Skip to main content
Blog|
How-to guides
How-to guides

How to access the WordPress dashboard

|
Apr 28, 2026|10 min read
HOW-TO GUIDESHow to access the WordPressdashboardHOSTNEYhostney.comApril 28, 2026

The WordPress dashboard is the admin area where you write posts, install themes and plugins, manage users, and change settings. Reaching it on a fresh, untouched WordPress install is as simple as adding /wp-admin to the end of your domain. Reaching it on a site that has been around for a while, that someone else built, or that has any kind of security plugin installed, can be less obvious. This article covers every common way to get into the dashboard, what to do when the standard URL does not work, how to find the login URL on a site you inherited, and how to recover access when two-factor authentication is no longer working for you.

The default way: append /wp-admin to your domain#

For 95% of WordPress sites, this is the entire answer:

https://yourdomain.com/wp-admin

Open that in your browser. WordPress redirects you to /wp-login.php , shows a login form, and after you submit valid credentials it sends you to /wp-admin/ where the dashboard lives.

The two URLs you may see referenced in tutorials are functionally interchangeable for getting in:

  • https://yourdomain.com/wp-admin redirects you to the login form when you are signed out, and goes straight to the dashboard when you are signed in
  • https://yourdomain.com/wp-login.php is the login form itself; after a successful login it sends you to /wp-admin/

Either works. /wp-admin is the friendlier address to remember.

If the site is in a subfolder (for example https://yourdomain.com/blog/ is a separate WordPress install), the login URL follows the install:

https://yourdomain.com/blog/wp-admin

If WordPress is on a subdomain, the login URL lives on the subdomain:

https://shop.yourdomain.com/wp-admin

The rule is simple: wherever the WordPress install lives, append /wp-admin to that URL.

What if /wp-admin does not load the login page?#

Several common reasons. Walk through them in order.

A security plugin renamed the login URL

Plugins like WPS Hide Login, iThemes Security (now Solid Security), and Wordfence often offer to change the login URL from /wp-login.php to something custom like /secret-portal-9281 . The reason is that bots constantly hammer /wp-login.php looking for weak credentials, so hiding the URL behind something only the owner knows removes the low-hanging fruit. The mechanics, plus the limits of this approach, are covered in WordPress login URL: where to find wp-admin and how to change it.

If the standard URL returns a 404 or “Page not found” error, the URL was almost certainly renamed. A few ways to find the real one:

  • Check the bookmarks of whoever built the site. The custom URL usually lives in the developer’s browser history or a saved password manager entry.
  • Look in your email. When WordPress sends a password reset link, the email body contains a link with the actual login URL embedded.
  • Check the active security plugin’s settings. If you have FTP, SSH, or hosting-panel file access, look in the plugin’s options table or its dashboard.
  • If you have database access, the renamed URL is often stored in wp_options under a name like whl_page (WPS Hide Login) or itsec_hide_backend_slug (Solid Security). Run a quick query to find it.

The site is a multisite network

On a multisite install, individual sites use the standard /wp-admin URL, but the network admin area is at /wp-admin/network/ . The two are different dashboards with different scopes.

The wp-admin folder is being blocked at the server level

Some hosts and security setups restrict /wp-admin access to specific IP addresses. If you are working from a different network than usual (a coffee shop, a VPN, your phone’s hotspot), you might be blocked at the server level before the request even reaches WordPress. The fix is to add your current IP to the allowed list, which usually means logging into the hosting control panel from the original allowed network or asking whoever set up the restriction.

The site is using HTTPS but you typed HTTP

If the site forces HTTPS (which it should), http://yourdomain.com/wp-admin may redirect oddly or fail outright depending on how the redirect is configured. Always type https:// explicitly when in doubt.

The redirect loop trap

If the login page loads but submitting credentials sends you back to the login page over and over, that is a different problem from the URL being wrong. The credentials may even be correct; the login is not failing, the redirect logic is broken. The full diagnostic for this is in WordPress login page refreshing and redirecting: how to fix it.

