For some sites you may never want to provide the standard WordPress login form.  An example of this might be a site that requires a custom OAuth login flow.

In any case, if you’ve found this blog post then you have your own reasons for disabling the login form.  Below is a simple approach to get you started. This code will hook into WordPress right before the login form is shown, and cleanly stops the execution of the rest of the page.

Also included in this approach is a mechanism for providing a secret url that you can use to see the normal login form, in case of an emergency.

About the Author

Jonathan Daggerhart

Long time Drupal and WordPress developer. I like to write modules and plugins, and I dabble in frontend and design.

8 thoughts on “How To Disable The WordPress Login Form

  • Ray

    Hi Jonathan,

    Can you add some info about where/how to place it? I tried putting it at the top of wp-login as an include (to keep code clean) but it’s not executing and instead showing as plain text once the page renders. I tried both include and copied the require(dirname … and both fail.

    • Jonathan Daggerhart

      Hi Ray,

      You’ll want to include this code in a custom plugin, or your theme’s functions.php file. You definitely shouldn’t put it directly into wp-login.php because it will get lost next time you update WordPress.

      Important: When putting this code on your site, make sure to remove the top <?php line of code.

      • Timothy Shaw

        Thanks for this. I’ve been searching for this for a while.

        Strangely, I’m still getting alerts from Wordfence about failed login attempts, from people trying to hack the site. I’m assuming somehow they’re finding the hidden login. How would I alter the code above to remove the login completely?

        thanks!

        • Jonathan Daggerhart

          That’s not very difficult, but if you do it how would you login yourself?

          Regardless, here is the code:

          < ?php
          add_filter( 'wp_login_errors', 'my_login_form_lock_down', 90, 2 );
          /**
           * Completely lock down the WordPress login form by hijacking the page 
           * and only executing the the login header, footer, and necessary 
           * closing tags.
           */
          function my_login_form_lock_down( $errors, $redirect_to ){
            login_header(__('Log In'), '', $errors);
            echo "</div>";
            do_action( 'login_footer' );
            echo "</body></html>";
            exit;
          }
          

          If you’re still getting login errors, the attempts may be coming from another source. It’s possible to submit forms to other sites, also WordPress has XML-RPC authentication. I think a better approach to this code for solving your login errors could be to use iThemes Security, or another plugin, to protect the form and disable XML-RPC.

          I’d expect a plugin that is dedicated to the task will have better results than this code snippet.

          • Timothy Shaw

            Thanks for the info. I almost never need to login – it’s a client site – and if I do, I can go in via ftp and take this code out. What I really need is to make sure the site doesn’t get hacked. It’s an old hosting environment and I can’t use the IP Geo Block plugin, which cuts out the vast majority of login hack attempts.

            Anyway, thanks for the plugin recommend, too. I’ll check it out

  • Budji

    This is brilliant and with no plugins required, thank you!

  • Mark

    Hello
    I have also used your code – thank you! I’d already installed a plugin to change my login url to a ‘secret’ one, but it has left the Log In instruction and link on the Leave a Comment box that I have on my posts; that link now takes visitors direct to the secret login URL! I only want my site’s members to be able to post comments, and they will book mark the necessary URL to login. Any advice on how to remove the link that people see in the Leave a Comment box? I’ve tried adapting your code to rediect people to just the homepage, but still it redirects to the secret URL, even though there is no Login Form there now. I want the URL to remain secret!

    • Jonathan Daggerhart

      The only great way I see to remove that link is to modify your comment template.

      1. Find comments.php in your theme
      2. Find comment_form(); in that template, and pass the ‘must_log_in’ key in the arguments array with an empty string as the value.

      Resulting in something like this: comment_form( array( 'must_log_in' => '' ) );

      That should get rid of the login link.

      See the comment_form() function in the codex for more information on what is happening there.

Leave a Reply

Your email address will not be published. Required fields are marked *