How to Recover the WordPress Login URL When Using WPS Hide Login Plugin

Home » Security » How to Recover the WordPress Login URL When Using WPS Hide Login Plugin
December 25, 2019 Security, Tips, WordPress
How to Recover the WordPress Login URL When Using WPS Hide Login Plugin

Changing the WordPress login URL is a common security measure — it prevents bots from targeting /wp-login.php with brute-force attacks. The WPS Hide Login plugin handles this cleanly, but it can create a headache if you forget the custom login path. Here are three ways to recover it depending on what access you have.

Problem: The custom WordPress login URL set by the WPS Hide Login plugin has been forgotten — /wp-login.php now returns 404 and there is no way to reach the admin.

Solution: There are three recovery options depending on server access: temporarily rename the plugin folder via FTP or SSH to restore the default login path, read the stored URL directly from the database with a SQL query on the wp_options table, or retrieve it with a WP-CLI command.

Option 1 — File system access. The quickest fix is to temporarily disable the plugin by renaming its folder, which restores access to /wp-login.php. Connect to the server via FTP or SSH and rename:

mv wp-content/plugins/wps-hide-login wp-content/plugins/wps-hide-login-disabled

Log in via /wp-login.php, note the custom URL from Settings → WPS Hide Login, then rename the folder back and reactivate the plugin from the admin.

Option 2 — Theme file access only. Add the following line temporarily to your active theme's functions.php. It reads the stored custom path from the database and prints it at the top of every front-end page:

<?php
// Temporary — remove immediately after retrieving the login URL
add_action( 'wp_footer', function () {
    $login_path = get_option( 'whl_page' );
    if ( $login_path ) {
        echo '<p style="position:fixed;bottom:0;left:0;background:#fff;padding:4px 8px;font-size:13px;">'
           . 'Login URL: ' . esc_url( home_url( '/' . $login_path . '/' ) )
           . '</p>';
    }
} );

Visit any page of the site, note the URL, then remove this code immediately.

Option 3 — Database access. Query the wp_options table directly — via phpMyAdmin, MySQL CLI, or WP-CLI:

SELECT option_value FROM wp_options WHERE option_name = 'whl_page';

# Via WP-CLI
wp option get whl_page

The value returned is the path segment appended to your home URL — e.g. if it returns secret-login your login page is at https://yoursite.com/secret-login/.

NOTE: Hiding the login URL is useful but not a substitute for strong passwords and two-factor authentication. An attacker who discovers the custom URL through other means (e.g. a page source leak or a disclosed config file) will still be able to attempt a brute-force login.

Related posts