Description
Secure Login Shield helps you lock down your WordPress login page.
By default, WordPress exposes /wp-login.php and /wp-admin/. Bots hammer these URLs every day.
This plugin gives you a private login slug (e.g. /dragon-lair) and hides the default login endpoint:
- Defaults to
/wp-login.phpuntil you change it. - Once changed, only your custom slug works.
- Direct access to
/wp-login.phpshows a 404 Not Found (stealth mode). - Logged-out visitors hitting
/wp-admin/are redirected to the homepage. - Deactivate the plugin everything reverts to normal.
Made with ❤️ by Ben Treder
Features
- Private login slug (e.g.
/dragon-lair,/control-center,/secret-gate) - Stealth 404 protection: Bots hitting
/wp-login.phpsee “Not Found” - Homepage redirect:
/wp-admin/(logged out) homepage - Easy settings page under Settings Secure Login Shield
- Safe activation/deactivation: no core hacks, auto-reverts when disabled
Contribute & Support
- Website: BenTreder.com
- Author: Ben Treder
- Issues & Feature Requests: Please open a ticket on BenTreder.com
- Like this plugin? ⭐ Leave a review and help spread the word!
- ☕ Support development: Buy Me a Coffee
Screenshots
Settings page showing the default login slug (/wp-login.php) 
Settings page with a custom private slug (/dragon-lair)
Installation
- Upload the
secure-login-shieldfolder to the/wp-content/plugins/directory or install via Plugins Add New Upload. - Activate the plugin through the «Plugins» menu in WordPress.
- Go to Settings Secure Login Shield.
- Set your private slug (example:
dragon-lair). - Go to Settings Permalinks Save Changes (refresh rewrite rules).
- If you use a caching plugin or CDN, clear cache to avoid stale redirects.
- Log in using
https://yoursite.com/dragon-lair.
Important: Bookmark your new login URL! If you forget it, you’ll need to disable the plugin via FTP or database.
FAQ
-
Will this break my site?
-
No. By default it uses
/wp-login.phpuntil you change it. Deactivating the plugin instantly reverts WordPress to normal behavior. -
Can I completely block /wp-login.php?
-
Yes. Once you set a slug,
/wp-login.php(and actions) return a 404 Not Found. -
What if I forget my private slug?
-
Deactivate the plugin via FTP (delete or rename
secure-login-shield). WordPress will go back to/wp-login.php. -
Does this work with caching plugins or CDNs?
-
Yes, but after changing your slug, you should clear cache/CDN to avoid serving stale redirects.
Reviews
Contributors & Developers
“Secure Login Shield” is open source software. The following people have contributed to this plugin.
Contributors
Translate “Secure Login Shield” into your language.
Interested in development?
Browse the code, check out the SVN repository, or subscribe to the development log by RSS.
Changelog
2.0.5
- Corrected WordPress.org release versioning after the Secure Login Shield audit.
- Confirmed WordPress 7.0 compatibility metadata.
- Kept the free plugin focused on private login URL protection, stealth 404 behavior, and logged-out wp-admin redirect protection.
1.3.0
- Rebrand to Secure Login Shield by Ben Treder
- Default slug remains
/wp-login.php(safe on first install) - Added activation notice: Save permalinks + clear cache after activation
- Stealth 404 mode enforced when custom slug is chosen
- Homepage redirect for logged-out visits to
/wp-admin/
1.2.0
- Added stealth 404 mode
- Improved security enforcement
1.1.0
- Redirected /wp-admin/ homepage for logged-out users
1.0.0
- Initial release with custom login slug + wp-login.php block