JPKCom DB
View on GitHub

JPKCom Hide Login — Guide & Tips

Rename the WordPress login URL, enable brute-force protection and whitelist IPs with JPKCom Hide Login — installation, configuration and WP-CLI.

JPKCom Hide Login replaces the default wp-login.php URL with a custom slug of your choice and adds built-in brute force protection with IP blocking and an IP whitelist. Bots scanning for /wp-login.php receive a plain 404 — with no hint where the login actually lives.

Guide

Requirements

  • WordPress 6.9 or newer (tested up to 7.0)
  • PHP 8.3 or newer
  • Full multisite support (the plugin is network-enabled)
  • Compatible with WooCommerce 8.0+

The plugin modifies no core files — it works exclusively through WordPress hooks and filters, so WordPress updates stay safe.

Installation

  1. Download the plugin ZIP from GitHub.
  2. In your admin panel: Plugins → Add New → Upload Plugin, choose the ZIP, Install Now.
  3. Click Activate Plugin.

Alternatively via FTP: upload the jpkcom-hide-login folder to /wp-content/plugins/ and activate it through the Plugins menu.

Right after activation:

  1. A success notice shows your new login URL (default: https://yourdomain.com/jpkcom-login/).
  2. Bookmark this URL immediately!
  3. Open Settings → Hide Login to customize everything.
  4. Optionally add your own IP to the whitelist to avoid an accidental lockout.

Configuration

All settings live under Settings → Hide Login.

Custom login slug

Enter your desired slug in the Custom Login URL Slug field. Forbidden slugs are login, admin, dashboard, wp-admin and wp-login; the slug must also not clash with an existing page or post URL. After Save Changes your login URL becomes https://yourdomain.com/your-slug/.

Brute force protection

Protection is automatic. By default the plugin blocks an IP after 5 failed logins within 60 seconds for 10 minutes. Maximum attempts (1–100), the attempt window (1–3600 s) and block duration (1–86400 s) are all configurable. Currently blocked IPs appear under Currently Blocked IPs; Clear All Blocked IPs lifts every block manually.

IP whitelist

Trusted IPs are never blocked. In the IP Whitelist section, enter a single IP (192.168.1.100) or a CIDR range (192.168.1.0/24, 10.0.0.0/8) and click Add to Whitelist. Your current IP is shown for reference; entries can be removed at any time via Remove.

Multisite

Under Network Admin → Settings → Hide Login (Network) you can set a network-wide slug for all sites. Leave it empty to let each site choose its own slug. A network-wide slug takes priority over per-site settings.

Managing via WP-CLI

The plugin ships full WP-CLI support:

# Show status and configuration
wp jpkcom-hide-login status

# Get / set the slug
wp jpkcom-hide-login get-slug
wp jpkcom-hide-login set-slug my-secure-login

# Manage the whitelist (CIDR supported)
wp jpkcom-hide-login whitelist list
wp jpkcom-hide-login whitelist add 192.168.1.0/24
wp jpkcom-hide-login whitelist remove 192.168.1.100

# Manage blocked IPs
wp jpkcom-hide-login blocked list
wp jpkcom-hide-login blocked clear

# Set thresholds
wp jpkcom-hide-login protection max-attempts 10
wp jpkcom-hide-login protection attempt-window 120
wp jpkcom-hide-login protection block-duration 1800

# Clean up expired login attempt data (also runs daily via WP-Cron)
wp jpkcom-hide-login cleanup

Tips & Tricks

  • Configure emergency access: If you forget the login URL, you can force a slug in wp-config.phpdefine( 'JPKCOM_HIDE_LOGIN_DEFAULT_SLUG', 'emergency-login' );. As a last resort, renaming the plugin folder via FTP disables the plugin.
  • Recover from an IP block: The block expires on its own after 10 minutes (or your configured duration). Faster routes are SQL — e.g. DELETE FROM wp_options WHERE option_name = 'jpkcom_hide_login_blocked_ips'; or adding your own IP to jpkcom_hide_login_ip_whitelist.
  • Custom option names: The constants JPKCOM_HIDE_LOGIN_OPTION and JPKCOM_HIDE_LOGIN_NETWORK_OPTION (in wp-config.php) let you override the option names for the per-site and network slug.
  • REST API & AJAX untouched: The plugin detects REST, admin-ajax.php and WooCommerce AJAX requests and only blocks direct browser access to wp-login.php and wp-admin for logged-out users.
  • WooCommerce compatible: My Account login, login/logout redirects and the checkout login keep working; password reset emails automatically use the new login URL.
  • No overlap with other security plugins: Disable the dedicated "change login URL" feature in Wordfence, iThemes Security or All in One WP Security so the methods don't interfere.
  • Clean uninstall: On deactivation all options and transients are fully removed — no database residue.

Further reading