Description
Most “hide login” plugins only do one thing: change the URL of wp-login.php. HSArticle Login Warden does that too, but it’s built around a wider goal — make it harder for anyone to find or confirm who has access to your WordPress admin in the first place. Hiding the login form doesn’t help much if your usernames are still leaking out through three other doors, so HSArticle Login Warden closes those too, all as optional one-click toggles.
It doesn’t rename or modify any core files, and it doesn’t add rewrite rules — it simply intercepts requests for wp-login.php and /wp-admin and shows a 404 (or redirects) to logged-out visitors, while your chosen custom URL loads the real login form.
Custom login URL
- Set any custom login URL slug
- Choose what logged-out visitors see when they hit the old login page or /wp-admin: a 404 page, a redirect to your homepage, or a redirect to any custom URL
- Your current login URL is always visible on the settings page with a one-click Copy button, so you never lose track of it
- Built-in conflict check — you can’t accidentally set your login slug to something that collides with an existing page or post
Optional hardening toggles
- Disable XML-RPC (xmlrpc.php) — a second, often-forgotten login door and a common brute-force target
- Generic login error messages — stops WordPress confirming whether a failed login had a real username or not
- Block username enumeration via ?author=1, ?author=2, etc. — stops one of the most common ways real usernames get discovered
- Hide the /wp-json/wp/v2/users REST endpoint from logged-out requests — this lists every username on your site by default
None of these toggles track, log, or store anything about your visitors — they simply stop information from leaking out. All logged-in functionality (dashboard, admin, post editing) works completely normally; every toggle here only affects logged-out visitors.
Deactivating the plugin brings your site back to its default state immediately.
Installation
- Go to Plugins > Add New.
- Search for “HSArticle Login Warden”.
- Install and activate.
- You’ll be redirected to Settings > HSArticle Login Warden — set your new login URL there and save.
- Bookmark your new login URL before you log out!
FAQ
-
I forgot my login URL!
-
Check the
hsarlowa_settingsrow in your site’swp_optionsdatabase table, or deactivate the plugin (via FTP/file manager if needed) to restore the default wp-login.php URL. -
Does this work with caching plugins?
-
Yes, but if you use a page-caching plugin, exclude your new login URL from the cache the same way you would for any dynamic page.
-
Will disabling XML-RPC break anything?
-
It will stop the classic WordPress mobile apps, the old XML-RPC based publishing tools, and some Jetpack features that rely on it from working. Most modern sites using the REST API instead are unaffected. Leave it unchecked if you’re unsure.
-
No. Only the numeric query-string form (?author=1) is blocked for logged-out visitors. Normal pretty-permalink author pages (/author/yourname/) keep working exactly as before.
-
Will hiding the REST users endpoint break the block editor?
-
No. /wp/v2/users/me (used by the block editor for the currently logged-in user) is untouched. Only the endpoints that list every username to logged-out requests are hidden.
-
Will this break my site if I forget to bookmark the new URL?
-
No. Deactivating the plugin (via FTP/file manager if needed, by renaming the plugin folder) immediately restores the default wp-login.php URL.
Reviews
There are no reviews for this plugin.
Contributors & Developers
“HSArticle Login Warden” is open source software. The following people have contributed to this plugin.
ContributorsTranslate “HSArticle Login Warden” into your language.
Interested in development?
Browse the code, check out the SVN repository, or subscribe to the development log by RSS.
Changelog
1.0.0
- Initial release.
