Change the Magento 2 admin login URL (security checklist)
Changing your Magento 2 admin login URL is one of the easiest ways to block bots and reduce brute force attack attempts. It won’t stop a targeted attacker, but it’s an effective layer of obscurity that helps keep your login screen out of plain sight.
Let’s walk through why this change matters, how to do it safely, and what else you can do to protect your Magento 2 admin panel.
Why change the Magento 2 admin login URL?
The default Magento 2 admin login URL is usually something like /admin. Hackers and bots know this, and they’ll often try to brute force their way into your site by targeting this common path with automated login attempts.
Changing the admin login URL makes it harder for attackers to even find your login page. This is called “security through obscurity,” and while it’s not foolproof, it’s a smart first step in any Magento hardening checklist.
Think of it like locking your front door and also moving it to a side alley—not invisible, but less obvious.
Back up your Magento store first
Before making any changes to system files, take a full backup of your Magento store. This ensures you can restore your site if anything goes wrong.
Here’s what to back up:
- Magento codebase (all files in your Magento root directory)
- Magento database
- Any server configurations you plan to modify (like Nginx or Apache configs)
If your hosting provider offers snapshot backups, take a full snapshot of your environment. If you’re working manually:
- Use rsync or scp to back up your Magento files to another location.
- Run the following command to dump your database:
mysqldump -u your_db_user -p your_db_name > backup.sql
- Store both backups in a secure place and confirm they’re complete before proceeding.
Locate the current admin URL in env.php
Magento stores the admin login path in a file called env.php. This is located in the /app/etc/ directory of your Magento installation.
To view or change the admin path:
Use the Magento CLI
- Connect to your server using SSH or open your file manager through your hosting control panel.
- Navigate to the app/etc/ folder in your Magento root directory.
- Open the env.php file in a text editor.
- Look for this line:
'frontName' => 'admin',
This 'frontName' value controls the admin login URL. If it says 'admin', then your login URL is https://yourdomain.com/admin.
Change 'admin' to a unique value. For example:
'frontName' => 'secure-login-87tq'
Choose something unpredictable. Avoid using “admin123” or other common phrases. This value will become the new login path, like https://yourdomain.com/secure-login-87tq.
- Save the file and close your editor.
Clear Magento cache and test the new URL
Magento uses cached configurations, so your new login path won’t work until you clear the cache.
To do this:
- Return to your Magento root directory in the terminal.
- Run the cache flush command:
php bin/magento cache:flush
This clears all system caches and applies your env.php changes.
- Now, open a browser and visit your new admin login URL (e.g. https://yourdomain.com/secure-login-87tq). You should see the familiar admin login screen.
Important: Bookmark this new URL or store it in a password manager. If you forget it, there’s no login link on the frontend, so you’ll need to re-check or re-edit the env.php file to find it again.
Remove or block the default /admin path
Even if your Magento site no longer uses /admin, attackers might still try to access it. You can further secure your store by blocking or redirecting that path.
Here’s how:
Option 1: Redirect to homepage or 404
- Add a redirect rule to your .htaccess file (Apache) or server block (Nginx) to send /admin requests to your homepage or a 404 page.
Option 2: Deny access to /admin
For Apache, add this to your .htaccess:
RedirectMatch 403 ^/admin
For Nginx, add this inside your server block:
location /admin {
deny all;
}
This adds another layer of defense and ensures bots can’t guess their way into your old login path.
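Both deny rules above match on the /admin prefix, so a new frontName that begins with admin (for example admin_x7) would be blocked along with the old path. The following check is an added example, not part of the original article: it reads frontName from env.php and rejects the default, prefix-colliding and commonly guessed values. The function names, the guess list and the 12-character minimum are assumptions.

```shell
#!/bin/sh
# Added example: sanity-check the Magento admin frontName.

# Print the first frontName value found in an env.php file.
get_frontname() {
    sed -n "s/.*'frontName'[[:space:]]*=>[[:space:]]*'\([^']*\)'.*/\1/p" "$1" | head -n 1
}

# Print "ok" and return 0 if the name passes; otherwise print why and return 1.
check_frontname() {
    name=$1
    case $name in
        '')     echo "no frontName found"; return 1 ;;
        admin)  echo "default value"; return 1 ;;
        admin*) echo "begins with 'admin': caught by the /admin deny rule"; return 1 ;;
        backend|login|manage|dashboard|panel)
                echo "commonly guessed path"; return 1 ;;   # assumed guess list
    esac
    # Assumed minimum length; short names are cheap to enumerate.
    if [ "${#name}" -lt 12 ]; then
        echo "shorter than 12 characters"; return 1
    fi
    echo "ok"
}

# Demo against a constructed env.php fragment (not a real store's file).
demo_env=$(mktemp)
cat > "$demo_env" <<'EOF'
<?php
return [
    'backend' => [
        'frontName' => 'admin_x7'
    ]
];
EOF
found=$(get_frontname "$demo_env")
echo "frontName=$found: $(check_frontname "$found" || true)"
rm -f "$demo_env"
```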
Restrict admin access by IP address (optional)
If you work from a fixed location or VPN, you can limit admin access to just your IP address. This is a stronger security measure than simply hiding the login page.
The exact method depends on your server software:
For Apache:
- Open your Apache config file or .htaccess.
- Add:
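# <Directory> is only valid in the server or virtual host config; in .htaccess, use the <If> block on its own.
<Directory /var/www/html>
    <If "%{REQUEST_URI} =~ m#/secure-login-87tq#">
        Require ip 203.0.113.10
        Require ip 198.51.100.5
    </If>
</Directory>
- Replace the IP addresses with your actual IPs.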
For Nginx:
- Open your Nginx site config file.
- Inside the server block, add:
location /secure-login-87tq {
    allow 203.0.113.10;
    allow 198.51.100.5;
    deny all;
}
- Be sure to reload your server config after making changes:
- Apache: sudo systemctl reload apache2
- Nginx: sudo systemctl reload nginx
If your IP changes frequently, skip this step—or use a VPN with a static IP to avoid getting locked out.
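To confirm the restriction is actually being enforced, review the access log once the rules are live. The script below is an added example, not part of the original article: it counts clients still probing the retired /admin path and lists any client outside the allowlist that touched the new path. It assumes the combined log format and reuses the article's sample path and IPs; the function names and log lines are constructed.

```shell
#!/bin/sh
# Added example: audit an access log after moving the Magento admin path.
ADMIN_PATH="/secure-login-87tq"           # sample path from the article
ALLOWED_IPS="203.0.113.10 198.51.100.5"   # sample allowlist from the article

# Constructed sample log (combined log format); not real traffic.
sample_log() {
    cat <<'EOF'
203.0.113.10 - - [12/May/2025:10:01:02 +0000] "GET /secure-login-87tq HTTP/1.1" 200 5120 "-" "-"
192.0.2.44 - - [12/May/2025:10:02:10 +0000] "POST /admin HTTP/1.1" 403 162 "-" "-"
192.0.2.44 - - [12/May/2025:10:02:11 +0000] "POST /admin HTTP/1.1" 403 162 "-" "-"
192.0.2.44 - - [12/May/2025:10:02:12 +0000] "GET /admin/ HTTP/1.1" 403 162 "-" "-"
192.0.2.77 - - [12/May/2025:10:05:40 +0000] "GET /admin HTTP/1.1" 403 162 "-" "-"
192.0.2.77 - - [12/May/2025:10:05:41 +0000] "GET / HTTP/1.1" 200 9876 "-" "-"
192.0.2.91 - - [12/May/2025:10:09:03 +0000] "GET /secure-login-87tq HTTP/1.1" 403 162 "-" "-"
192.0.2.120 - - [12/May/2025:10:11:27 +0000] "GET /secure-login-87tq HTTP/1.1" 200 5120 "-" "-"
EOF
}

# Count requests per client IP to the retired /admin path, busiest first.
old_path_probes() {
    awk '$7 == "/admin" || index($7, "/admin/") == 1 || index($7, "/admin?") == 1 { n[$1]++ }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# List requests to the new admin path from clients outside the allowlist.
# DENIED  = the rule returned 403, but the path is known to an outsider.
# REACHED = any other status: the IP restriction is not being applied.
foreign_admin_hits() {
    awk -v path="$ADMIN_PATH" -v allow="$ALLOWED_IPS" '
        BEGIN { split(allow, a, " "); for (i in a) ok[a[i]] = 1 }
        index($7, path) == 1 && !($1 in ok) {
            print ($9 == 403 ? "DENIED" : "REACHED"), $1, $9
        }' "$1"
}

# Demo run on the constructed log.
log=$(mktemp)
sample_log > "$log"
echo "Probes of the retired /admin path (count, client):"
old_path_probes "$log"
echo "Clients outside the allowlist on $ADMIN_PATH:"
foreign_admin_hits "$log"
rm -f "$log"
```

Any REACHED line means the allow/deny block is not in effect for that request, for example because the server was not reloaded or another location block handles the path first.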
Don’t forget to update saved bookmarks and automation
Once your admin login path changes, everything that relied on the old URL will break.
Make sure you:
- Update your browser bookmarks and password manager entries
- Inform any admins or developers about the new path
- Update automated scripts, cron jobs, or API tools that log in via the admin panel
- Change any hardcoded links inside admin emails or modules (rare, but worth checking)
This avoids confusion later and prevents lockouts for your team or tools.
Top Magento extensions for admin login protection
If you want to go beyond a simple URL change, consider using extensions to add more admin security features.
Next steps for securing your Magento 2 site
Changing your Magento 2 admin login URL is a simple way to reduce your attack surface and stop bots from hammering your login screen. It’s not a complete security solution, but it’s a great start.
Once you’ve changed the URL, follow up by blocking or redirecting the old path and adding extra login protections like reCAPTCHA, IP restrictions, or access logging.