Security Tip: Hiding the Control Panel in WordPress, ExpressionEngine, and Craft CMS

Posted on September 15, 2025

Caroline C. Blaker

Security Tip: Hiding the Control Panel in WordPress, ExpressionEngine, and Craft CMS Image

Security through obscurity is a basic step that can decrease website attacks.

Content Management Systems - some are more secure out of the box than others. Regardless of their design for security, nearly all are published with a default URL to login to the the control panel - the area where the content is managed. No matter how securely the CMS is designed, the default control panel login exists in order to properly document the CMS - and it's used as a point of reference to guide new users to be able to use their software. Therefore, in most cases, if you know what software the website uses, you can quickly learn where the login URL is by doing a quick google search.

How it works

If your domain's login url can be looked up quickly and accessed by you, anyone can get to your login page and try username/password combinations without asking your permission. Furthermore, robots made by hackers can scan your site (and thousands of others!) for this URL and automate these attacks. They may be able to access your site by guessing your username and password combinations through an automated series of tries. Even without gaining access, they may be able to overwhelm your website with this kind of attack, causing your website's server resources to become exhausted. At this point, your website goes offline. This is what is sometimes referred to as a DDOS (Distributed Denial of Service) attack. Without taking measures to prevent these attacks, any website can be vulnerable.

While hiding the login page for your Content Management System is just one step of many to secure your website, many developers don't bother taking this basic action. It's especially important if your CMS is exceedingly popular, like WordPress, which publishes about half of the internet. Weak passwords, weak security, and outdated software all contribute to as many as 90,000 attacks per minute on WordPress websites. Hiding a site's login URL may deprive a would-be hacker from being able to guess your password, depriving them of the form they would need to make the guess. While it doesn't provide 100% website security lockdown, it is as we say at Aquarian, "10 out of 10 on the better-than-nothing scale."

Changing your Login URL for Craft CMS

Per the Craft 5 docs, a change of the cpTrigger variable in Craft CMS' general config is all that it takes to change the login URL to Craft CMS.


// -- config/general.php --
return [
 '*' => [
 // Applies to all environments:
 'cpTrigger' => 'myCP',
 ],


 'production' => [
 // Optional:Only applies to the production environment:
 'cpTrigger' => 'secret-word',
 ],
];

Security considerations for Craft CMS are top notch and highly flexible. This environment variable can be changed by developers to anything, any time.

Changing your Login URL for ExpressionEngine

The first step in this short process is to rename your admin.php file into whatever you want it to be, like myCP.php in this example.

Next, specify this change outright in the ExpressionEngine config file, located at /system/user/config/config.php


//-- /system/user/config/config.php

$config['cp_url'] = 'https://example.com/myCP.php';

More details (and security-enhancing overrides) can be found in the EE Docs.

A detailed, step-by-step walk-through on how to install ExpressionEngine for Security can be found on our blog.

Changing your Login URL for WordPress

Nobody can agree on one way to change your WordPress Login URL. Or that it's a proper action, at all.

Directly in WordPress

This methodology looks something like the ExpressionEngine one, above. However, it involves changing files that are not meant to be edited and may be replaced in future (compulsory) WordPress updates, breaking your changes:

  1. The first step is to rename wp-login.php to something else, like myCP.php
  2. Next, find-and-replace all instances of wp-login.php to your new filename in WordPress.
  3. Create new forgot-password and logout hooks using PHP code, per this tutorial. It also recommends making a backup of your wp-login.php file, just in case.

As I've already noted, maintaining this approach may be challenging due to its changing of files that are not meant to be changed, and thusly could be changed, or partially-changed during one of those convenient one-click updates.

Using a plugin

Plugins exist to change the WordPress login location to something more custom. No single one stands out above others for a few reasons:

  1. They all work generally the same way.
  2. No single plugin does it better than any other plugin.
  3. Any of these plugins can interfere with other plugins that rely on wp-login.php being the place to login.
  4. Experts agree that it's not enough to just do this, so they recommend WordFence or other full solutions.

However, plugins are easy to deactivate, and adding one of these instead of modifying your core can provide more ease of release if you need to abandon ship. Just deactivate!

Design for Security

Internet content management softwares that are designed for security allow for multiple ways to secure access to critical areas, as well as having code written to purposefully not be attackable. Experts agree that hiding the Login URL to the website's control panel is not a full security solution for any website, but it's part of an array of security measures that can be chosen and implemented layer by layer. It can help conserve server resources and at least partially hide which Content Management System is in use, since default login URLs are different but consistent from software to software.

ExpressionEngine and Craft CMS exhibit flexible, sustainable security configurations in their architecture, while being written for security under the hood. While developers may discuss what a perfect set of measures adds up to, these can be configured as choices without threat to the workings and future updates of the website. They can be adopted anywhere along the lifecycle of the website without compromising other functionality. WordPress, which promotes developer experience above most else, fields attacks at extraordinary frequency and requires a paid subscription to assist with securing the website. It's for this reason that Aquarian recommends a migration to Craft CMS or ExpressionEngine for compromised WordPress websites.

Let us help!

We are lifelong ExpressionEngine and Craft CMS experts - and can secure your website while maintaining everything you love about it.

Can We Take A Look?

Please specify the URL that you are inquiring about

Please enter your email so we can get in touch.