How to Change the Register Path in WordPress with WP Ghost
This tutorial has moved to the new WP Ghost Knowledge Base where each feature is presented in detail.
Change the WordPress registration path with WP Ghost (formerly Hide My WP Ghost) to block spam bot registrations, prevent username enumeration, and stop fake accounts from being created on your site. The default /wp-login.php?action=register URL is identical on every WordPress installation. Bots target it at scale. Change it once, and they can no longer find it.
WordPress’s default registration system includes no built-in spam protection. Bots just append /wp-login.php?action=register to every WordPress domain they find and start creating fake accounts at scale. According to WPForms, sites that replace the default registration form can reduce spam signups by up to 95%. Once a bot registers even a subscriber-level account, it has authenticated access to your site, which can be escalated if any plugin has a privilege escalation vulnerability.
Why You Need to Secure the Registration Path
| Default registration (exposed) | With WP Ghost (secured) |
|---|---|
| /wp-login.php?action=register on every site | Custom URL only you know |
| Bots create hundreds of fake accounts | Registration form unreachable, spam stops |
| Form confirms which usernames exist | Username enumeration blocked |
| Mass registration drains server resources | Requests blocked before reaching WordPress |
How to Change the Register Path with WP Ghost
Activate Safe Mode or Ghost Mode
Go to WP Ghost > Change Paths > Level of Security. Select Safe Mode or Ghost Mode and click Save.
Change the Register Path
Go to WP Ghost > Change Paths > Login Security. Find the Custom Register Path field. A predefined name is already filled in. Enter a different name or keep the predefined one. Click Save.
Avoid obvious names like “register”, “signup”, “join”, or “create-account”. Bots try common registration-related variations. Use something unique and unrelated to registration.
No files are changed
WP Ghost does not physically move or rename any files. It uses rewrite rules to create the new path. Your WordPress installation stays untouched. Deactivating the plugin restores the default path instantly.
For complete registration protection, also enable Sign Up Form Protection with reCAPTCHA in WP Ghost > Brute Force > Settings. This catches bots that discover your custom registration URL through other means. See the Brute Force Protection tutorial for setup instructions.
Verify with a Security Check
Go to WP Ghost > Security Check. Click Start Scan. The scan confirms the registration path is changed and the default URL is no longer accessible.
What Happens After You Change the Path
The new registration URL is active immediately. The “Register” link on your login page and any WordPress-generated registration links update automatically to point to the new custom path. The old /wp-login.php?action=register URL stops working for non-logged-in users.
Spam bot traffic drops significantly. Without the predictable default URL, bots have no target. Combined with brute force protection with reCAPTCHA on the signup form, you get layered defense that stops spam registration from both directions.
Troubleshooting
If registration stops working after changing the path, try these steps:
Clear all caches. Clear your browser cache, WordPress caching plugin, and CDN. Cached pages may still reference the old URL.
Check for typos. Verify the custom path has no extra spaces or special characters. Make sure it does not conflict with an existing page slug.
Revert to the predefined name. If your custom name causes issues, clear the field and let WP Ghost use its predefined name. Save and test.
Refresh permalinks. Go to Settings > Permalinks and click Save Changes to flush rewrite rules.
Check plugin conflicts. Some membership or registration plugins create their own registration forms and may conflict with custom paths. Deactivate them one by one to identify the conflict.
Use the Safe URL. If you are locked out, use the Safe URL parameter or the Emergency Disable guide.
Frequently Asked Questions
Can users still register after this change?
Yes. The registration process works exactly the same way. Users visit the new custom URL, provide their details, and create an account. The only difference is the URL they use to reach the form.
What if I do not allow user registration?
If registration is disabled in Settings > General > Membership, the register path is already inactive. Changing it with WP Ghost adds an extra safety layer in case registration is accidentally re-enabled, but it is not required.
Does this work with WooCommerce customer registration?
WooCommerce uses its own registration forms on the My Account and checkout pages, which are separate from wp-login.php?action=register. Changing the WordPress register path does not affect WooCommerce customer signups. Both work independently.
Does this work with membership plugins?
Most membership plugins that hook into the default WordPress registration process continue working with the new custom path. Plugins that create their own independent registration forms (like MemberPress or Ultimate Member) are typically unaffected since they use their own URLs.
Does WP Ghost modify WordPress core files?
No. All path changes are handled through URL rewrite rules and WordPress filters. Deactivating WP Ghost restores the default path instantly.
Related Tutorials
Change and Hide the Login Path – hide wp-login.php, the parent path for registration.
Change the Lost Password Path – hide the password reset form from bots.
Brute Force Attack Protection – add reCAPTCHA to registration and login forms.
Customize All WordPress Paths – change every path in one guide.
Website Security Check – verify your configuration after making changes.
