For some sites you may never want to provide the standard WordPress login form. An example of this might be a site that requires a custom OAuth login flow.
In any case, if you’ve found this blog post then you have your own reasons for disabling the login form. Below is a simple approach to get you started. This code will hook into WordPress right before the login form is shown, and cleanly stops the execution of the rest of the page.
Also included in this approach is a mechanism for providing a secret url that you can use to see the normal login form, in case of an emergency.
<?php
// Pick a hook from the wp-login.php file that best fits our needs. I chose the filter: wp_login_errors
add_filter( 'wp_login_errors', 'my_login_form_lock_down', 90, 2 );
/**
 * Completely lock down the WordPress login form by hijacking the page
 * and only executing the login header, footer, and necessary
 * closing tags.
 *
 * Provide a secret way to show the login form as a URL variable in
 * case of emergencies.
 */
function my_login_form_lock_down( $errors, $redirect_to ) {
    // Access the login form like so: http://example.com/wp-login.php?secretform=yesplease
    $secret_key      = "secretform";
    $secret_password = "yesplease";
    if ( ! isset( $_GET[ $secret_key ] ) || $_GET[ $secret_key ] !== $secret_password ) {
        // Render only the login page header and footer, then stop before the form is output.
        login_header( __( 'Log In' ), '', $errors );
        echo "</div>";
        do_action( 'login_footer' );
        echo "</body></html>";
        exit;
    }
    return $errors;
}
Discussion
Hi Jonathan,
Can you add some info about where/how to place it? I tried putting it at the top of wp-login as an include (to keep code clean) but it’s not executing and instead showing as plain text once the page renders. I tried both include and copied the require(dirname … and both fail.
Hi Ray,
You’ll want to include this code in a custom plugin, or your theme’s functions.php file. You definitely shouldn’t put it directly into wp-login.php because it will get lost next time you update WordPress.
Important: When putting this code on your site, make sure to remove the top <?php line of code.
Thanks for this. I’ve been searching for this for a while.
Strangely, I’m still getting alerts from Wordfence about failed login attempts, from people trying to hack the site. I’m assuming somehow they’re finding the hidden login. How would I alter the code above to remove the login completely?
thanks!
That’s not very difficult, but if you do it how would you login yourself?
Regardless, here is the code:
If you’re still getting login errors, the attempts may be coming from another source. It’s possible to submit forms to other sites, also WordPress has XML-RPC authentication. I think a better approach to this code for solving your login errors could be to use iThemes Security, or another plugin, to protect the form and disable XML-RPC.
I’d expect a plugin that is dedicated to the task will have better results than this code snippet.
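The snippet above only hides the form; as the reply notes, credentials can still reach wp-login.php from a form submitted elsewhere, and XML-RPC accepts them on its own. As an added example (not code from the original post), this variant also refuses credential checks and disables XML-RPC; the constant MY_LOGIN_SECRET, the field name secretform and the callbacks are assumptions for illustration.

```php
<?php
// Added example (not the original post's code): a stricter lock-down.
// Hiding the form alone still lets wp-login.php process a direct POST, and
// XML-RPC accepts credentials on its own, so this also refuses credential
// checks and disables XML-RPC. Assumed: MY_LOGIN_SECRET is defined in
// wp-config.php, e.g. define( 'MY_LOGIN_SECRET', 'a-long-random-value' );

// True only when the request carries the exact secret (URL or hidden field).
function my_login_secret_present() {
    if ( ! defined( 'MY_LOGIN_SECRET' ) || ! isset( $_REQUEST['secretform'] ) ) {
        return false;
    }
    // Constant-time comparison; non-string values (arrays) are rejected.
    return is_string( $_REQUEST['secretform'] )
        && hash_equals( MY_LOGIN_SECRET, $_REQUEST['secretform'] );
}

// 1. Hide the form, as the original snippet does.
add_filter( 'wp_login_errors', function ( $errors, $redirect_to ) {
    if ( ! my_login_secret_present() ) {
        login_header( __( 'Log In' ), '', $errors );
        echo '</div>';
        do_action( 'login_footer' );
        echo '</body></html>';
        exit;
    }
    return $errors;
}, 90, 2 );

// 2. The form posts to wp-login.php without the query string, so carry the
//    secret along in a hidden field (the visitor already has it in the URL).
add_action( 'login_form', function () {
    if ( my_login_secret_present() ) {
        echo '<input type="hidden" name="secretform" value="'
            . esc_attr( MY_LOGIN_SECRET ) . '">';
    }
} );

// 3. Refuse username/password authentication unless the secret is present.
//    Priority 99 runs after WordPress's own checks, so a correct password
//    still becomes an error for everyone without the secret.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( ! my_login_secret_present() ) {
        return new WP_Error( 'login_locked', __( 'Login is disabled.' ) );
    }
    return $user;
}, 99, 3 );

// 4. Disable XML-RPC; its login path never touches the form.
add_filter( 'xmlrpc_enabled', '__return_false' );
```

Existing sessions are unaffected, since the authenticate filter only runs when credentials are presented, not when a logged-in cookie is validated.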
Thanks for the info. I almost never need to login – it’s a client site – and if I do, I can go in via ftp and take this code out. What I really need is to make sure the site doesn’t get hacked. It’s an old hosting environment and I can’t use the IP Geo Block plugin, which cuts out the vast majority of login hack attempts.
Anyway, thanks for the plugin recommend, too. I’ll check it out
This is brilliant and with no plugins required, thank you!
Hello
I have also used your code – thank you! I’d already installed a plugin to change my login url to a ‘secret’ one, but it has left the Log In instruction and link on the Leave a Comment box that I have on my posts; that link now takes visitors direct to the secret login URL! I only want my site’s members to be able to post comments, and they will bookmark the necessary URL to login. Any advice on how to remove the link that people see in the Leave a Comment box? I’ve tried adapting your code to redirect people to just the homepage, but still it redirects to the secret URL, even though there is no Login Form there now. I want the URL to remain secret!
The only great way I see to remove that link is to modify your comment template.
1. Find comments.php in your theme.
2. Find comment_form(); in that template, and pass the ‘must_log_in’ key in the arguments array with an empty string as the value. Resulting in something like this:
comment_form( array( 'must_log_in' => '' ) );
That should get rid of the login link.
See the comment_form() function in the codex for more information on what is happening there.
You can use your IP address to give you and only you access to the login form, ie. lock it down for everyone else…
if ( 'xxx.xx.xxx.xxx' != $_SERVER['REMOTE_ADDR'] ) {
    add_filter( 'wp_login_errors', 'my_login_form_lock_down', 90, 2 );
}