{"id":314739,"date":"2026-06-24T23:52:50","date_gmt":"2026-06-24T23:52:50","guid":{"rendered":"https:\/\/wordpress.org\/plugins\/defyn-security-manager\/"},"modified":"2026-06-24T23:52:11","modified_gmt":"2026-06-24T23:52:11","slug":"defyn-security-manager","status":"publish","type":"plugin","link":"https:\/\/wordpress.org\/plugins\/defyn-security-manager\/","author":23220588,"comment_status":"closed","ping_status":"closed","template":"","meta":{"version":"1.1.0","stable_tag":"1.1.0","tested":"6.8.5","requires":"5.8","requires_php":"7.4","requires_plugins":null,"header_name":"Defyn Security Manager","header_author":"Defyn","header_description":"Hide the WordPress login behind a custom URL. Throttle brute-force attempts, enforce two-factor authentication, restrict access by IP and time, and audit every login event from a built-in activity log.","assets_banners_color":"102c37","last_updated":"2026-06-24 23:52:11","external_support_url":"","external_repository_url":"","donate_link":"","header_plugin_uri":"https:\/\/defyn.com.au\/plugins\/defyn-security-manager","header_author_uri":"https:\/\/defyn.com.au","rating":0,"author_block_rating":0,"active_installs":0,"downloads":32,"num_ratings":0,"support_threads":0,"support_threads_resolved":0,"author_block_count":0,"sections":["description","installation","faq","changelog"],"tags":{"1.1.0":{"tag":"1.1.0","author":"defyndigital","date":"2026-06-24 23:52:11"}},"upgrade_notice":{"1.1.0":"<p>Adds REST API and XML-RPC two-factor enforcement, opt-in API hiding, and a one-click clear-lockouts control.<\/p>"},"ratings":[],"assets_icons":{"icon-128x128.png":{"filename":"icon-128x128.png","revision":3585503,"resolution":"128x128","location":"assets","locale":"","width":128,"height":128},"icon-256x256.png":{"filename":"icon-256x256.png","revision":3585503,"resolution":"256x256","location":"assets","locale":"","width":256,"height":256}},"assets_banners":{"banner-1544x500.png":{"filename":"banner-1544x500.png","revision":3585503,"resolution":"1544x500","location":"assets","locale":"","width":1544,"height":500},"banner-772x250.png":{"filename":"banner-772x250.png","revision":3585503,"resolution":"772x250","location":"assets","locale":"","width":772,"height":250}},"assets_blueprints":{},"all_blocks":[],"tagged_versions":["1.1.0"],"block_files":[],"assets_screenshots":[],"screenshots":{"1":"Settings screen for choosing your hidden login URL and the response for the old login addresses.","2":"Brute-force protection and login-limit controls, including the clear-lockouts button.","3":"Two-factor authentication setup with TOTP and backup codes.","4":"Activity log showing login attempts, lockouts and scans."}},"plugin_section":[],"plugin_tags":[2439,25642,602,600,9217],"plugin_category":[38,54],"plugin_contributors":[263223],"plugin_business_model":[],"class_list":["post-314739","plugin","type-plugin","status-publish","hentry","plugin_tags-brute-force","plugin_tags-hide-login","plugin_tags-login","plugin_tags-security","plugin_tags-two-factor","plugin_category-authentication","plugin_category-security-and-spam-protection","plugin_contributors-defyndigital","plugin_committers-defyndigital"],"banners":{"banner":"https:\/\/ps.w.org\/defyn-security-manager\/assets\/banner-772x250.png?rev=3585503","banner_2x":"https:\/\/ps.w.org\/defyn-security-manager\/assets\/banner-1544x500.png?rev=3585503","banner_rtl":false,"banner_2x_rtl":false},"icons":{"svg":false,"icon":"https:\/\/ps.w.org\/defyn-security-manager\/assets\/icon-128x128.png?rev=3585503","icon_2x":"https:\/\/ps.w.org\/defyn-security-manager\/assets\/icon-256x256.png?rev=3585503","generated":false},"screenshots":[],"raw_content":"<!--section=description-->\n<p><strong>Defyn Security Manager is a lightweight WordPress security plugin that hides your login page and locks down the back end.<\/strong> Most attacks on WordPress start at one predictable place: <code>\/wp-admin<\/code> and <code>\/wp-login.php<\/code>. Defyn Security Manager moves that door, throttles attackers, adds two-factor authentication, and records every attempt so you always know who is knocking.