Block wp-login

By webd.uk

Description

Block Access to wp-login.php

This plugin does the following:

1) Locates wp-login.php in your WordPress installation and duplicates it
2) Locates .htaccess and inserts lines to block the default wp-login.php and creates a new secret address to use for legitimate login
3) Allows you to reduce load on the server by optionally blocking admin-ajax.php, wp-cron.php, xmlrpc.php and robots.txt

When installed, your server will return “403 Forbidden” when attempts are made to access the default wp-login.php file. This has two benefits: it prevents hackers from using brute force methods to hack your website, and it reduces the load on the server when such brute force attacks are launched on your site, as WordPress isn’t run at all.

Installation

Easily prevent access to the default wp-login.php file:

1) Install Block wp-login automatically or by uploading the ZIP file.
2) Activate the plugin through the ‘Plugins’ menu in WordPress.
3) Once activated, visit “Settings – Permalinks” in the admin menu.
4) At the bottom of the page tick the box next to “Block wp-login”
5) Make sure you make a note of the new address you will need to use to sign in and confirm
6) Choose if you would also like to block admin-ajax.php, wp-cron.php, xmlrpc.php and robots.txt
7) Save the settings

Although this plugin now detects when WordPress has been upgraded and re-installs itself, you should still make sure you deactivate this plugin before upgrading WordPress core.

FAQ

  • What is /wp-login.php ?
    This is the login page for WordPress; hundreds or thousands of hits to this page are not normal and are almost certainly a brute force attempt to hack the admin password.

  • What is /wp-admin/admin-ajax.php ?
    This is a WordPress core feature which is used to provide functionality to the control panel when things need to happen without you leaving the current page. Features include (but are not limited to) automatic saving of posts, updating of plugins on the plugin page and viewing of the media library when adding media to a page. Some WordPress Themes and Plugins also make use of this script so you should thoroughly test your site if you decide to block admin-ajax.php.

  • What is /wp-cron.php ?
    This is a WordPress core feature which is used to perform scheduled tasks in the background. Tasks include (but are not limited to) scheduling of posts to go live in the future and automatic updates of the WordPress core. If you’re not too bothered about scheduled posts and you manually keep your WordPress core up-to-date, you can probably block this script. However, popular plugins like Wordfence make use of it to keep an eye on your website and inform you when things need attention.

  • What is /xmlrpc.php ?
    This is a WordPress core feature which allows users to publish to their WordPress website remotely. This feature has been abused in the past and has been used to brute force admin passwords. If you don’t use another program to publish content to your WordPress website then we believe you should block this script.

  • What is /robots.txt ?
    This file tells search engines what can and can’t be crawled and indexed from your website. So excessive hits to this file are quite normal but can be very detrimental to the load on your server if the file doesn’t exist. Why? Because WordPress will create an automatic version of this file which fires up the entire WordPress core to in turn serve a very small file. So, if you don’t have a robots.txt file, you may as well block access to it.
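
A way to check the behaviour described above against an Apache access log, as an added example that is not part of the plugin or its documentation: it counts hits per client on the endpoints the plugin can block and separates requests answered with 403 from those still served. The combined log format, WordPress installed at the site root, the threshold of 100 and all sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Endpoints the plugin can block (paths assume WordPress at the site root).
WATCHED = ("/wp-login.php", "/wp-admin/admin-ajax.php", "/wp-cron.php",
           "/xmlrpc.php", "/robots.txt")

# Apache "combined" log format: client IP, request path, status code.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                     r'"[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def summarize(lines):
    """Count hits per (ip, endpoint), split into served and blocked (403)."""
    served, blocked = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or non-HTTP request line
        path = m["path"].split("?", 1)[0]  # drop the query string
        if path in WATCHED:
            counter = blocked if m["status"] == "403" else served
            counter[(m["ip"], path)] += 1
    return served, blocked

def suspects(served, blocked, threshold=100):
    """(ip, endpoint) pairs whose total hits reach the assumed threshold."""
    return sorted(k for k, n in (served + blocked).items() if n >= threshold)

def still_reachable(served, endpoint="/wp-login.php"):
    """Clients that received a non-403 answer from a blocked endpoint."""
    return sorted({ip for (ip, path) in served if path == endpoint})

def _line(ip, method, path, status):
    # Constructed sample line, not taken from a real server.
    return (f'{ip} - - [01/Jan/2020:10:00:00 +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "sample-agent"')

SAMPLE = (
    [_line("203.0.113.7", "POST", "/wp-login.php", 200)] * 250    # block off
    + [_line("203.0.113.7", "POST", "/wp-login.php", 403)] * 400  # block on
    + [_line("198.51.100.4", "GET", "/wp-login.php?action=lostpassword", 200)]
    + [_line("192.0.2.9", "GET", "/robots.txt", 403)] * 3
    + [_line("192.0.2.9", "GET", "/index.php", 200)]
)

if __name__ == "__main__":
    served, blocked = summarize(SAMPLE)
    print("suspects:", suspects(served, blocked))
    print("wp-login.php still served to:", still_reachable(served))
```

Run over log entries written after the block is enabled, `still_reachable` should come back empty for `/wp-login.php`; any client it lists is still reaching the default login file.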

Reviews

Great protection against hackers

andybull 8 January 2018
Adds a reassuring additional level of security against hackers

A valuable tool

f5nn9s3f8 21 April 2017
A valuable tool to combat security issues facing WordPress users.

Great way to secure login page

wchetwode 17 April 2017
Works a treat, thanks for this clever plugin. Highly recommended!

Great

domic2303 13 April 2017
great, easy and supportive.

Neat way to secure the login page

mikepepler 11 April 2017
This is a useful plugin, making it easy to hide your wp login page, for protection from brute-force attacks. Well worth installing!

Contributors & Developers

“Block wp-login” is open source software. The following people have contributed to this plugin.

Contributors
  • Oliver Campion

“Block wp-login” has been translated into 1 locale. Thank you to the translators for their contributions.


Changelog

1.3.7

  • Yet more fixes for compatibility with WordPress 5.3

1.3.6

  • Further fixes for compatibility with WordPress 5.3

1.3.5

  • Fixed a bug that blocked Admin Email Verification in WordPress 5.3

1.3.4

  • Integrated plugin with new Deny All Firewall plugin

1.3.3

  • Plugin now allows password protected posts and pages to work

1.3.2

  • Important security update

1.3.1

  • Important security update

1.3.0

  • Automated upgrade activation facility
  • Bug fixes

1.2.4

  • Bug fix

1.2.3

  • Updating new developer / activation domain
  • Updating tested version

1.2.2

  • Bug fixes.

1.2.1

  • WordPress upgrade email re-worded

1.2.0

  • Plugin now automatically detects when WordPress has been upgraded and re-installs itself.
  • Bug fixed for when wp_mail() isn’t working

1.1.7

  • Bug fixes.

1.1.6

  • Plugin now upgrades automatically when activated if licensed.

1.1.5

  • Plugin is now internationalised ready for translation.
  • Help banner admin notice now appears until plugin has been configured.
  • Added help links on the settings page and added this information to the FAQ.
  • Minor bug fixes.

1.1.4

  • Blocking admin-ajax.php now allows commands when initiated from /wp-admin/.
  • Blank user or site owner emails won’t break saving settings.
  • Duplicate emails are not sent now when site owner and user email addresses are the same.
  • Options to block admin-ajax.php, wp-cron.php, xmlrpc.php and robots.txt are disabled until wp-login.php block is activated.

1.1.3

  • Plugin now emails all Administrators and the email set in General Settings with the new login URL.

1.1.2

  • Added option to block admin-ajax.php, wp-cron.php, xmlrpc.php and robots.txt for the free plugin.

1.1.1

  • Bug fixes.
  • Option to block wp-cron.php, admin-ajax.php and robots.txt for upgraded plugin.

1.1.0

  • Plugin re-written to make use of « Settings – Permalinks » so upgraded plugin can choose custom login slug.
  • Plugin now reverses changes when deactivated.
  • Plugin creates random login slug.

1.0.0

  • First, beta version of the plugin.

Meta

  • Version: 1.3.7
  • Last updated: 4 weeks ago
  • Active installations: 500+
  • WordPress Version: 3.5.0 or higher
  • Tested up to: 5.3.1
  • Languages: English (UK) and English (US).
  • Tags: login security, secure, security, security plugin, wordpress security

Ratings

  • 5 stars: 5
  • 4 stars: 0
  • 3 stars: 0
  • 2 stars: 0
  • 1 star: 0
