Hide wp-admin and wp-login.php from Source Code

WP Ghost can hide wp-admin and wp-login.php references from your site’s HTML source code. After changing these paths with WP Ghost, the original URLs should no longer appear in the frontend source. If they still show up, it’s usually because a theme or plugin is outputting the paths directly instead of using WordPress functions. This guide covers how to hide the paths, verify they’re hidden, and fix cases where they still appear.

Why Admin Paths Appear in Source Code

Step 1: Change and Hide the Paths

First, make sure you’ve changed and hidden both admin paths in WP Ghost:

• Change and hide the wp-admin path
• Change and hide the wp-login.php path

Both paths need to be changed (renamed to custom URLs) and hidden (original paths return 404 or a custom page) for maximum protection.

Step 2: Verify with Security Check

After hiding the paths, run a security check to confirm they no longer appear in the source code:

1. Go to WP Ghost > Security Check.
2. Run the check and review the results.
3. If the paths are correctly hidden, the security check shows them as passing.
4. If the paths still appear, follow the troubleshooting steps below.

You can also verify manually: open your site in an incognito browser window (logged out), view the page source (Ctrl+U), and search for wp-admin and wp-login. If either term appears, something is still outputting the original paths.

Fix Paths Still Showing After Hiding

If wp-admin or wp-login.php still appear in the source code after enabling WP Ghost’s hide options, a theme or plugin is hardcoding the paths instead of using WordPress functions.

To identify the source:

1. Deactivate all plugins except WP Ghost.
2. Check the source code again. If the paths are gone, a plugin was the cause.
3. Reactivate plugins one at a time, checking the source code after each, to identify which plugin exposes the paths.
4. If the paths still appear with all plugins deactivated, your theme is the cause. Switch to a default WordPress theme (Twenty Twenty-Four) temporarily to confirm.

Once you identify the plugin or theme, contact the developer and ask them to use WordPress functions instead of hardcoded paths:

• For wp-admin: use admin_url('/') instead of hardcoding /wp-admin/
• For wp-login.php: use wp_login_url() instead of hardcoding /wp-login.php

When plugins and themes use these WordPress functions, WP Ghost can intercept and replace the paths with your custom URLs automatically.

Text Mapping as a workaround. If the plugin developer can’t fix the hardcoded paths, you can use WP Ghost’s Text and URL Mapping feature to find and replace the remaining wp-admin or wp-login.php references in the HTML output.

Frequently Asked Questions

Does WP Ghost hide paths for logged-in users too?

By default, WP Ghost hides paths in the frontend for all visitors, including logged-out users and bots. Logged-in admin users may still see original paths in the WordPress admin bar. To extend path changes to the admin dashboard, see Change Paths in Admin Dashboard.

What is the correct WordPress function for login URLs?

The correct function is wp_login_url(). This returns the login URL and respects custom login paths set by security plugins like WP Ghost. Some older documentation references home_url('wp-login.php'), but wp_login_url() is the proper WordPress function because it supports filters.

Does WP Ghost modify WordPress core files?

No. WP Ghost replaces paths in the HTML output buffer using WordPress hooks. No core files are modified. The paths are changed dynamically at render time.

Related Tutorials

Admin and login path security:

• Change and Hide the wp-admin Path – Rename and hide wp-admin.
• Change and Hide the Login Path – Rename and hide wp-login.php.
• Text and URL Mapping – Replace hardcoded paths in HTML output.
• Change Paths in Admin Dashboard – Extend path changes to the admin area.