HSArticle Login Warden
Most «hide login» plugins only do one thing: change the URL of wp-login.php. HSArticle Login Warden does that too, but it’s built around a wider goal — make it harder for anyone to find or confirm who has access to your WordPress admin in the first place. Hiding the login form doesn’t help much if your usernames are still leaking out through three other doors, so HSArticle Login Warden closes those too, all as optional one-click toggles.
It doesn’t rename or modify any core files, and it doesn’t add rewrite rules — it simply intercepts requests for wp-login.php and /wp-admin and shows a 404 (or redirects) to logged-out visitors, while your chosen custom URL loads the real login form.
Custom login URL
- Set any custom login URL slug
- Choose what logged-out visitors see when they hit the old login page or /wp-admin: a 404 page, a redirect to your homepage, or a redirect to any custom URL
- Your current login URL is always visible on the settings page with a one-click Copy button, so you never lose track of it
- Built-in conflict check — you can’t accidentally set your login slug to something that collides with an existing page or post
Optional hardening toggles
- Disable XML-RPC (xmlrpc.php) — a second, often-forgotten login door and a common brute-force target
- Generic login error messages — stops WordPress confirming whether a failed login had a real username or not
- Block username enumeration via ?author=1, ?author=2, etc. — stops one of the most common ways real usernames get discovered
- Hide the /wp-json/wp/v2/users REST endpoint from logged-out requests — this lists every username on your site by default
None of these toggles track, log, or store anything about your visitors — they simply stop information from leaking out. All logged-in functionality (dashboard, admin, post editing) works completely normally; every toggle here only affects logged-out visitors.
Deactivating the plugin brings your site back to its default state immediately.