Finding the login URL on a site you inherited#

When you take over a site from a previous developer or owner, the login URL is one of the first things you need. If the standard URL does not work, here is how to find the real one without having to ask.

View the site’s robots.txt. Some security plugins exclude the renamed login URL from robots.txt explicitly, which means it appears as a Disallow: line. Visit https://yourdomain.com/robots.txt and look for anything that resembles a login path.

View the page source on the front end. Some themes add a “Log in” or “My Account” link in the footer that points at the actual login URL. Right-click anywhere on the front-end site, choose View Page Source, and search for login .

Check the site’s HTML comments. Some plugins leave hints in HTML comments at the top of the page source. Search the source for wp- or login to surface them.

Look at your hosting control panel. Many managed-WordPress hosts have a one-click login button that bypasses the login URL entirely. If the site is on a managed host, log into the host’s control panel and look for a “Log in to WordPress” or “Open admin” button. More on that in the Hostney section below.

Search the database. If you have phpMyAdmin or SSH access to the database, run:

SELECT option_name, option_value
FROM wp_options
WHERE option_name LIKE '%login%'
   OR option_name LIKE '%hide%';

That surfaces the most common security-plugin entries that store renamed login slugs.

Check the file system for known security plugins. SSH or FTP into the site, list /wp-content/plugins/ , and look for: wps-hide-login , better-wp-security , solid-security , wordfence , all-in-one-wp-security-and-firewall . The plugin’s name tells you which login-renaming feature is in play, which tells you where the slug is stored.

When you are locked out#

A few specific scenarios deserve their own walk-through.

You forgot your password. Click “Lost your password?” on the login form, enter your email or username, and WordPress sends a reset link. The full step-by-step including what to do when the reset email never arrives is in how to reset the WordPress admin password.

Two-factor authentication is no longer working for you. This happens when you change phones, lose your authenticator app, or forget the backup codes. Most 2FA plugins include a recovery-code system, but if those are also lost, you have to disable 2FA from outside the dashboard. The two practical options:

  1. Through the database. Find the user-meta entry for your 2FA plugin (it usually has a name like _two_factor_enabled_providers or similar) and delete the row. Next login, 2FA is gone and you can log in with just your password.
  2. By disabling the plugin from the file system. SSH or FTP into the site, rename /wp-content/plugins/two-factor/ (or whatever your 2FA plugin is called) to something like /wp-content/plugins/two-factor.disabled/ . WordPress detects the plugin is missing and silently disables it. Log in normally, fix your 2FA setup, then rename the folder back.

You have lost your password AND email access. This is the worst case. The recovery path is documented in locked out of WordPress admin: how to get back in, which covers resetting the password directly in the database, creating a brand-new admin user via SQL, and several other options for when the standard “Lost your password?” flow is not available to you.

The wp-admin area is throwing a fatal error. The login form loads, your credentials work, but as soon as the dashboard tries to render you get a white screen or a fatal error. That is not a login problem; it is a plugin or theme conflict triggered by the dashboard load. Disable the most recently activated plugin via the file system (rename its folder), reload, and the dashboard should come back. Then track down which plugin and version was responsible.

How to access the WordPress dashboard on Hostney managed WordPress#

If your site runs on Hostney’s managed WordPress, you do not have to remember the login URL or your WordPress password at all. Hostney provides single sign-on directly from the control panel: open the hosting dashboard, find the WordPress site you want to manage, and click the Login button next to it. The control panel generates a one-time, short-lived token, redirects you to https://yoursite.com/hostney-login?token=... , and your WordPress install validates the token and signs you in as your WordPress admin user automatically. No login form, no password to remember, no need to know the renamed login URL.

The mechanics under the hood: the token is a single-use, hashed value with a 60-second time-to-live, scoped to your control-panel session and your account. Once it is consumed (or the 60 seconds elapse) it cannot be reused. The handler runs in an isolated location at the server level, separate from the rest of WordPress, so it does not interfere with the regular /wp-login.php flow if you ever need to use that too.

