# JPKCom Hide Login — Guide & Tips > Rename the WordPress login URL, enable brute-force protection and whitelist IPs with JPKCom Hide Login — installation, configuration and WP-CLI. Source: https://www.jpkc.com/db/en/guides/jpkcom-hide-login/ JPKCom Hide Login replaces the default `wp-login.php` URL with a custom slug of your choice and adds built-in brute force protection with IP blocking and an IP whitelist. Bots scanning for `/wp-login.php` receive a plain 404 — with no hint where the login actually lives. ## Guide ### Requirements - WordPress **6.9** or newer (tested up to 7.0) - PHP **8.3** or newer - Full multisite support (the plugin is network-enabled) - Compatible with WooCommerce 8.0+ The plugin modifies **no** core files — it works exclusively through WordPress hooks and filters, so WordPress updates stay safe. ### Installation 1. Download the plugin ZIP from GitHub. 2. In your admin panel: **Plugins → Add New → Upload Plugin**, choose the ZIP, **Install Now**. 3. Click **Activate Plugin**. Alternatively via FTP: upload the `jpkcom-hide-login` folder to `/wp-content/plugins/` and activate it through the **Plugins** menu. **Right after activation:** 1. A success notice shows your new login URL (default: `https://yourdomain.com/jpkcom-login/`). 2. **Bookmark this URL immediately!** 3. Open **Settings → Hide Login** to customize everything. 4. Optionally add your own IP to the whitelist to avoid an accidental lockout. ### Configuration All settings live under **Settings → Hide Login**. #### Custom login slug Enter your desired slug in the **Custom Login URL Slug** field. Forbidden slugs are `login`, `admin`, `dashboard`, `wp-admin` and `wp-login`; the slug must also not clash with an existing page or post URL. After **Save Changes** your login URL becomes `https://yourdomain.com/your-slug/`. #### Brute force protection Protection is automatic. By default the plugin blocks an IP after **5 failed logins** within **60 seconds** for **10 minutes**. Maximum attempts (1–100), the attempt window (1–3600 s) and block duration (1–86400 s) are all configurable. Currently blocked IPs appear under **Currently Blocked IPs**; **Clear All Blocked IPs** lifts every block manually. #### IP whitelist Trusted IPs are never blocked. In the **IP Whitelist** section, enter a single IP (`192.168.1.100`) or a CIDR range (`192.168.1.0/24`, `10.0.0.0/8`) and click **Add to Whitelist**. Your current IP is shown for reference; entries can be removed at any time via **Remove**. #### Multisite Under **Network Admin → Settings → Hide Login (Network)** you can set a network-wide slug for all sites. Leave it empty to let each site choose its own slug. A network-wide slug takes priority over per-site settings. ### Managing via WP-CLI The plugin ships full WP-CLI support: ```bash # Show status and configuration wp jpkcom-hide-login status # Get / set the slug wp jpkcom-hide-login get-slug wp jpkcom-hide-login set-slug my-secure-login # Manage the whitelist (CIDR supported) wp jpkcom-hide-login whitelist list wp jpkcom-hide-login whitelist add 192.168.1.0/24 wp jpkcom-hide-login whitelist remove 192.168.1.100 # Manage blocked IPs wp jpkcom-hide-login blocked list wp jpkcom-hide-login blocked clear # Set thresholds wp jpkcom-hide-login protection max-attempts 10 wp jpkcom-hide-login protection attempt-window 120 wp jpkcom-hide-login protection block-duration 1800 # Clean up expired login attempt data (also runs daily via WP-Cron) wp jpkcom-hide-login cleanup ``` ## Tips & Tricks - **Configure emergency access:** If you forget the login URL, you can force a slug in `wp-config.php` — `define( 'JPKCOM_HIDE_LOGIN_DEFAULT_SLUG', 'emergency-login' );`. As a last resort, renaming the plugin folder via FTP disables the plugin. - **Recover from an IP block:** The block expires on its own after 10 minutes (or your configured duration). Faster routes are SQL — e.g. `DELETE FROM wp_options WHERE option_name = 'jpkcom_hide_login_blocked_ips';` or adding your own IP to `jpkcom_hide_login_ip_whitelist`. - **Custom option names:** The constants `JPKCOM_HIDE_LOGIN_OPTION` and `JPKCOM_HIDE_LOGIN_NETWORK_OPTION` (in `wp-config.php`) let you override the option names for the per-site and network slug. - **REST API & AJAX untouched:** The plugin detects REST, `admin-ajax.php` and WooCommerce AJAX requests and only blocks direct browser access to `wp-login.php` and `wp-admin` for logged-out users. - **WooCommerce compatible:** My Account login, login/logout redirects and the checkout login keep working; password reset emails automatically use the new login URL. - **No overlap with other security plugins:** Disable the dedicated "change login URL" feature in Wordfence, iThemes Security or All in One WP Security so the methods don't interfere. - **Clean uninstall:** On deactivation all options and transients are fully removed — no database residue. ## Further reading - Source code on GitHub: - [This project's changelog](https://www.jpkc.com/db/en/changelog/jpkcom-hide-login/)