Defyn Security Manager – Hide Login, 2FA & Brute-Force Protection
·
Hide wp-admin behind a custom login URL and stop brute-force attacks with two-factor authentication, login limits, IP rules and an activity log.
Defyn Security Manager is a lightweight WordPress security plugin that hides your login page and locks down the back end. Most attacks on WordPress start at one predictable place: /wp-admin and /wp-login.php. Defyn Security Manager moves that door, throttles attackers, adds two-factor authentication, and records every attempt so you always know who is knocking.
No bloat, no upsell walls, and no account required. Install it, choose a secret login slug, and your login page disappears from bots and scanners.
What it does
- Hide the WordPress login URL. Replace
/wp-adminand/wp-login.phpwith any custom login URL you choose, so automated bots and brute-force scripts hit a dead end. - Decoy or 404 the old URLs. Decide what attackers see at the original login addresses: a 404, a redirect, or a decoy login screen.
- Brute-force protection. Limit login attempts and automatically lock out IP addresses after repeated failures, with a one-click control to clear active lockouts.
- Two-factor authentication (2FA). Add TOTP-based two-factor authentication using Google Authenticator, Authy, 1Password, Microsoft Authenticator or Bitwarden, complete with backup codes and per-role enforcement.
- REST API and XML-RPC protection. Extend two-factor enforcement to the REST API and XML-RPC, with optional API hiding to shrink your attack surface.
- Time-window access control. Only allow logins during the hours and days you actually work, and block everything else.
- IP allowlisting. Optionally restrict back-end access to trusted IP addresses or CIDR ranges.
- Activity log and audit trail. See login attempts, lockouts, scans of your old login URLs, and settings changes in one searchable log.
- Email alerts. Get notified about lockouts, scans, and logins from new IP addresses.
Why choose Defyn Security Manager
- Fast and focused. A purpose-built login-security and login-hardening plugin, not a heavyweight suite that slows your site down.
- Recovery built in. A documented emergency kill switch means you can never permanently lock yourself out.
- Privacy friendly. Your data stays on your site. Nothing is sent to a third-party service.
- Built by an agency. Maintained by Defyn, an Australian web design and development studio that runs this plugin on client sites every day.
Defyn Security Manager is ideal for anyone who wants to hide wp-admin, stop brute-force login attempts, limit login attempts, add 2FA to WordPress, and keep a clear security audit trail.