How to set "Login url" to WordPress Address (URL) not Site Address (URL)

I’m not sure why exactly you want to use site_url()… There were some issues with SSL which I fixed a few minutes ago. Maybe you could update the plugin and see if it solves your problem?

Thank you for your prompt reply.

Reason for setting “Login url” to WordPress Address (URL):

1) This is where WP is installed and admin is handled.
2) Cloudflare free account does not allow https for secure login to backend.

Updated to most recent, however both wp-login.php and custom “Login url” are both accessible at domain.com as well as www.domain.com. Currently, SSL is not a concern and appears to work just fine, but hoping to get it working correctly including wp-login.php not displaying login. Again, many thanks.

I don’t understand what 2 has to do with that. Could you elaborate?
Sorry, updating to v2.2.6 will prevent wp-login.php from displaying the form.

If cloudflare doesn’t allow that, then it won’t work for wp-login.php either?

Sorry, I should have been more clear in my explanation. Cloudflare free account does not support https as that is a premium paid feature however since it is only applied to the www.domain.com and not the root domain.com we use root domain.com for secure login to backend through https. Hence, it is necessary to use root domain.com for wp-login.php and not the www subdomain. Thank you.

So your settings are:

WordPress Address: https://www.domain.com
Site Address: https://domain.com

?

You’ll need to set them both to https://www.domain.com…

Actually, settings are just the opposite:

WordPress Address (URL): https://domain.com
Site Address (URL): https://www.domain.com

Unfortunately, current setup prevents use of https for secure login on www subdomain with Cloudflare free account. Currently, this setup works with the site using https://www.domain.com and WP backend using https://domain.com/wp-login.php. However, initial interest in using your great plugin was to hide wp-login.php and continue to use https://domain.com/”Login url”/ for secure login. I hope this is possible. Thank you.

Oh prevents on www. Okay, yeah, then it’s the other way around.
Can’t you switch both to https://domain.com?

I will definitely play with the WP URL settings after the update to 2.2.6 to effectively see the plugin not display wp-login.php, but since requiring using www subdomain for the site and requiring secure https for WP backend login while using Cloudflare I believe this is how it needs to be setup to work properly. Either way, site needs to be www subdomain and as long as I can login using https while using Cloudflare which has to be non-www that is what is needed. Many thanks to you for your kind help.

Okay, updated to most recent 2.2.7 and it appears to work properly for SSL and not display the wp-login.php. However, I still have the issue with the login form and logout link wanting to use https://www.domain.com which is definitely not possible as it will never complete due to using Cloudflare free account on www subdomain. For this reason, I would need to change the “Login url” default to root domain.com which should fix any affected URLs. Please advise if this may be possible and what code I may try to change to see if it will function correctly. Thank you very much.

Honestly, the easiest thing you could do is to just set both of them to the root.

WordPress Address (URL): https://domain.com
Site Address (URL): https://domain.com

And your problem is solved.

You could change the plugin by replacing all instances of home_url with site_url in rename-wp-login.php, but I really don’t recommend it. You’ll also need to modify the plugin every time it updates. I could place a filter there so you could add a filter somewhere else, but I don’t think there’s a lot of people who set their site_url to root and home_url to www. The reason I don’t set it to site_url is because people expect the login page to be where their other pages are, not https://domain.com/path/to/wordpress/directory/login/.

Thank you and I agree that this may not be typical, however after careful research I believe some key points regarding WordPress backend management using https secure protocol with an active Cloudflare free account:

1) Cloudflare free account typical setup uses subdomain www to function as it can only work with CNAMEs. Since root domains are an A record it is not possible to use root domain.com with Cloudflare.

2) Cloudflare free account does not work with https secure protocol therefore https on subdomain www is not an option and will fail unless you purchase this premium Cloudflare feature. However, since most security certificates apply to both root domain.com and include subdomain www the simple workaround for this is to use your root domain.com when requiring any https secure protocol.

3) To secure your WordPress backend including login and admin the easiest way to accomplish this is to use root domain.com for https secure protocol due to the limitations placed by Cloudflare free account on subdomain www.

4) To ensure WordPress settings including plugins do not get wrapped around the use of secure https://www.domain.com as it will not function properly it is necessary to set WordPress Address (URL) or site_url to root domain.com and set Site Address (URL) or home_url to subdomain www.

If wanting https secure protocol for WordPress backend login and admin with an active Cloudflare free account then this appears to be a solution which has worked well so far. Are there any negatives to using this method, you decide.

Perhaps a filter for this situation as suggested may be of interest. Also, wouldn’t having the login page located separate of where other pages are expected only be of more help in regards to security.

Also, wouldn’t having the login page located separate of where other pages are expected only be of more help in regards to security.

Not at all. Why?

I’ll consider adding a filter, but for now you’ll have to replace home_url manually.

I always propose the easier it is for intruders, the more likely they are to try. Hence, WordPress is very simple and highly popular that is why it needs to be protected as it is likely to be attacked more for this reason. Surely it could not hurt anything. Regardless, I look forward to your continued improvements with this much needed plugin as well as a filter for those of us requiring this setting. Thank you very much for your great efforts and excellent support you are an asset to the WordPress community.

Update: All features of your plugin appear to function properly including changing the home_url manually as suggested.

The only fault at this time that I can find is FORCE_SSL_ADMIN set to true option is not forcing the URLs in your plugin to secure https protocol for some reason.

Thanks.