Description
This plugin forbids access to https://example.com/wp-login.php and creates new urls, like https://example.com/login or https://example.com/logout.
This is a great way to limit bots trying to brute-force your login (trying to guess your login and password). Of course, the new URLs are easier to remember too.
Also remember: the use of this plugin does NOT exempt you to use a strong password. Moreover, never use “admin” as login, this is the first attempt for bots.
By the way, if you are looking for a complete security solution, take a look at SecuPress: Move Login is included inside.
Multisite
Yes! The plugin must be activated from your network.
Note 1: this plugin deals only with wp-login.php, not with wp-signup.php nor with wp-activate.php (yet). That means https://example.com/register will still redirect to https://example.com/wp-signup.php. I think this will be the next step though, but no ETA.
Note 2: if users/sites registrations are open, you shouldn’t use this plugin yet. There are some places where the log in address is hard coded and not filterable. A bug ticket is open.
Requirements
- As of version 2.4, at least PHP 5.3 is required.
- You will need a FTP access: if the
.htaccess/web.configfile is not writable (you will need to add the given rules manually), or if something is wrong and you can’t log in anymore (see the FAQ in that case). - Should work on IIS7+ servers but not tested (I guess you should probably save a copy of your
web.configfile before the plugin activation). - For Nginx servers, the rewrite rules are not written automatically of course, but they are provided as information in the plugin settings page.