WordPress powers roughly 43% of all websites on the internet. For most of those site owners, there’s one URL they type more than any other, and it has nothing to do with their homepage.
It’s the login page.
Whether you’ve just handed over a freshly built site to a client or you’re coming back to update a blog post after three months away, knowing how to reliably get into your WordPress dashboard is non-negotiable. And yet it catches people out more often than you’d think: wrong URLs, forgotten passwords, locked accounts, even custom login paths set by security plugins.
At Keen To Design, we’ve onboarded a lot of Sydney businesses onto WordPress over the years, and the login page is almost always the first thing we walk new clients through. This guide covers everything we cover in those conversations: the standard login URL, what to do when it doesn’t work, what you’re actually looking at once you’re inside, and how to keep that access locked down properly.
The Standard WordPress Login URL
WordPress installs a login page at a predictable address by default. To reach it, take your domain and add /wp-admin or /wp-login.php to the end:
- https://yourdomain.com.au/wp-admin
- https://yourdomain.com.au/wp-login.php
Both work. The /wp-admin path redirects you to wp-login.php if you’re not already authenticated, so either one gets you to the same place.
If we built your site, it’s worth checking with us whether the login URL has been changed. On most sites we deliver to clients, we use WPS Hide Login to rename the login path to something non-default, a straightforward tactic that cuts down automated bot traffic significantly. If /wp-admin returns a 404 error rather than a login form, that’s likely what’s happening.
Logging In: What You Actually Need
The WordPress login screen asks for two things: your username or email address, and your password.
A few things worth knowing here:
- WordPress accepts either your username or the email address tied to your account. Both work in the same field.
- Passwords are case-sensitive. Caps Lock has caused more failed logins than most people want to admit.
- The Remember Me checkbox keeps you logged in for 14 days. On a private computer, it’s a reasonable convenience. On a shared machine, skip it.
Once your credentials check out, WordPress drops you straight into the Dashboard, the main screen of WP-Admin.
When the Login Page Won’t Load or Won’t Accept Your Credentials
This happens. Here’s how to work through it.
You’re getting a 404 error at /wp-admin
As we mentioned above, the login URL may have been changed. If we built your site, get in touch, and we’ll confirm the correct login path for you. If someone else built it, check with them or log in to your hosting control panel. Most hosts, including popular Australian ones like VentraIP and Crucial, give you access to the file manager where you can check whether a redirect is in place.
Your password isn’t working
Use the Lost your password? link on the login page. WordPress will send a reset link to the email address associated with your account. If that email doesn’t arrive within a few minutes, check your spam folder, since transactional emails from WordPress occasionally end up there depending on how your site’s mail is configured.
If you don’t have access to that email account at all, the next step is your hosting provider’s phpMyAdmin tool. Inside the wp_users table, you can manually update the user_pass field. The value needs to be MD5-hashed; any free online MD5 generator will produce the correct format. If this sounds out of your depth, it’s the kind of thing we handle for clients on our maintenance plans regularly, so feel free to reach out.
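The MD5 value can also be produced on your own machine, so the new password is never typed into a third-party website. The script below is an added example, not part of the original guide: it generates a random temporary password and prints the statement to run in phpMyAdmin's SQL tab. The function names, the wp_ table prefix and the login name admin are assumptions.

```python
import hashlib
import re
import secrets

def temp_password() -> str:
    # 18 random bytes -> 24 URL-safe characters; use once, then replace it.
    return secrets.token_urlsafe(18)

def md5_hex(password: str) -> str:
    # Legacy format the guide says user_pass accepts: 32 hex characters.
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def reset_statement(user_login: str, password: str, prefix: str = "wp_") -> str:
    # prefix and user_login are assumptions about your install; both are
    # checked against conservative allow-lists because they end up in SQL.
    if not re.fullmatch(r"[A-Za-z0-9_]+", prefix):
        raise ValueError("unexpected table prefix")
    if not re.fullmatch(r"[A-Za-z0-9 _.@-]+", user_login):
        raise ValueError("unexpected characters in user_login")
    return (
        f"UPDATE `{prefix}users` SET user_pass = '{md5_hex(password)}' "
        f"WHERE user_login = '{user_login}' LIMIT 1;"
    )

if __name__ == "__main__":
    password = temp_password()
    print("Temporary password:", password)
    print(reset_statement("admin", password))  # "admin" is a placeholder login
```

After logging in with the temporary password, set a permanent one from your profile screen.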
You’re locked out entirely
Some security plugins lock accounts after a set number of failed login attempts. On sites we manage, we use Limit Login Attempts Reloaded and configure the lockout window to 20 minutes, which is enough to deter bots without being too disruptive if a client miskeys their password a few times. If you’re locked out, the lock typically lifts on its own, but you can also deactivate the plugin temporarily via FTP or your hosting file manager by renaming the plugin’s folder inside /wp-content/plugins/.
What You’re Looking At Once You’re In: The WP-Admin Interface
The WordPress Admin Dashboard isn’t complicated, but it does pack a lot into a small space. It’s worth knowing what each part does. When we hand a completed site over to a client, walking through this interface is part of every handover session we run.
The Toolbar (Top Bar)
The thin bar running across the very top of every admin screen stays with you no matter where you navigate. From left to right:
- The WordPress logo links to WordPress.org documentation
- Your site name toggles between the admin area and your live site; hovering shows a “Visit Site” option
- The + New button is a fast shortcut to create a new post, page, or media upload without navigating through the sidebar
- The comments bubble shows pending comments waiting for moderation
- Your profile name in the top right is where you update your password, email, and admin colour scheme
The Sidebar Navigation
The left-hand menu is where you’ll spend most of your time. It’s grouped by purpose:
Posts and Pages are your content. Posts are date-stamped entries (blog articles, news updates) that sit within categories. Pages are static: About, Contact, Services, that sort of thing. When we build a site, we set up the page structure before handover so clients aren’t starting from a blank slate.
Media is your image and file library. Everything you upload through the editor lands here and can be searched, replaced, or deleted. We always recommend clients compress images before uploading; tools like Squoosh are free and take seconds to use.
Comments is for sites with commenting enabled, where you approve, reply to, or bin visitor responses. For most of the business sites we build, we turn comments off by default unless the client specifically wants them.
Appearance covers themes, menus, and the Customizer. The Customizer gives you a live preview of design changes before publishing them, which is useful when adjusting header colours or font sizes. That said, we’d always recommend checking with us before making changes here on a custom-built site, since theme customisations can sometimes conflict with bespoke code.
Plugins is the extension market for WordPress. From contact forms like Gravity Forms and WPForms, to e-commerce via WooCommerce, to SEO tools like Yoast and Rank Math, plugins are what turn a basic WordPress install into a fully featured business site. We select and configure these during the build, but keeping them updated is something every site owner needs to stay on top of. Outdated plugins are one of the most common entry points for site compromises, and it’s something we catch regularly on sites that come to us after being neglected.
Users lets you manage who has access and at what level. WordPress uses five built-in roles: Administrator, Editor, Author, Contributor, and Subscriber. We follow a simple rule on every site we build: the client gets one Administrator account, we retain one for ongoing support, and everyone else gets the minimum role they actually need.
Settings is the configuration layer. Settings > General is where your site title and timezone live. Settings > Permalinks controls your URL structure, and on every site we launch, we set this to Post name as a standard. It’s cleaner, more readable, and better for SEO than the default numeric structure WordPress uses out of the box.
The Dashboard Home Screen
The first screen after login pulls together recent activity, draft posts, site health warnings, and any news from WordPress.org. The Screen Options tab in the top right corner lets you hide the widgets you don’t use. We typically leave the Site Health Status widget on for clients since it surfaces real issues (outdated PHP versions, insecure configurations, and the like), and we turn off the WordPress news feed, which most people never read.
Is It Safe to Stay Logged In?
WordPress sessions expire after a period of inactivity: around 48 hours without the “Remember Me” option checked, or 14 days with it. After that, you’ll be prompted to log in again.
From a security standpoint, staying logged in on your own private device is generally fine. On a shared computer, always log out manually when you’re done. The logout option sits under your profile name in the top right corner of the toolbar.
Keeping Your Login Secure
Access to WP-Admin is access to everything: your content, your users, your theme files, your settings. These are the security habits we build into every site we deliver:
Use a strong, unique password. We recommend 1Password or Bitwarden to clients who ask. Both are well-supported, reasonably priced, and remove the temptation to reuse passwords across accounts, which is the single highest-risk behaviour we see from site owners.
Enable Two-Factor Authentication (2FA). On sites where we manage security, we install WP 2FA as standard. It adds a second verification step so that even a compromised password doesn’t hand someone full access to the site.
Limit login attempts. As mentioned above, we use Limit Login Attempts Reloaded on client sites. Bots constantly probe WordPress installations with common username and password combinations, and rate-limiting failed attempts quickly cuts down that attack surface.
Change the default login URL. We use WPS Hide Login on most sites we build. It won’t stop a determined attacker, but it does eliminate the vast majority of automated attempts that target the default /wp-login.php path, and that alone reduces server noise considerably.
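Repeated failed logins also show up in the web server's access log, which is a useful way to confirm that a lockout plugin is doing its job. The script below is an added example, not code from any plugin named here: it flags IPs with several failed POSTs to /wp-login.php inside the 20-minute window mentioned earlier. The log lines are constructed, the threshold of 4 is an assumed value, and treating a 200 response as a failed login is a heuristic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')
WINDOW = timedelta(minutes=20)  # lockout window quoted in the article
THRESHOLD = 4                   # assumed; the article gives no attempt count

# Constructed sample lines (documentation-range IPs, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2025:10:00:01 +1100] "GET /wp-login.php HTTP/1.1" 200 4521
203.0.113.7 - - [12/Mar/2025:10:00:02 +1100] "POST /wp-login.php HTTP/1.1" 200 4630
203.0.113.7 - - [12/Mar/2025:10:00:03 +1100] "POST /wp-login.php HTTP/1.1" 200 4630
203.0.113.7 - - [12/Mar/2025:10:00:05 +1100] "POST /wp-login.php HTTP/1.1" 200 4630
203.0.113.7 - - [12/Mar/2025:10:00:06 +1100] "POST /wp-login.php HTTP/1.1" 200 4630
203.0.113.7 - - [12/Mar/2025:10:00:08 +1100] "POST /wp-login.php HTTP/1.1" 200 4630
198.51.100.23 - - [12/Mar/2025:10:05:10 +1100] "POST /wp-login.php HTTP/1.1" 200 4630
198.51.100.23 - - [12/Mar/2025:10:05:40 +1100] "POST /wp-login.php HTTP/1.1" 302 0
192.0.2.44 - - [12/Mar/2025:10:10:00 +1100] "POST /wp-login.php HTTP/1.1" 200 4630
192.0.2.44 - - [12/Mar/2025:10:40:00 +1100] "POST /wp-login.php HTTP/1.1" 200 4630
192.0.2.44 - - [12/Mar/2025:11:10:00 +1100] "POST /wp-login.php HTTP/1.1" 200 4630
192.0.2.44 - - [12/Mar/2025:11:40:00 +1100] "POST /wp-login.php HTTP/1.1" 200 4630
"""

def failed_logins(lines, path="/wp-login.php"):
    # Heuristic: WordPress answers a failed login POST with 200 (form shown
    # again) and a successful one with a 302 redirect.
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in common/combined log format
        ip, ts, method, url, status = m.groups()
        if method == "POST" and url.split("?")[0] == path and status == "200":
            yield ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")

def flag_bruteforce(lines, window=WINDOW, threshold=THRESHOLD):
    # Returns {ip: peak failure count inside any one window} for noisy IPs.
    recent, flagged = defaultdict(deque), {}
    for ip, when in failed_logins(lines):
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:
            q.popleft()  # forget failures older than the window
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

if __name__ == "__main__":
    print(flag_bruteforce(SAMPLE_LOG.splitlines()))
```

In the sample, only the address that fails five times in a few seconds is flagged; the user who miskeys once and the address whose four failures are spread over 90 minutes are not.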
A Note on Hosting-Based Login
If you’ve completely lost access and the password reset process isn’t working, most Australian hosts provide an alternative route. cPanel-based hosting lets you access phpMyAdmin directly, bypassing the WordPress login screen entirely. From there, you can reset passwords, create new admin users, or investigate whether a plugin has locked you out.
For clients on managed WordPress hosting, WP Engine, Kinsta, and Flywheel all offer their own dashboards with one-click login. We often set clients up on these platforms for high-traffic or business-critical sites, since the hosting-level access provides a useful safety net for situations like this.
Logging into WordPress is a small thing, until it isn’t. Knowing the standard URL, understanding why it might not work, and keeping your credentials properly secured means you’re never caught off guard when your site needs attention. The dashboard itself, once you’re inside, is well-organised, and five minutes exploring the sidebar gives you a solid working map of everything under your control.
If any of this has raised questions about your own site, or you’re not sure whether your WordPress install is set up securely, we’re always happy to take a look.