Hide My Login
Replace your predictable wp-login.php URL with a custom login path that only you and your team know. Bots and attackers scanning for WordPress login pages will hit a 404 instead of a login form. Combined with honeypot fields, rate limiting, and IP whitelisting, this module adds multiple layers of protection to your login process.
Use Cases
- Hide Login from Bots – Eliminate the vast majority of automated brute force attacks by removing the standard login URL that bots target
- Custom Branded Login – Create a professional, branded login URL for your organization (e.g., /company-login/ or /staff-portal/)
- Security Through Obscurity – Add an extra barrier that makes your site a harder target, forcing attackers to discover your login URL before they can even begin an attack
How It Works
- Set a custom login slug in the module settings (e.g., my-secret-login)
- Your login page moves to yoursite.com/my-secret-login/
- All requests to wp-login.php and wp-admin (for non-logged-in users) return a 404 page
- Login, registration, and password reset URLs are automatically rewritten across your site
- WordPress email notifications (password resets, new user emails) are updated to use the new URL
- Optional honeypot, rate limiting, and user agent blocking provide additional layers of defense
Where to Find It
Location: Configure the module in Switchboard → Modules → Security → Hide My Login. Set your custom login slug and all login URLs will automatically update.
Access the detailed access logs and statistics at Switchboard → Hide My Login (admin.php?page=switchboard-hide-my-login).
Settings
| Setting | Type | Default | Description |
|---|---|---|---|
| Custom Slug | Text | (empty) | Your custom login URL path (e.g., “my-login”). This becomes yoursite.com/my-login/ |
| Block Default Login | Toggle | Yes | Block direct access to wp-login.php, returning a 404 |
| Block wp-admin | Toggle | Yes | Block wp-admin access for non-logged-in users, returning a 404 |
| IP Whitelist | Textarea | (empty) | IP addresses that can always access the default login pages (one per line). Acts as a recovery bypass |
| Path Whitelist | Text | (empty) | Additional URL paths to allow through the block (comma-separated) |
| User Agent Blocking | Toggle | Yes | Block requests from known bot user agents (curl, wget, python, scrapy, etc.) |
| Referer Check | Toggle | Yes | Verify HTTP referer header on POST requests to the login form |
| Honeypot Enabled | Toggle | Yes | Add a hidden honeypot field to the login form that catches automated bots |
| Rate Limiting | Toggle | Yes | Enable rate limiting per IP address on the custom login URL |
| Rate Limit Threshold | Number | 10 | Maximum login requests allowed per time window |
| Rate Limit Window | Number | 3600 | Time window in seconds for rate limiting (default: 1 hour) |
| Log Attempts | Toggle | Yes | Log all access attempts (blocked and allowed) for review |
| Log Retention Days | Number | 30 | Number of days to keep access logs before automatic cleanup |
| Allow Site Health | Toggle | Yes | Allow WordPress Site Health loopback tests to bypass the login block |
| WooCommerce Compat | Toggle | Yes | Enable compatibility with WooCommerce login and my-account pages |
Security Layers Explained
Custom Login URL
The primary defense. By changing wp-login.php to a custom path, you eliminate the target that automated scanners look for. Most WordPress brute force bots only try the default login URL and move on when they get a 404.
Honeypot Field
A hidden form field is added to the login form. Legitimate users never see or fill it (it is hidden via CSS). Bots that auto-fill all form fields will trigger the honeypot and be blocked immediately.
Rate Limiting
Limits the number of requests a single IP address can make to the login page within a configurable time window. This slows down any attacker who discovers your custom URL and attempts to brute force it.
User Agent Blocking
Blocks requests from common automated tools like curl, wget, python-requests, and scrapy. While user agents can be spoofed, this stops the majority of low-effort automated attacks.
HTTP Referer Check
Verifies that POST requests to the login form include a valid HTTP referer header from your site. This blocks scripts that submit login credentials directly without loading the login page first.
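How the user agent, referer, honeypot, and rate limit layers described above can combine on a single request, as an added Python sketch that is not the module's own code. The check order, the honeypot field name `website`, and the host `yoursite.com` are assumptions; the threshold and window are the defaults from the settings table.

```python
import time
from collections import defaultdict, deque
from urllib.parse import urlsplit

SITE_HOST = "yoursite.com"                  # placeholder host used on this page
BLOCKED_UA_TOKENS = ("curl", "wget", "python", "scrapy")
HONEYPOT_FIELD = "website"                  # hypothetical hidden field name
RATE_LIMIT_THRESHOLD = 10                   # default from the settings table
RATE_LIMIT_WINDOW = 3600                    # seconds, default from the settings table

_hits = defaultdict(deque)                  # ip -> timestamps of counted requests

def check_login_request(ip, method, headers, form, now=None):
    """Return (allowed, reason) for one request to the custom login URL."""
    now = time.time() if now is None else now

    # User agent blocking: case-insensitive token match.
    ua = headers.get("User-Agent", "").lower()
    if any(token in ua for token in BLOCKED_UA_TOKENS):
        return False, "user_agent"

    if method == "POST":
        # Referer check: compare the parsed host, not a string prefix, so
        # "yoursite.com.example.net" does not pass as "yoursite.com".
        ref = urlsplit(headers.get("Referer", ""))
        if ref.scheme not in ("http", "https") or ref.hostname != SITE_HOST:
            return False, "referer"
        # Honeypot: a real browser leaves the CSS-hidden field empty.
        if form.get(HONEYPOT_FIELD, "").strip():
            return False, "honeypot"

    # Rate limit: sliding window of request times per IP.
    window = _hits[ip]
    while window and now - window[0] >= RATE_LIMIT_WINDOW:
        window.popleft()
    if len(window) >= RATE_LIMIT_THRESHOLD:
        return False, "rate_limit"
    window.append(now)
    return True, "ok"
```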
IP Whitelist
Provides a recovery mechanism. If you forget your custom login URL or something goes wrong, whitelisted IP addresses can still access the default wp-login.php page directly.
Always add your own IP address to the IP Whitelist before enabling this module. This ensures you can still access the default login page as a recovery fallback if you forget the custom slug.
Access Logs and Statistics
The dedicated admin page at Switchboard → Hide My Login provides:
- Access log table – Every blocked and allowed request with timestamp, IP, URL, user agent, and status
- Statistics overview – Total blocked requests, top blocked IPs, and access patterns
- CSV export – Download the full access log for offline analysis or reporting
- Log management – Automatic cleanup based on your retention settings
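One way to review the CSV export offline, added here as an example and not part of the module: it ranks blocked IPs and flags addresses that were blocked on a default path and later requested the custom slug, a sign the slug may have leaked. The column names, status values, and sample rows are constructed assumptions; the slug is the example slug from this page.

```python
import csv
import io
from collections import Counter
from datetime import datetime

CUSTOM_SLUG = "/my-secret-login/"           # example slug from this page
DEFAULT_PATHS = ("/wp-login.php", "/wp-admin")

# Constructed sample export; column names and status values are assumptions.
SAMPLE_CSV = """timestamp,ip,url,user_agent,status
2024-05-01 09:00:00,203.0.113.20,/my-secret-login/,Mozilla/5.0,allowed
2024-05-01 10:00:00,198.51.100.7,/wp-login.php,Mozilla/5.0,blocked
2024-05-01 10:00:02,198.51.100.7,/wp-admin/,Mozilla/5.0,blocked
2024-05-01 10:01:00,192.0.2.44,/wp-login.php,python-requests/2.31,blocked
2024-05-01 10:01:01,192.0.2.44,/wp-login.php,python-requests/2.31,blocked
2024-05-01 10:01:02,192.0.2.44,/wp-login.php?action=register,python-requests/2.31,blocked
2024-05-01 10:05:00,198.51.100.7,/my-secret-login/,Mozilla/5.0,allowed
"""

def load_rows(text):
    """Parse the export and return rows sorted by time."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["timestamp"] = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
    return sorted(rows, key=lambda row: row["timestamp"])

def top_blocked(rows, n=5):
    """Most frequently blocked IPs as (ip, count) pairs."""
    return Counter(r["ip"] for r in rows if r["status"] == "blocked").most_common(n)

def scanners_that_found_slug(rows, slug=CUSTOM_SLUG):
    """Map IP -> first time it hit the slug after being blocked on a default path."""
    probed, found = set(), {}
    for row in rows:
        path = row["url"].split("?", 1)[0]
        if row["status"] == "blocked" and path.startswith(DEFAULT_PATHS):
            probed.add(row["ip"])
        elif path.rstrip("/") == slug.rstrip("/") and row["ip"] in probed:
            found.setdefault(row["ip"], row["timestamp"])
    return found

if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    print(top_blocked(rows))
    print(scanners_that_found_slug(rows))
```

A flagged address can also be a team member who tried the old URL out of habit, so compare the result against known staff IPs before changing the slug.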
WooCommerce Compatibility
When enabled, the WooCommerce compatibility setting ensures that:
- The My Account page login form works correctly with the custom URL
- WooCommerce checkout login redirects use the custom login path
- Customer registration flows are not disrupted by the login URL change
Recovery Options
If you lock yourself out or forget your custom login slug:
- IP Whitelist – If your IP is whitelisted, navigate to yoursite.com/wp-login.php directly
- FTP/File Manager – Rename or remove the module file at modules/security/hide-my-login.php to disable the module
- Database – Delete the switchboard_hide-my-login_settings option from the wp_options table
- WP-CLI – Run wp option delete switchboard_hide-my-login_settings if you have command-line access
FAQ
What happens if I forget my custom login URL?
If your IP is on the whitelist, you can still access wp-login.php directly. Otherwise, you can disable the module via FTP by renaming the module file, or delete the module settings from the database. See the Recovery Options section above for detailed instructions.
Does this protect against all brute force attacks?
It eliminates the vast majority of automated attacks that target the default login URL. However, a determined attacker who discovers your custom URL could still attempt a brute force attack. The rate limiting, honeypot, and user agent blocking settings provide additional layers of defense for this scenario. For maximum security, combine this module with Limit Login Attempts and strong passwords.
Will this break my WordPress REST API or admin-ajax.php?
No. The module specifically targets wp-login.php and wp-admin for non-logged-in users. The REST API (wp-json/), admin-ajax.php, and admin-post.php continue to work normally. Logged-in users can access wp-admin without any issues.
Does this work with multisite installations?
The module is designed for single-site WordPress installations. Multisite support may vary depending on your network configuration. Test thoroughly on a staging environment before enabling on a multisite network.
Can I use this with other security plugins?
Yes, but be aware that other plugins that modify the login URL (such as WPS Hide Login) will conflict. Disable any other login URL modification plugins before enabling this module. Firewall plugins like Wordfence or Sucuri work fine alongside Hide My Login.
Hiding the login URL is one layer of a defense-in-depth strategy. For comprehensive login security, combine this module with Limit Login Attempts, strong passwords, and consider two-factor authentication.