• functioneer

    (@functioneer)


    Hi All

    I know there are many posts on renaming wp-login.php to prevent hacking in this forum, and there is a rename-wp-login plugin. But none of these is what we want.

    What we have done:
    We renamed wp-login.php to wp-login.php_blocked, wp-admin to wp-admin_blocked, /wp-admin/admin-ajax.php to /wp-admin/admin-ajax.php_blocked. When we need to log in to go to the dashboard, we undo the renaming. This has been working quite well in protecting our site. According to our access logs, there have been many hacking attempts trying to load wp-login.php and of course they were unsuccessful.

    The problem is that during these brute force hacking attempts, the CPU usage of our co-hosted server almost maxed out – and we then got a nasty warning from our co-hosting vendor. The reason for the high CPU usage is that WordPress does not direct to an error 404 page when it cannot find wp-login.php. WordPress does not let Apache do the loading of wp-login.php. Instead, there is probably some code in WordPress trying to load wp-login.php and it obviously tries very hard to load the page before giving up, thus causing the high CPU usage.

    We don’t want to use any plugin to rename wp-login.php and wp-admin. We also don’t want to use SSL for the login page or add .htaccess basic authentication. Renaming wp-login.php to wp-login.php_blocked is, in our opinion, the safest way to harden WordPress in our case (since we only need to log in as admin to go to the dashboard, which isn’t very often) – because changing the extension to php_blocked renders the script non-loadable by PHP. We would like to modify the WordPress code which does the loading of the wp-login.php page so that it will not even try to load wp-login.php at all. Can somebody identify the code for us?

    Thank you very much in anticipation.
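
The post mentions access logs showing repeated requests for wp-login.php. As an added example (not part of the original post), this Python sketch tallies requests for the renamed paths in Apache combined-format log lines and flags clients whose request rate inside a sliding window reaches a threshold. The sample lines, IP addresses, window and threshold are constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Apache combined log format: client, timestamp, request line, status.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def is_renamed_target(path):
    """True for the paths the post renames: wp-login.php and anything under wp-admin."""
    path = path.split("?", 1)[0]
    return path in ("/wp-login.php", "/wp-admin") or path.startswith("/wp-admin/")

def scan(lines, window=timedelta(minutes=1), threshold=5):
    """Return (status_counts, flagged); flagged maps a client IP to its peak
    number of requests for renamed paths inside any one window."""
    statuses, hits = Counter(), defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m or not is_renamed_target(m["path"]):
            continue
        statuses[m["status"]] += 1
        hits[m["ip"]].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # shrink window from the left
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return statuses, flagged

def sample_log():
    """Constructed sample lines (documentation IP ranges, made-up date and sizes)."""
    burst = [f'203.0.113.7 - - [10/Jan/2024:03:15:{s:02d} +0000] '
             f'"POST /wp-login.php HTTP/1.1" 404 5120 "-" "-"' for s in range(0, 60, 10)]
    other = ['198.51.100.20 - - [10/Jan/2024:03:16:05 +0000] '
             '"GET /wp-admin/admin-ajax.php?action=x HTTP/1.1" 404 5120 "-" "-"',
             '198.51.100.20 - - [10/Jan/2024:03:16:09 +0000] "GET /about/ HTTP/1.1" 200 8300 "-" "-"']
    return burst + other

if __name__ == "__main__":
    statuses, flagged = scan(sample_log())
    print("status codes for renamed paths:", dict(statuses))
    print("clients over threshold:", flagged)
```

The status tally shows how the server answered requests for the renamed paths, and the per-client peak gives a basis for rate limiting or blocking at the web server or firewall.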

The topic ‘Renaming wp-login.php and wp-admin’ is closed to new replies.