<\/p>\n\n<p>No bloat, no upsell walls, and no account required. Install it, choose a secret login slug, and your login page disappears from bots and scanners.<\/p>\n\n<h4>What it does<\/h4>\n\n<ul>\n<li><strong>Hide the WordPress login URL.<\/strong> Replace <code>\/wp-admin<\/code> and <code>\/wp-login.php<\/code> with any custom login URL you choose, so automated bots and brute-force scripts hit a dead end.<\/li>\n<li><strong>Decoy or 404 the old URLs.<\/strong> Decide what attackers see at the original login addresses: a 404, a redirect, or a decoy login screen.<\/li>\n<li><strong>Brute-force protection.<\/strong> Limit login attempts and automatically lock out IP addresses after repeated failures, with a one-click control to clear active lockouts.<\/li>\n<li><strong>Two-factor authentication (2FA).<\/strong> Add TOTP-based two-factor authentication using Google Authenticator, Authy, 1Password, Microsoft Authenticator or Bitwarden, complete with backup codes and per-role enforcement.<\/li>\n<li><strong>REST API and XML-RPC protection.<\/strong> Extend two-factor enforcement to the REST API and XML-RPC, with optional API hiding to shrink your attack surface.<\/li>\n<li><strong>Time-window access control.<\/strong> Only allow logins during the hours and days you actually work, and block everything else.<\/li>\n<li><strong>IP allowlisting.<\/strong> Optionally restrict back-end access to trusted IP addresses or CIDR ranges.<\/li>\n<li><strong>Activity log and audit trail.<\/strong> See login attempts, lockouts, scans of your old login URLs, and settings changes in one searchable log.<\/li>\n<li><strong>Email alerts.<\/strong> Get notified about lockouts, scans, and logins from new IP addresses.<\/li>\n<\/ul>\n\n<h4>Why choose Defyn Security Manager<\/h4>\n\n<ul>\n<li><strong>Fast and focused.<\/strong> A purpose-built login-security and login-hardening plugin, not a heavyweight suite that slows your site down.<\/li>\n<li><strong>Recovery built in.<\/strong> A documented emergency kill switch means you can never permanently lock yourself out.<\/li>\n<li><strong>Privacy friendly.<\/strong> Your data stays on your site. Nothing is sent to a third-party service.<\/li>\n<li><strong>Built by an agency.<\/strong> Maintained by <a href=\"https:\/\/defyn.com.au\">Defyn<\/a>, an Australian web design and development studio that runs this plugin on client sites every day.<\/li>\n<\/ul>\n\n<p>Defyn Security Manager is ideal for anyone who wants to hide wp-admin, stop brute-force login attempts, limit login attempts, add 2FA to WordPress, and keep a clear security audit trail.<\/p>\n\n<!--section=installation-->\n<ol>\n<li>In your dashboard, go to <strong>Plugins, Add New<\/strong>, search for \"Defyn Security Manager\", then click <strong>Install Now<\/strong> and <strong>Activate<\/strong>. You can also upload the plugin folder to <code>\/wp-content\/plugins\/<\/code> via SFTP.<\/li>\n<li>Go to <strong>Defyn Security, Settings<\/strong> and set your custom hidden login URL.<\/li>\n<li>Choose what visitors see at the old <code>\/wp-admin<\/code> and <code>\/wp-login.php<\/code> addresses, then turn on brute-force throttling, time-window access, or IP allowlisting as needed.<\/li>\n<li>Open the <strong>Two-Factor<\/strong> tab to enable 2FA and, if you want, enforce it per role.<\/li>\n<li>Bookmark your new login URL and store your 2FA backup codes somewhere safe before you log out.<\/li>\n<\/ol>\n\n<!--section=faq-->\n<dl>\n<dt id=\"how%20do%20i%20hide%20the%20wordpress%20login%20page%3F\"><h3>How do I hide the WordPress login page?<\/h3><\/dt>\n<dd><p>Activate the plugin, open <strong>Defyn Security, Settings<\/strong>, and enter a custom slug for your login URL. From then on your login page lives at that secret address, and <code>\/wp-admin<\/code> and <code>\/wp-login.php<\/code> return a 404, a redirect, or a decoy screen, whichever you choose.