Skip to content
WordPress.org
  • Showcase
  • Plugins
  • Themes
  • Hosting
  • News
    • Learn WordPress
    • Documentation
    • Education
    • Forums
    • Developers
    • Blocks
    • Patterns
    • Photos
    • Openverse ↗︎
    • WordPress.tv ↗︎
    • About WordPress
    • Make WordPress
    • Events
    • Five for the Future
    • Enterprise
    • Gutenberg ↗︎
    • Job Board ↗︎
    • Swag Store ↗︎
  • Get WordPress
Get WordPress
WordPress.org

Plugin Directory

HSArticle Login Warden

  • Submit a plugin
  • My favorites
  • Log in
  • Submit a plugin
  • My favorites
  • Log in

HSArticle Login Warden

By hsarticle
Download
  • Details
  • Reviews
  • Installation
  • Development
Support

Description

Most “hide login” plugins only do one thing: change the URL of wp-login.php. HSArticle Login Warden does that too, but it’s built around a wider goal — make it harder for anyone to find or confirm who has access to your WordPress admin in the first place. Hiding the login form doesn’t help much if your usernames are still leaking out through three other doors, so HSArticle Login Warden closes those too, all as optional one-click toggles.

It doesn’t rename or modify any core files, and it doesn’t add rewrite rules — it simply intercepts requests for wp-login.php and /wp-admin and shows a 404 (or redirects) to logged-out visitors, while your chosen custom URL loads the real login form.

Custom login URL

  • Set any custom login URL slug
  • Choose what logged-out visitors see when they hit the old login page or /wp-admin: a 404 page, a redirect to your homepage, or a redirect to any custom URL
  • Your current login URL is always visible on the settings page with a one-click Copy button, so you never lose track of it
  • Built-in conflict check — you can’t accidentally set your login slug to something that collides with an existing page or post

Optional hardening toggles

  • Disable XML-RPC (xmlrpc.php) — a second, often-forgotten login door and a common brute-force target
  • Generic login error messages — stops WordPress confirming whether a failed login had a real username or not
  • Block username enumeration via ?author=1, ?author=2, etc. — stops one of the most common ways real usernames get discovered
  • Hide the /wp-json/wp/v2/users REST endpoint from logged-out requests — this lists every username on your site by default

None of these toggles track, log, or store anything about your visitors — they simply stop information from leaking out. All logged-in functionality (dashboard, admin, post editing) works completely normally; every toggle here only affects logged-out visitors.

Deactivating the plugin brings your site back to its default state immediately.

Installation

  1. Go to Plugins > Add New.
  2. Search for “HSArticle Login Warden”.
  3. Install and activate.
  4. You’ll be redirected to Settings > HSArticle Login Warden — set your new login URL there and save.
  5. Bookmark your new login URL before you log out!

FAQ

I forgot my login URL!

Check the hsarlowa_settings row in your site’s wp_options database table, or deactivate the plugin (via FTP/file manager if needed) to restore the default wp-login.php URL.

Does this work with caching plugins?

Yes, but if you use a page-caching plugin, exclude your new login URL from the cache the same way you would for any dynamic page.

Will disabling XML-RPC break anything?

It will stop the classic WordPress mobile apps, the old XML-RPC based publishing tools, and some Jetpack features that rely on it from working. Most modern sites using the REST API instead are unaffected. Leave it unchecked if you’re unsure.

Will blocking ?author= links break my author archive pages?

No. Only the numeric query-string form (?author=1) is blocked for logged-out visitors. Normal pretty-permalink author pages (/author/yourname/) keep working exactly as before.

Will hiding the REST users endpoint break the block editor?

No. /wp/v2/users/me (used by the block editor for the currently logged-in user) is untouched. Only the endpoints that list every username to logged-out requests are hidden.

Will this break my site if I forget to bookmark the new URL?

No. Deactivating the plugin (via FTP/file manager if needed, by renaming the plugin folder) immediately restores the default wp-login.php URL.

Reviews

There are no reviews for this plugin.

Contributors & Developers

“HSArticle Login Warden” is open source software. The following people have contributed to this plugin.

Contributors
  • hsarticle

Translate “HSArticle Login Warden” into your language.

Interested in development?

Browse the code, check out the SVN repository, or subscribe to the development log by RSS.

Changelog

1.0.0

  • Initial release.

Meta

  • Version 1.0.0
  • Last updated 14 hours ago
  • Active installations Fewer than 10
  • WordPress version 5.6 or higher
  • Tested up to 7.0.2
  • PHP version 7.4 or higher
  • Tags
    custom login urlhide loginlogin securitywp loginxmlrpc
  • Advanced View

Ratings

No reviews have been submitted yet.

Your review

See all reviews

Contributors

  • hsarticle

Support

Got something to say? Need help?

View support forum

  • About
  • News
  • Hosting
  • Privacy
  • Showcase
  • Themes
  • Plugins
  • Patterns
  • Learn
  • Documentation
  • Developers
  • WordPress.tv ↗
  • Get Involved
  • Events
  • Donate ↗
  • Five for the Future
  • WordPress.com ↗
  • Matt ↗
  • bbPress ↗
  • BuddyPress ↗
WordPress.org
WordPress.org
  • Visit our X (formerly Twitter) account
  • Visit our Bluesky account
  • Visit our Mastodon account
  • Visit our Threads account
  • Visit our Facebook page
  • Visit our Instagram account
  • Visit our LinkedIn account
  • Visit our TikTok account
  • Visit our YouTube channel
  • Visit our Tumblr account
Code is Poetry
The WordPress® trademark is the intellectual property of the WordPress Foundation.