators only |
| Confirms WordPress to scanners | Admin path invisible in source code |
How to Change and Hide wp-admin with WP Ghost
Activate Safe Mode or Ghost Mode
Before you can change individual paths, activate one of WP Ghost’s security levels. Go to WP Ghost > Change Paths > Level of Security. Select Safe Mode or Ghost Mode and click Save.
Safe Mode applies essential path changes and is the recommended starting point. Ghost Mode adds advanced path security including wp-admin and admin-ajax.php path changes. If you are unsure, start with Safe Mode. You can upgrade to Ghost Mode later.
Not sure which mode fits your site? See the Safe Mode vs Ghost Mode comparison.
Change the wp-admin Path
Go to WP Ghost > Change Paths > Admin Security. Enter a custom name in the Custom wp-admin Path field. Click Save.
Avoid common words like “login”, “admin”, “backend”, or “dashboard” for your custom path. Bots try these variations by default. Use something unique, like a combination of random words.
No files are moved
WP Ghost does not physically move or rename any files on your server. It uses rewrite rules to create the new path. Your WordPress installation stays untouched.
Not all hosting environments handle custom admin paths the same way. If you are on a managed host like WP Engine or Kinsta, check the hosting compatibility guides.
Hide wp-admin from Visitors and Bots
Changing the path gives you a new URL, but the original /wp-admin may still be accessible. The Hide wp-admin option makes the old path return a 404 error for anyone who is not logged in.
Go to WP Ghost > Change Paths > Admin Security. Switch on Hide “wp-admin”. Click Save.
Once activated, any bot or visitor hitting /wp-admin gets a dead end. Only users who are already logged in through the custom login path can reach the dashboard.
Hide wp-admin from Non-Admin Users
By default, every logged-in WordPress user (editors, authors, subscribers) can access /wp-admin. On most sites, that is unnecessary. WP Ghost lets you restrict wp-admin access to administrators only.
Go to WP Ghost > Change Paths > Admin Security. Switch on Hide “wp-admin” from Non-Admin Users. Click Save.
This is especially useful for WooCommerce stores, membership sites, or any WordPress site with multiple user roles. Even if a subscriber or editor account gets compromised, the attacker still cannot reach the admin dashboard.
Verify with a Security Check
After making your changes, run a security scan to confirm everything is working. Go to WP Ghost > Security Check. Click Start Scan. The scan will confirm if the wp-admin path is hidden and highlight any remaining security issues.
Troubleshooting
Custom wp-admin Path Causes Plugin or Server Issues
Some plugins and hosting environments do not support custom wp-admin paths. If you experience issues after changing the path, try these steps in order:
Use the default wp-admin path with Hide enabled. Revert the custom path back to “wp-admin” but keep the Hide wp-admin option active. This gives you the security benefit (404 for non-logged-in users) without the compatibility risk of a custom path name.
Check plugin compatibility. Deactivate other plugins one by one to identify if a specific plugin is causing the conflict. Some plugins hardcode the /wp-admin path. Check the Compatibility Plugins List for known issues.
Contact your hosting provider. Managed hosts like WP Engine use Nginx path redirection instead of rewrite mapping. On these servers, keep the default wp-admin path and use the Hide option instead of a custom name.
Cannot Log In After Hiding wp-admin
If you customized the wp-admin path and enabled Hide wp-admin, you need to use your custom path to reach the dashboard. If you forgot the custom path, use the Safe URL parameter to bypass WP Ghost temporarily. If that does not work, see the Emergency Disable guide for FTP-based recovery.
Frequently Asked Questions
Does changing the wp-admin URL actually improve security?
Yes. Most WordPress attacks are automated. Bots are programmed to target /wp-admin and /wp-login.php by default. When these paths return a 404, the bot moves on to the next target. Your site never enters the attack pipeline.
Will changing the wp-admin path break my plugins?
Most plugins work correctly with custom paths. Some plugins hardcode /wp-admin and may not function properly. If you experience issues, keep the default wp-admin path and use the Hide option instead. Check the Compatibility Plugins List for known conflicts.
What if I forget my custom admin URL?
Use the Safe URL parameter to bypass WP Ghost temporarily and access the default login page. If that does not work, rename the plugin folder via FTP to disable WP Ghost. See the Emergency Disable guide.
Does this work with WooCommerce?
Yes. WP Ghost is fully compatible with WooCommerce. Customer-facing pages like shop, cart, checkout, and my account are not affected by admin path changes.
Does WP Ghost modify WordPress core files?
No. All path changes use rewrite rules and WordPress filters. No files are moved, renamed, or modified. Deactivating WP Ghost restores all defaults instantly.
Related Tutorials
Change and Hide the Login Path – hide wp-login.php, the other most-attacked WordPress path.
Customize All WordPress Paths – change every WordPress path in one guide.
Brute Force Attack Protection – add reCAPTCHA and login attempt limits.
Two-Factor Authentication – add 2FA for the strongest login security.
Rollback Settings – recover access if path changes cause issues.
Website Security Check – verify your configuration after making changes.