<\/p><\/dd>\n<dt id=\"i%20have%20locked%20myself%20out.%20how%20do%20i%20recover%3F\"><h3>I have locked myself out. How do I recover?<\/h3><\/dt>\n<dd><p>The fastest fix is to add this line to <code>wp-config.php<\/code>:<\/p>\n\n<pre><code>define( 'DEFYN_BEM_DISABLE', true );\n<\/code><\/pre>\n\n<p>This bypasses all login interception so <code>\/wp-admin<\/code> and <code>\/wp-login.php<\/code> work normally again. A yellow admin notice reminds you to remove the line once you are back in. Your settings and 2FA data are kept.<\/p>\n\n<p>If you cannot edit <code>wp-config.php<\/code>, rename the plugin folder over SFTP from <code>defyn-security-manager<\/code> to <code>defyn-security-manager.disabled<\/code>. WordPress deactivates the plugin on the next page load. Rename it back when you are ready to re-enable.<\/p><\/dd>\n<dt id=\"does%20it%20work%20behind%20cloudflare%20or%20a%20load%20balancer%3F\"><h3>Does it work behind Cloudflare or a load balancer?<\/h3><\/dt>\n<dd><p>Yes. Define <code>DEFYN_BEM_TRUST_PROXY<\/code> in <code>wp-config.php<\/code> so the plugin honours <code>X-Forwarded-For<\/code> and <code>CF-Connecting-IP<\/code> headers when detecting the visitor IP address.<\/p><\/dd>\n<dt id=\"which%20authenticator%20apps%20work%20with%20the%202fa%20feature%3F\"><h3>Which authenticator apps work with the 2FA feature?<\/h3><\/dt>\n<dd><p>Any app that supports standard RFC 6238 TOTP, including Google Authenticator, Authy, 1Password, Microsoft Authenticator and Bitwarden.<\/p><\/dd>\n<dt id=\"will%20hiding%20the%20login%20url%20break%20my%20site%20or%20rest%20api%3F\"><h3>Will hiding the login URL break my site or REST API?<\/h3><\/dt>\n<dd><p>No. Front-end pages, the REST API and normal site behaviour keep working. Only the human login entry points move, and you can layer two-factor enforcement on top of the REST API and XML-RPC separately.<\/p><\/dd>\n<dt id=\"does%20it%20slow%20down%20my%20website%3F\"><h3>Does it slow down my website?<\/h3><\/dt>\n<dd><p>No. The plugin only runs its checks on login and admin requests, so it has no measurable impact on front-end page speed.<\/p><\/dd>\n<dt id=\"can%20i%20use%20it%20on%20a%20multisite%20network%3F\"><h3>Can I use it on a multisite network?<\/h3><\/dt>\n<dd><p>This release supports single-site activation only. Network-wide multisite support is on the roadmap.<\/p><\/dd>\n\n<\/dl>\n\n<!--section=changelog-->\n<h4>1.1.0<\/h4>\n\n<ul>\n<li>Added: two-factor enforcement for the REST API and XML-RPC.<\/li>\n<li>Added: opt-in API hiding to reduce the attack surface.<\/li>\n<li>Added: \"Clear lockouts\" control in the admin UI.<\/li>\n<li>Fixed: authentication filters now run at priority 95 and 96 so a WP_Error survives the full filter chain.<\/li>\n<li>Fixed: login URL interception now hooks on setup_theme instead of plugins_loaded for more reliable behaviour.<\/li>\n<\/ul>\n\n<h4>1.0.0<\/h4>\n\n<ul>\n<li>Initial release.<\/li>\n<\/ul>","raw_excerpt":"Hide wp-admin behind a custom login URL and stop brute-force attacks with two-factor authentication, login limits, IP rules and an activity log.","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/314739","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"replies":[{"embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=314739"}],"author":[{"embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wporg\/v1\/users\/defyndigital"}],"wp:attachment":[{"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=314739"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=314739"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=314739"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_category?post=314739"},{"taxonomy":"plugin_contributors","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_contributors?post=314739"},{"taxonomy":"plugin_business_model","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_business_model?post=314739"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}