مەزمۇنغا ئاتلاش
WordPress.org

ئۇيغۇرچە

  • ئۆرنەكلەر
  • قىستۇرمىلار
  • خەۋەرلەر
  • قوللاش
  • ھەققىدە
  • WordPress كە ئېرىشىش
WordPress كە ئېرىشىش
WordPress.org

Plugin Directory

Defyn Security Manager – Hide Login, 2FA & Brute-Force Protection

  • قىستۇرما تاپشۇرۇڭ
  • ياقتۇرغانلىرىم
  • تىزىمغا كىرىڭ
  • قىستۇرما تاپشۇرۇڭ
  • ياقتۇرغانلىرىم
  • تىزىمغا كىرىڭ

Defyn Security Manager – Hide Login, 2FA & Brute-Force Protection

يازغۇچى Defyn
چۈشۈر
  • تەپسىلاتلار
  • باھالاشلار
  • ئورنىتىش
  • ئىجادىيەت
قوللاش

چۈشەندۈرۈش

Defyn Security Manager is a lightweight WordPress security plugin that hides your login page and locks down the back end. Most attacks on WordPress start at one predictable place: /wp-admin and /wp-login.php. Defyn Security Manager moves that door, throttles attackers, adds two-factor authentication, and records every attempt so you always know who is knocking.

No bloat, no upsell walls, and no account required. Install it, choose a secret login slug, and your login page disappears from bots and scanners.

What it does

  • Hide the WordPress login URL. Replace /wp-admin and /wp-login.php with any custom login URL you choose, so automated bots and brute-force scripts hit a dead end.
  • Decoy or 404 the old URLs. Decide what attackers see at the original login addresses: a 404, a redirect, or a decoy login screen.
  • Brute-force protection. Limit login attempts and automatically lock out IP addresses after repeated failures, with a one-click control to clear active lockouts.
  • Two-factor authentication (2FA). Add TOTP-based two-factor authentication using Google Authenticator, Authy, 1Password, Microsoft Authenticator or Bitwarden, complete with backup codes and per-role enforcement.
  • REST API and XML-RPC protection. Extend two-factor enforcement to the REST API and XML-RPC, with optional API hiding to shrink your attack surface.
  • Time-window access control. Only allow logins during the hours and days you actually work, and block everything else.
  • IP allowlisting. Optionally restrict back-end access to trusted IP addresses or CIDR ranges.
  • Activity log and audit trail. See login attempts, lockouts, scans of your old login URLs, and settings changes in one searchable log.
  • Email alerts. Get notified about lockouts, scans, and logins from new IP addresses.

Why choose Defyn Security Manager

  • Fast and focused. A purpose-built login-security and login-hardening plugin, not a heavyweight suite that slows your site down.
  • Recovery built in. A documented emergency kill switch means you can never permanently lock yourself out.
  • Privacy friendly. Your data stays on your site. Nothing is sent to a third-party service.
  • Built by an agency. Maintained by Defyn, an Australian web design and development studio that runs this plugin on client sites every day.

Defyn Security Manager is ideal for anyone who wants to hide wp-admin, stop brute-force login attempts, limit login attempts, add 2FA to WordPress, and keep a clear security audit trail.

ئورنىتىش

  1. In your dashboard, go to Plugins, Add New, search for «Defyn Security Manager», then click Install Now and Activate. You can also upload the plugin folder to /wp-content/plugins/ via SFTP.
  2. Go to Defyn Security, Settings and set your custom hidden login URL.
  3. Choose what visitors see at the old /wp-admin and /wp-login.php addresses, then turn on brute-force throttling, time-window access, or IP allowlisting as needed.
  4. Open the Two-Factor tab to enable 2FA and, if you want, enforce it per role.
  5. Bookmark your new login URL and store your 2FA backup codes somewhere safe before you log out.

FAQ

How do I hide the WordPress login page?

Activate the plugin, open Defyn Security, Settings, and enter a custom slug for your login URL. From then on your login page lives at that secret address, and /wp-admin and /wp-login.php return a 404, a redirect, or a decoy screen, whichever you choose.

I have locked myself out. How do I recover?

The fastest fix is to add this line to wp-config.php:

define( 'DEFYN_BEM_DISABLE', true );

This bypasses all login interception so /wp-admin and /wp-login.php work normally again. A yellow admin notice reminds you to remove the line once you are back in. Your settings and 2FA data are kept.

If you cannot edit wp-config.php, rename the plugin folder over SFTP from defyn-security-manager to defyn-security-manager.disabled. WordPress deactivates the plugin on the next page load. Rename it back when you are ready to re-enable.

