Title: Defyn Security Manager – Hide Login, 2FA & Brute-Force Protection Author: Defyn Published: June 24, 2026 Last modified: June 24, 2026 --- Search plugins ![](https://ps.w.org/defyn-security-manager/assets/banner-772x250.png?rev=3585503) ![](https://ps.w.org/defyn-security-manager/assets/icon-256x256.png?rev=3585503) # Defyn Security Manager – Hide Login, 2FA & Brute-Force Protection By [Defyn](https://profiles.wordpress.org/defyndigital/) [Download](https://downloads.wordpress.org/plugin/defyn-security-manager.1.1.0.zip) * [Details](https://wordpress.org/plugins/defyn-security-manager/#description) * [Reviews](https://wordpress.org/plugins/defyn-security-manager/#reviews) * [Installation](https://wordpress.org/plugins/defyn-security-manager/#installation) * [Development](https://wordpress.org/plugins/defyn-security-manager/#developers) [Support](https://wordpress.org/support/plugin/defyn-security-manager/) ## Description **Defyn Security Manager is a lightweight WordPress security plugin that hides your login page and locks down the back end.** Most attacks on WordPress start at one predictable place: `/wp-admin` and `/wp-login.php`. Defyn Security Manager moves that door, throttles attackers, adds two-factor authentication, and records every attempt so you always know who is knocking. No bloat, no upsell walls, and no account required. Install it, choose a secret login slug, and your login page disappears from bots and scanners. #### What it does * **Hide the WordPress login URL.** Replace `/wp-admin` and `/wp-login.php` with any custom login URL you choose, so automated bots and brute-force scripts hit a dead end. * **Decoy or 404 the old URLs.** Decide what attackers see at the original login addresses: a 404, a redirect, or a decoy login screen. * **Brute-force protection.** Limit login attempts and automatically lock out IP addresses after repeated failures, with a one-click control to clear active lockouts. * **Two-factor authentication (2FA).** Add TOTP-based two-factor authentication using Google Authenticator, Authy, 1Password, Microsoft Authenticator or Bitwarden, complete with backup codes and per-role enforcement. * **REST API and XML-RPC protection.** Extend two-factor enforcement to the REST API and XML-RPC, with optional API hiding to shrink your attack surface. * **Time-window access control.** Only allow logins during the hours and days you actually work, and block everything else. * **IP allowlisting.** Optionally restrict back-end access to trusted IP addresses or CIDR ranges. * **Activity log and audit trail.** See login attempts, lockouts, scans of your old login URLs, and settings changes in one searchable log. * **Email alerts.** Get notified about lockouts, scans, and logins from new IP addresses. #### Why choose Defyn Security Manager * **Fast and focused.** A purpose-built login-security and login-hardening plugin, not a heavyweight suite that slows your site down. * **Recovery built in.** A documented emergency kill switch means you can never permanently lock yourself out. * **Privacy friendly.** Your data stays on your site. Nothing is sent to a third- party service. * **Built by an agency.** Maintained by [Defyn](https://defyn.com.au), an Australian web design and development studio that runs this plugin on client sites every day. Defyn Security Manager is ideal for anyone who wants to hide wp-admin, stop brute- force login attempts, limit login attempts, add 2FA to WordPress, and keep a clear security audit trail. ## Installation 1. In your dashboard, go to **Plugins, Add New**, search for “Defyn Security Manager”, then click **Install Now** and **Activate**. You can also upload the plugin folder to `/wp-content/plugins/` via SFTP. 2. Go to **Defyn Security, Settings** and set your custom hidden login URL. 3. Choose what visitors see at the old `/wp-admin` and `/wp-login.php` addresses, then turn on brute-force throttling, time-window access, or IP allowlisting as needed. 