Block Access to wp-login.php
This plugin does the following:
- Locates wp-login.php in your WordPress installation and duplicates it
- Locates .htaccess and inserts lines to block the default wp-login.php and creates a new secret address to use for legitimate login
- Will email the site admin if an administrator signs in with an un-recognised IP address
When installed your server will return “403 Forbidden“ when attempts are made to access the default wp-login.php file. This has two benefits; it prevents hackers from using brute force methods to hack your website and it reduces the load on the server when such brute force attacks are launched on your site as WordPress isn't run at all.
Please note, this plugin uses .htaccess so is only compatible with Apache web servers, it is not compatible with Nginx web servers.
Easily prevent access to the default wp-login.php file:
- Install Block wp-login automatically or by uploading the ZIP file.
- Activate the plugin through the ‘Plugins’ menu in WordPress.
- Once activated, visit “Settings - Permalinks” in the admin menu.
- At the bottom of the page enter a new login address next to “Block wp-login” or click to create a random address.
- Make sure you make a note of the new address you will need to use to sign in.
- Save the settings.
Although this plugin now detects when WordPress has been upgraded and re-installs itself, when upgrading WordPress core, you should still make sure you deactivate this plugin first just in case there is an issue.