No, you should not use the same custom login path in two security plugins. Each plugin that offers a custom login URL needs its own unique path. When two plugins fight over the same URL, you get redirect loops, broken login pages, and worst of all, the conflict can leak your real login path to bots scanning the redirect chain.
Why Two Plugins on the Same Login Path Is a Bad Idea
When two security plugins try to own the same custom login URL, they compete for control. Each one writes its own rewrite rules in .htaccess and applies its own redirect logic. You cannot predict which one fires first, and that unpredictability is the problem. One plugin may redirect the request before the other processes it. Both may inject CSS into the login page, so you end up with broken styling. Sometimes the whole page gets stuck in a redirect loop and becomes completely inaccessible.
The conflict itself is a security risk. If one plugin redirects to /wp-login.php before the other hides it, bots watching the redirect chain can see your real login path in the response headers. That defeats the entire point of changing the login URL. You thought you hid the door, but the plugins are arguing so loudly that the bot hears the address anyway.
Default vs Secured Setup
| Setup | Result |
|---|---|
| Two plugins, same login path | Redirect loops, broken styling, real login path leaks to bots |
| Two plugins, different login paths | Both work independently, no conflict |
| One plugin handling the login path, the other disabled for this feature | Cleanest setup, faster performance, zero conflict risk |
The Recommended Setup
The cleanest approach is to let one plugin own the login path and disable that feature in the other. WP Ghost is the recommended choice because it handles the login path change at the server rewrite level, which is faster and more thorough than PHP-level redirects. Go to WP Ghost > Change Paths > Login Security, set your custom login path, and disable the custom login feature in the second plugin.
If you really need two different login entry points, for example one styled login for clients and one hidden login for admins, give each plugin a completely different URL. Set WP Ghost to /my-secret-login and the other plugin, like Wordfence or Solid Security, to /team-access. Then make sure WP Ghost hides the default /wp-login.php and /login paths so bots cannot find the original door either.
A Practical Example
Here is WP Ghost and Wordfence running side by side without stepping on each other. WP Ghost handles the custom login path at /my-secret-login with the default WordPress paths hidden. Wordfence uses its own styled login at /team-access. Both plugins operate independently because nothing overlaps. Bots scanning /wp-login.php or /login hit a 404 and move on to an easier target.
The LoginPress Exception
LoginPress is the one exception to the rule. You can use the same custom login path for WP Ghost and LoginPress without a conflict, because LoginPress is not a security plugin. It does not write rewrite rules. It does not add redirect logic. It only applies visual customization to the login page, so there is nothing for WP Ghost to fight with. This lets you have a branded, styled login page that sits behind a hidden URL. If you prefer a built-in option, WP Ghost also includes its own Login Page Design feature, so you may not need a separate styling plugin at all.
Why Path Security Matters Here
Most WordPress attacks are not genius hackers picking locks. They are bots running through lists of default URLs and trying common passwords. The moment they find /wp-login.php or /wp-admin, your site enters their queue. Changing and hiding the login path is one of the highest-value hack prevention moves you can make. But that move only works if it is done cleanly. Two plugins arguing over the same login URL is worse than having no custom path at all, because the conflict itself tells the bot where to look. Pick one plugin, configure it well, and let the other focus on what it does best.
Frequently Asked Questions
What happens if I accidentally set the same login path in two security plugins?
You will usually hit one of three problems: a redirect loop that blocks access, a broken login page with mismatched styles, or a complete lockout from the dashboard. If this happens, follow the emergency disable method to regain access, then set a unique path in each plugin and re-enable the features one at a time.
Which plugin should handle the custom login path?
WP Ghost. It handles the login path change at the server rewrite level, which is both faster and more thorough than PHP-level redirects other plugins use. Disable the custom login feature in the other plugin and let WP Ghost own the URL. For plugin-specific setup, see WP Ghost with Wordfence, WP Ghost with Solid Security, or the full compatible plugins list.
Can I use LoginPress with WP Ghost on the same login path?
Yes, this is the only safe case. LoginPress is a styling plugin, not a security plugin. It does not touch rewrite rules or redirect logic, so it cannot conflict with WP Ghost’s path security. You can point both at the same custom login URL. If you want to skip the extra plugin, WP Ghost has its own Login Page Design feature that covers the same ground.
Should I also hide the default /wp-login.php path?
Yes, always. Setting a custom login path without hiding the original is doing half the job. Bots still find the default URL because it is the first thing they check. Go to WP Ghost > Change Paths > Login Security and enable the option to return a 404 for /wp-login.php and /login. See the change and hide wp-login path tutorial for the full walkthrough.
Can WP Ghost run alongside Wordfence, Solid Security, or Sucuri?
Yes, and it works well. WP Ghost is a hack prevention plugin focused on reducing your attack surface, while Wordfence, Solid Security, and Sucuri are malware scanners and monitoring tools. The rule is simple: do not duplicate features. Let WP Ghost handle path security, firewall, 2FA, and brute force protection. Let the other plugin handle malware scanning and file monitoring. See the compatibility list for tested setups.
Does WP Ghost modify WordPress core files?
No. WP Ghost uses server-level rewrite rules and WordPress filters to change and hide paths. No core files are touched. Deactivating WP Ghost restores every original path instantly.