Title: wp-login
Last modified: August 22, 2016

---

# wp-login

 *  [Dahu73](https://wordpress.org/support/users/dahu73/)
 * (@dahu73)
 * [11 years, 3 months ago](https://wordpress.org/support/topic/wp-login-13/)
 * Hello,
 * I use the free version, and I use the option “Hide Login Area”:
 * _Hides the login page (wp-login.php, wp-admin, admin and login) making it harder
   to find by automated attacks and making it easier for users unfamiliar with the
   WordPress platform._
 * It’s OK for: wp-admin, admin, login
 * **but not working for : /wp-login**
 * Can you help me please ?
    Best regards, Olivier
 * [https://wordpress.org/plugins/better-wp-security/](https://wordpress.org/plugins/better-wp-security/)

Viewing 11 replies - 1 through 11 (of 11 total)

 *  [dwinden](https://wordpress.org/support/users/dwinden/)
 * (@dwinden)
 * [11 years, 3 months ago](https://wordpress.org/support/topic/wp-login-13/#post-5695790)
 * Olivier,
 * Are you referring to /wp-login or /wp-login.php ?
 * I guess you’re saying that despite enabling the iTSec plugin “Hide Login Area”
   setting, the /wp-login.php URL still allows access to the WP login screen ?
 * Please clarify.
 * dwinden
 *  [Kurpa](https://wordpress.org/support/users/kurpa/)
 * (@kurpa)
 * [11 years, 3 months ago](https://wordpress.org/support/topic/wp-login-13/#post-5696003)
 * I have the same issue: the wp-login.php URL still allows access to the WP login
   screen.
 * Thanks
 *  [dwinden](https://wordpress.org/support/users/dwinden/)
 * (@dwinden)
 * [11 years, 3 months ago](https://wordpress.org/support/topic/wp-login-13/#post-5696005)
 * Please make sure the “Enable the hide backend feature” checkbox is ticked in
   the Settings tab, “Hide Login Area” section.
 * Are you using any caching plugin? Which browser are you using? Have you already
   tried clearing the browser cache? Also confirm you are using iTSec 4.5.10 (or
   higher) in WP 4.1
 * If possible please provide me with your URL.
 * dwinden
 *  Thread Starter [Dahu73](https://wordpress.org/support/users/dahu73/)
 * (@dahu73)
 * [11 years, 3 months ago](https://wordpress.org/support/topic/wp-login-13/#post-5696017)
 * Hi,
 * Thanks for your help. I give you some responses below.
 * >> Are you referring to /wp-login or /wp-login.php ?
    [https://www.domain.com/wp-login](https://www.domain.com/wp-login)
   [https://www.domain.com/wp-login/](https://www.domain.com/wp-login/) These 2 URLs
   still allow access to the WP login screen
 * but it works for:
    [https://www.domain.com/wp-login.php](https://www.domain.com/wp-login.php)
   => produces a 404
 * >> make sure the “Enable the hide backend feature” checkbox is ticked
    It’s OK
 * >> Are you using any caching plugin ?
    No. I’m on a preprod server
 * >> Have you already tried clearing the browser cache ?
    Yes. Local cache is clear.
 * >> Also confirm you are using iTSec 4.5.10 (or higher) in WP 4.1
    Version 4.6.2 in WP 4.1
 * >> If possible please provide me with your URL.
    Sorry. Not possible: not accessible from external
 *  [dwinden](https://wordpress.org/support/users/dwinden/)
 * (@dwinden)
 * [11 years, 3 months ago](https://wordpress.org/support/topic/wp-login-13/#post-5696024)
 * If the iTSec plugin was not installed recently and it has been updated in the
   past there may be some outdated RewriteRule lines left in the .htaccess file 
   eg:
 * `RewriteRule ^wp-login/?$ /wp-login.php?awxz3zc03winl3fq0gwcr [R,L]`
 * That would explain …
    Remove such outdated RewriteRule lines from the .htaccess
   file. Or post the content of the .htaccess file and I’ll take a look at it …
 * dwinden
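
The check suggested above, as an added example (not part of the thread or of the iTSec plugin): it lists every `RewriteRule` that ends at wp-login.php, flags those whose pattern is not the configured slug, and reports which request paths reach the login script. The sample input is constructed from the outdated rule quoted above and the Hide Backend rule in the .htaccess posted later in the thread; the function names are hypothetical, and `RewriteCond`, `RewriteBase` and rule order are ignored.

```python
import re

# One RewriteRule directive: pattern, substitution, optional [flags].
RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?\s*$")

# Constructed sample: the current Hide Backend rule plus the outdated rule
# quoted in the thread. Assumption: patterns are simple enough that Python's
# re module matches them the same way mod_rewrite does.
SAMPLE_HTACCESS = r"""# BEGIN Hide Backend
RewriteRule ^(/actualite/)?tagadac/?$ /actualite/wp-login.php [QSA,L]
# END Hide Backend
RewriteRule ^wp-login/?$ /wp-login.php?awxz3zc03winl3fq0gwcr [R,L]
RewriteRule ^index\.php$ - [L]
"""

def login_rules(text):
    """Return (line_no, pattern, target) for each rule that ends at wp-login.php."""
    rules = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = RULE_RE.match(line)
        if not m:
            continue  # comments, blank lines, other directives
        pattern, target = m.group(1), m.group(2)
        # Drop the query string, then keep only the script name.
        script = target.split("?", 1)[0].rsplit("/", 1)[-1]
        if script == "wp-login.php":
            rules.append((line_no, pattern, target))
    return rules

def stale_rules(text, slug):
    """Login rewrites whose pattern does not mention the configured slug."""
    return [rule for rule in login_rules(text) if slug not in rule[1]]

def exposed_paths(text, candidates):
    """Map each request path to the line of the rule sending it to the login script."""
    rules = login_rules(text)
    return {
        path: next((no for no, pat, _ in rules if re.search(pat, path)), None)
        for path in candidates
    }

if __name__ == "__main__":
    for no, pat, target in stale_rules(SAMPLE_HTACCESS, "tagadac"):
        print(f"line {no}: {pat} -> {target} (not the configured slug)")
    print(exposed_paths(SAMPLE_HTACCESS, ["tagadac", "wp-login", "wp-login/", "login"]))
```
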
 *  Thread Starter [Dahu73](https://wordpress.org/support/users/dahu73/)
 * (@dahu73)
 * [11 years, 3 months ago](https://wordpress.org/support/topic/wp-login-13/#post-5696042)
 * Thanks for your response.
    I give you my htaccess file below :
 *     ```
       # BEGIN iThemes Security
               # BEGIN Hide Backend
                               # Rules to hide the dashboard
                               RewriteRule ^(/actualite/)?tagadac/?$ /actualite/wp-login.php [QSA,L]
   
               # END Hide Backend
               # BEGIN Tweaks
                       # Rules to block access to WordPress specific files
                       <files .htaccess>
                               Order allow,deny
                               Deny from all
                       </files>
                       <files readme.html>
                               Order allow,deny
                               Deny from all
                       </files>
                       <files readme.txt>
                               Order allow,deny
                               Deny from all
                       </files>
                       <files install.php>
                               Order allow,deny
                               Deny from all
                       </files>
                       <files wp-config.php>
                               Order allow,deny
                               Deny from all
                       </files>
   
                       # Rules to disable XML-RPC
                       <files xmlrpc.php>
                               Order allow,deny
                               Deny from all
                       </files>
   
                       # Rules to disable directory browsing
                       Options -Indexes
   
                       <IfModule mod_rewrite.c>
                               RewriteEngine On
   
                               # Rules to protect wp-includes
                               RewriteRule ^wp-admin/includes/ - [F]
                               RewriteRule !^wp-includes/ - [S=3]
                               RewriteCond %{SCRIPT_FILENAME} !^(.*)wp-includes/ms-files.php
                               RewriteRule ^wp-includes/[^/]+\.php$ - [F]
                               RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F]
                               RewriteRule ^wp-includes/theme-compat/ - [F]
   
                               # Rules to prevent php execution in uploads
                               RewriteRule ^(.*)/uploads/(.*).php(.?) - [F]
   
                               # Rules to block unneeded HTTP methods
                               RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK) [NC]
                               RewriteRule ^(.*)$ - [F]
   
                               # Rules to block suspicious URIs
                               RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
                               RewriteCond %{QUERY_STRING} ^.*\.(bash|git|hg|log|svn|swp|cvs) [NC,OR]
                               RewriteCond %{QUERY_STRING} etc/passwd [NC,OR]
                               RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
                               RewriteCond %{QUERY_STRING} ftp\:  [NC,OR]
                               RewriteCond %{QUERY_STRING} http\:  [NC,OR]
                               RewriteCond %{QUERY_STRING} https\:  [NC,OR]
                               RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
                               RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
                               RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
                               RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR]
                               RewriteCond %{QUERY_STRING} ^.*(127\.0).* [NC,OR]
                               RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
                               RewriteCond %{QUERY_STRING} ^.*(request|concat|insert|union|declare).* [NC]
                               RewriteCond %{QUERY_STRING} !^loggedout=true
                               RewriteCond %{QUERY_STRING} !^action=jetpack-sso
                               RewriteCond %{QUERY_STRING} !^action=rp
                               RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$
                               RewriteCond %{HTTP_REFERER} !^http://maps\.googleapis\.com(.*)$
                               RewriteRule ^(.*)$ - [F]
                       </IfModule>
               # END Tweaks
       # END iThemes Security
   
       # BEGIN WordPress
       <IfModule mod_rewrite.c>
       RewriteEngine On
       RewriteBase /actualite/
       RewriteRule ^index\.php$ - [L]
       RewriteCond %{REQUEST_FILENAME} !-f
       RewriteCond %{REQUEST_FILENAME} !-d
       RewriteRule . /actualite/index.php [L]
       </IfModule>
   
       # END WordPress
       ```
   
 *  [dwinden](https://wordpress.org/support/users/dwinden/)
 * (@dwinden)
 * [11 years, 3 months ago](https://wordpress.org/support/topic/wp-login-13/#post-5696044)
 * Olivier,
 * Your .htaccess looks absolutely fine.
 * If you are using Apache webserver also check your Apache conf file for any
   “wp-login” redirects …
 * Also confirm you are using “tagadac” as the new login slug (instead of wp-admin).
   Test it by accessing:
    [https://www.domain.com/tagadac](https://www.domain.com/tagadac)
   or [https://www.domain.com/actualite/tagadac](https://www.domain.com/actualite/tagadac)
 * If there are no wp-login redirects in Apache conf file try to determine whether
   this issue is caused by something other than the iTSec plugin by temporarily renaming
   the “better-wp-security” directory …
    Then test whether you are still able to
   access the WP login screen using wp-login … (clear cache). (Don’t forget to rename
   the directory back to its original name after the test …)
 * Please confirm you have SSL (https) enabled …
 * dwinden
 *  Thread Starter [Dahu73](https://wordpress.org/support/users/dahu73/)
 * (@dahu73)
 * [11 years, 3 months ago](https://wordpress.org/support/topic/wp-login-13/#post-5696045)
 * dwinden,
 * [https://www.domain.com/actualite/tagadac](https://www.domain.com/actualite/tagadac)
   works fine
    so SSL is well enabled, and the slug works fine.
 * I have no rewrite rule in my apache SSL conf about wp-login.
 * My only problem is
    [https://www.domain.com/actualite/wp-login](https://www.domain.com/actualite/wp-login)
   or [https://www.domain.com/actualite/wp-login/](https://www.domain.com/actualite/wp-login/)
 * don’t redirect to
    [https://www.domain.com/actualite/tagadac](https://www.domain.com/actualite/tagadac)
 * Can I add a rule like this ?
 * `RewriteRule ^(/actualite/)?wp-login?$ /actualite/tagadac`
 *  Thread Starter [Dahu73](https://wordpress.org/support/users/dahu73/)
 * (@dahu73)
 * [11 years, 3 months ago](https://wordpress.org/support/topic/wp-login-13/#post-5696046)
 * Oops
 * Can I add a rule like this ?
 * `RewriteRule ^(/actualite/)?wp-login?$ /actualite/`
 *  [dwinden](https://wordpress.org/support/users/dwinden/)
 * (@dwinden)
 * [11 years, 3 months ago](https://wordpress.org/support/topic/wp-login-13/#post-5696047)
 * I think it is possible to add such a rule …
    But it would be better to solve
   the real issue. As far as I know in a vanilla WP 4.1 env (with or without iTSec
   plugin installed and “Hide login Area” feature enabled) wp-login and/or wp-login/
   should not work … (but I could be wrong).
 * Unless the wp-login folder actually exists …
 * This looks more and more like a general WP issue …
 * First disable “Hide login Area” in the iTSec plugin (just to be sure rename the
   .htaccess as well).
    Then see whether wp-login and/or wp-login/ still redirect
   to the WP login screen ? If so, this is not an iTSec plugin issue.
 * dwinden
 *  [dwinden](https://wordpress.org/support/users/dwinden/)
 * (@dwinden)
 * [11 years, 3 months ago](https://wordpress.org/support/topic/wp-login-13/#post-5696050)
 * To be sure I performed some WP tests (non SSL).
 * In a vanilla WP 4.1 environment **BEFORE enabling Permalinks**:
 * – admin, login and wp-login (or wp-login/) result in: NOT FOUND The requested
   URL /whatever/admin was not found on this server.
    – wp-admin redirects to wp-login.php
 * In a vanilla WP 4.1 environment **AFTER enabling Permalinks**:
    – admin, login and wp-admin redirect to wp-login.php
    – wp-login (or wp-login/) results in: Oops! That page can’t be found. (But
   displays as a page in the theme layout. No redirect visible in browser address
   bar). Apache access_log shows 404.
 * dwinden


The topic ‘wp-login’ is closed to new replies.


 * 11 replies
 * 3 participants
 * Last reply from: [dwinden](https://wordpress.org/support/users/dwinden/)
 * Last activity: [11 years, 3 months ago](https://wordpress.org/support/topic/wp-login-13/#post-5696050)
 * Status: not resolved