If you prefer, you can also turn on SSO-only login for a WordPress install, which disables the standard /wp-login.php form entirely. Logging in becomes possible only through the control panel. This is the right setting when you want to remove the wp-login.php endpoint as an attack surface entirely – bots scanning for /wp-login.php get a 403, and the only way into the dashboard is via the control panel SSO. It also pairs well with the broader hardening posture covered in is WordPress secure and how to harden it.

For multi-site or agency setups, the SSO works the same way for sites you have delegated access to: a delegate user clicks Login on a site they have permission to manage, gets the same one-click sign-in, and lands in the WordPress dashboard. No need to share WordPress passwords with collaborators.

Common mistakes#

  • Bookmarking /wp-admin/ instead of /wp-login.php . Both work, but if you bookmark the post-login URL, you get a meaningless redirect when your session expires. Bookmark /wp-login.php if you want one URL that always shows the login form.
  • Using a saved password from a different WordPress site. If you manage multiple sites and your browser autofills the wrong credentials, you may try the same wrong password three times and trip a brute-force lockout from your own IP. Always check the autofill suggestion before submitting.
  • Trying the URL on http:// when the site is HTTPS-only. A misconfigured redirect on http:// can drop you into a redirect loop or a 404 even when the site is fine on https:// . Always start with https:// .
  • Assuming the login URL has changed when the actual problem is a 502 or 503. If the whole site is down, the login form will not load either. Check the site front-end first; if that is broken too, the login URL is not the problem.
  • Reinstalling WordPress to “fix” a forgotten password. People do this. Do not. Reset the password through the database or the password-reset email; reinstalling does not change the database and the password stays exactly the same.

Summary#

For a standard WordPress install, the dashboard lives at https://yourdomain.com/wp-admin and https://yourdomain.com/wp-login.php . If those URLs do not load, the most likely cause is a security plugin that renamed the login URL; check robots.txt, the source HTML, the database, or the file system for hints. If you are locked out of the login form because of a forgotten password or a broken 2FA setup, recovery happens through the password-reset email, the database directly, or by disabling the offending plugin from the file system. On Hostney managed WordPress, none of that is necessary in the first place: the control panel provides one-click SSO into every WordPress site you own or have been granted access to, and you can optionally disable the standard wp-login.php form entirely if you want SSO to be the only way in.

Previous

WordPress pingbacks and trackbacks: what they are and why to disable them

Related articles

HOW-TO GUIDESWordPress pingbacks andtrackbacks: what they are andwhy to disable themHOSTNEYhostney.comApril 28, 2026
How-to guides
WordPress pingbacks and trackbacks: what they are and why to disable them
HOW-TO GUIDESHow to embed Google Forms inWordPressHOSTNEYhostney.comApril 27, 2026
How-to guides
How to embed Google Forms in WordPress
HOW-TO GUIDESHow to change the WordPressURL slugHOSTNEYhostney.comApril 27, 2026
How-to guides
How to change the WordPress URL slug
HOW-TO GUIDESHow to insert and edithyperlinks in WordPressHOSTNEYhostney.comApril 26, 2026
How-to guides
How to insert and edit hyperlinks in WordPress
HOW-TO GUIDESWordPress excerpts: how tocontrol themHOSTNEYhostney.comApril 26, 2026
How-to guides
WordPress excerpts: how to control them
HOW-TO GUIDESHow to change the WordPressRead More tagHOSTNEYhostney.comApril 26, 2026
How-to guides
How to change the WordPress Read More tag
HOW-TO GUIDESHow to add animated GIFs toWordPressHOSTNEYhostney.comApril 25, 2026
How-to guides
How to add animated GIFs to WordPress
HOW-TO GUIDESHow to add images to WordPressHOSTNEYhostney.comApril 25, 2026
How-to guides
How to add images to WordPress
HOW-TO GUIDESHow to change the font colorin WordPressHOSTNEYhostney.comApril 25, 2026
How-to guides
How to change the font color in WordPress
HOW-TO GUIDESHow to change the font size inWordPressHOSTNEYhostney.comApril 24, 2026
How-to guides
How to change the font size in WordPress