Does it work behind Cloudflare or a load balancer?

Yes. Define DEFYN_BEM_TRUST_PROXY in wp-config.php so the plugin honours X-Forwarded-For and CF-Connecting-IP headers when detecting the visitor IP address.

Which authenticator apps work with the 2FA feature?

Any app that supports standard RFC 6238 TOTP, including Google Authenticator, Authy, 1Password, Microsoft Authenticator and Bitwarden.

Will hiding the login URL break my site or REST API?

No. Front-end pages, the REST API and normal site behaviour keep working. Only the human login entry points move, and you can layer two-factor enforcement on top of the REST API and XML-RPC separately.

Does it slow down my website?

No. The plugin only runs its checks on login and admin requests, so it has no measurable impact on front-end page speed.

Can I use it on a multisite network?

This release supports single-site activation only. Network-wide multisite support is on the roadmap.

باھالاشلار

بۇ قىستۇرمىغا تېخى باھا يېزىلمىدى.

تۆھپىكار ۋە ئىجادكار

«Defyn Security Manager – Hide Login, 2FA & Brute-Force Protection» كودى ئوچۇق يۇمشاق دېتال. تۆۋەندىكى كىشىلەر بۇ قىستۇرمىغا تۆھپە قوشقان.

تۆھپىكار
  • Defyn

«Defyn Security Manager – Hide Login, 2FA & Brute-Force Protection» نى تىلىڭىزغا تەرجىمە قىلىڭ

ئىجادىيەتكە قىزىقامسىز؟

كودقا كۆز يۈگۈرتۈپ، SVN خەزىنە تەكشۈرۈپ ياكى RSSئارقىلىق ئىجادىيەت خاتىرىسىگە مۇشتەرى بولغىلى بولىدۇ.

ئۆزگىرىش خاتىرىسى

1.1.0

  • Added: two-factor enforcement for the REST API and XML-RPC.
  • Added: opt-in API hiding to reduce the attack surface.
  • Added: «Clear lockouts» control in the admin UI.
  • Fixed: authentication filters now run at priority 95 and 96 so a WP_Error survives the full filter chain.
  • Fixed: login URL interception now hooks on setup_theme instead of plugins_loaded for more reliable behaviour.

1.0.0

  • Initial release.

Meta

  • Version 1.1.0
  • ئاخىرقى يېڭىلانغان ۋاقىت 2 ھەپتە بۇرۇن
  • ئاكتىپ ئورنىتىش سانى 10+
  • WordPress نەشرى 5.8 ياكى يۇقىرى
  • 6.8.5 دا سىنالغان
  • PHP نەشرى 7.4 ياكى يۇقىرى
  • تىل
    English (US)
  • بەلگە
    Brute Forcehide loginloginsecuritytwo factor
  • ئالىي كۆرۈنۈش

دەرىجە

No reviews have been submitted yet.

Your review

بارلىق ئىنكاسنى كۆرسەت

تۆھپىكار

  • Defyn

قوللاش

چۈشەندۈرۈشىڭىز بارمۇ؟ ياردەم لازىممۇ؟

قوللاش مۇنبىرىنى كۆرسەت

  • ھەققىدە
  • خەۋەر
  • مۇلازىمىتىر
  • شەخسىيەت
  • كۆرگەزمە
  • ئۆرنەكلەر
  • قىستۇرمىلار
  • ئەندىزە
  • ئۈگىنىش
  • قوللاش
  • ئىجادكارلار
  • WordPress.tv ↖
  • قاتناشقان
  • پائالىيەت
  • ئىئانە ↖
  • Five for the Future
  • WordPress.com ↖
  • Matt ↖
  • bbPress ↖
  • BuddyPress ↖
WordPress.org
WordPress.org

ئۇيغۇرچە

  • Visit our X (formerly Twitter) account
  • Bluesky ھېساباتىمىزنى زىيارەت قىلىڭ
  • Visit our Mastodon account
  • Threads ھېساباتىمىزنى زىيارەت قىلىڭ
  • Facebook بېتىمىزنى زىيارەت قىلىڭ
  • Instagram ھېساباتىمىزنى زىيارەت قىلىڭ
  • LinkedIn ھېساباتىمىزنى زىيارەت قىلىڭ
  • TikTok ھېساباتىمىزنى زىيارەت قىلىڭ
  • YouTube قانىلىمىزنى زىيارەت قىلىڭ
  • Tumblr ھېساباتىمىزنى زىيارەت قىلىڭ
كود شېئىرغا ئوخشايدۇ.
The WordPress® trademark is the intellectual property of the WordPress Foundation.