4. Open the **Two-Factor** tab to enable 2FA and, if you want, enforce it per role. 5. Bookmark your new login URL and store your 2FA backup codes somewhere safe before you log out. ## FAQ ### How do I hide the WordPress login page? Activate the plugin, open **Defyn Security, Settings**, and enter a custom slug for your login URL. From then on your login page lives at that secret address, and`/ wp-admin` and `/wp-login.php` return a 404, a redirect, or a decoy screen, whichever you choose. ### I have locked myself out. How do I recover? The fastest fix is to add this line to `wp-config.php`: ``` define( 'DEFYN_BEM_DISABLE', true ); ``` This bypasses all login interception so `/wp-admin` and `/wp-login.php` work normally again. A yellow admin notice reminds you to remove the line once you are back in. Your settings and 2FA data are kept. If you cannot edit `wp-config.php`, rename the plugin folder over SFTP from `defyn- security-manager` to `defyn-security-manager.disabled`. WordPress deactivates the plugin on the next page load. Rename it back when you are ready to re-enable. ### Does it work behind Cloudflare or a load balancer? Yes. Define `DEFYN_BEM_TRUST_PROXY` in `wp-config.php` so the plugin honours `X- Forwarded-For` and `CF-Connecting-IP` headers when detecting the visitor IP address. ### Which authenticator apps work with the 2FA feature? Any app that supports standard RFC 6238 TOTP, including Google Authenticator, Authy, 1Password, Microsoft Authenticator and Bitwarden. ### Will hiding the login URL break my site or REST API? No. Front-end pages, the REST API and normal site behaviour keep working. Only the human login entry points move, and you can layer two-factor enforcement on top of the REST API and XML-RPC separately. ### Does it slow down my website? No. The plugin only runs its checks on login and admin requests, so it has no measurable impact on front-end page speed. ### Can I use it on a multisite network? This release supports single-site activation only. Network-wide multisite support is on the roadmap. ## Reviews There are no reviews for this plugin. ## Contributors & Developers “Defyn Security Manager – Hide Login, 2FA & Brute-Force Protection” is open source software. The following people have contributed to this plugin. Contributors * [ Defyn ](https://profiles.wordpress.org/defyndigital/) [Translate “Defyn Security Manager – Hide Login, 2FA & Brute-Force Protection” into your language.](https://translate.wordpress.org/projects/wp-plugins/defyn-security-manager) ### Interested in development? [Browse the code](https://plugins.trac.wordpress.org/browser/defyn-security-manager/), check out the [SVN repository](https://plugins.svn.wordpress.org/defyn-security-manager/), or subscribe to the [development log](https://plugins.trac.wordpress.org/log/defyn-security-manager/) by [RSS](https://plugins.trac.wordpress.org/log/defyn-security-manager/?limit=100&mode=stop_on_copy&format=rss). ## Changelog #### 1.1.0 * Added: two-factor enforcement for the REST API and XML-RPC. * Added: opt-in API hiding to reduce the attack surface. * Added: “Clear lockouts” control in the admin UI. * Fixed: authentication filters now run at priority 95 and 96 so a WP_Error survives the full filter chain. * Fixed: login URL interception now hooks on setup_theme instead of plugins_loaded for more reliable behaviour. #### 1.0.0 * Initial release. ## Meta * Version **1.1.0** * Last updated **13 hours ago** * Active installations **Fewer than 10** * WordPress version ** 5.8 or higher ** * Tested up to **6.8.5** * PHP version ** 7.4 or higher ** * Tags * [Brute Force](https://wordpress.org/plugins/tags/brute-force/)[hide login](https://wordpress.org/plugins/tags/hide-login/) [login](https://wordpress.org/plugins/tags/login/)[security](https://wordpress.org/plugins/tags/security/) [two factor](https://wordpress.org/plugins/tags/two-factor/) * [Advanced View](https://wordpress.org/plugins/defyn-security-manager/advanced/) ## Ratings No reviews have been submitted yet. [Your review](https://wordpress.org/support/plugin/defyn-security-manager/reviews/#new-post) [See all reviews](https://wordpress.org/support/plugin/defyn-security-manager/reviews/) ## Contributors * [ Defyn ](https://profiles.wordpress.org/defyndigital/) ## Support Got something to say? Need help? [View support forum](https://wordpress.org/support/plugin/defyn-security-manager/)