How to Change the WordPress Logout Path with WP Ghost
This tutorial has moved to the new WP Ghost Knowledge Base where each feature is presented in detail.
Change the WordPress logout path with WP Ghost (formerly Hide My WP Ghost) to remove the last predictable wp-login.php action from your site. If you have already changed the login, register, lost password, and activation paths, leaving logout at default is an inconsistency bots notice. It takes ten seconds to fix.
The default logout URL is wp-login.php?action=logout. Like every other wp-login.php action, it confirms WordPress to any bot that probes it. Changing it is especially useful for WooCommerce stores, membership sites, and learning platforms where customers interact with a custom “My Account” area. A custom logout path keeps the internal URL structure clean and prevents accidental exposure of WordPress paths in the user-facing interface.
Why Change the Logout Path
| Default logout path (exposed) | With WP Ghost (secured) |
|---|---|
| wp-login.php?action=logout confirms WordPress | Custom URL, no CMS fingerprint |
| Predictable URL enables CSRF logout attacks | Attackers cannot target unknown URL |
| Inconsistent if other paths are already hidden | Complete path-hiding strategy |
| Exposes WordPress paths in WooCommerce/membership UIs | Clean user-facing URL structure |
How to Change the Logout Path with WP Ghost
Activate Safe Mode or Ghost Mode
Go to WP Ghost > Change Paths > Level of Security. Select Safe Mode or Ghost Mode and click Save.
Change the Logout Path
Go to WP Ghost > Change Paths > Login Security. Find the Custom Logout Path field. A predefined name is already filled in. Enter a different name or keep the predefined one. Click Save.
No files are changed
WP Ghost does not move or rename any files. It uses rewrite rules to create virtual paths. Deactivating restores the default wp-login.php?action=logout path instantly.
All “Log Out” links across your site update automatically. WordPress generates logout URLs dynamically using the wp_logout_url() function. WP Ghost hooks into this function, so every logout link (admin bar, dashboard, WooCommerce account pages, custom menus) automatically points to the new path.
Verify with a Security Check
Go to WP Ghost > Security Check. Click Start Scan. The scan confirms the logout path is changed.
Troubleshooting
If logout stops working after changing the path:
Clear all caches. Clear your browser cache, WordPress caching plugin, and CDN. Cached pages may still contain old logout URLs.
Check for typos. Verify the custom path has no extra spaces or special characters.
Refresh permalinks. Go to Settings > Permalinks and click Save Changes to flush rewrite rules.
Check hardcoded links. Any theme or plugin using the standard wp_logout_url() function automatically uses the new path. If a theme hardcodes wp-login.php?action=logout directly, that link will not update. Check your theme settings or contact the developer.
Revert to default. Clear the Custom Logout Path field and save. This restores the default path.
Frequently Asked Questions
Will users notice any difference after this change?
No. The logout experience is identical. Users click “Log Out,” their session ends, and they are redirected normally. The only difference is the URL during the redirect, which most users never see.
How does this help prevent CSRF attacks?
In a CSRF attack, an attacker embeds a logout request in a malicious page. When a logged-in user visits that page, their session is terminated without consent. This works because the attacker knows the exact URL format. WordPress uses nonces for protection, but a custom logout path adds a second barrier. Attackers cannot target a URL they do not know.
Does this work with WooCommerce My Account logout?
Yes. WooCommerce generates logout links using the standard WordPress wp_logout_url() function, which WP Ghost hooks into. Customer-facing “Log Out” buttons on the My Account page automatically update to use the new custom URL.
Is changing the logout path mandatory?
Not mandatory, but recommended as part of a complete path-hiding strategy. If you have already changed the login, register, lost password, and activation paths, leaving logout at default is an inconsistency that bots can detect. It takes ten seconds to fix.
Does WP Ghost modify WordPress core files?
No. All path changes are handled through URL rewrite rules and WordPress filters. Deactivating WP Ghost restores the default path instantly.
Related Tutorials
Change and Hide the Login Path – secure the main wp-login.php page.
Change the Register Path – prevent spam signups.
Change the Lost Password Path – hide the password recovery page.
Change the Activation Path – secure user activation endpoints.
Customize All WordPress Paths – change every path in one guide.
