If you manage a WordPress website, or many of them like me, it doesn’t take long before you understand that there are lots of hackers out there always trying to break your login and gain access to your site. There are brute force protection plugins available, but if you or just a handful of people are the only ones accessing your website, why even let anyone else see the login page at all?
For a while I got in the habit of renaming the wp-login.php page. This stopped access attempts, but the extra steps to open up the login access and then close it again was a pain in the rear. Plus I needed file access to do it.
So I brainstormed and came up with a better idea which seems to be working well so far. It keeps everyone out but me.
The basic idea is a PIN that you pass to the wp-login.php page. If the correct PIN is not in the URL when fetching the page, the user is never shown the login form, instead a simple white page that says “Missing Proper Credentials”.
To reach your website’s login, you add a query string to the URL, like so…
You set the pin you want by simply editing the top line in the plugin’s PHP file before you install it, or use the default PIN which will be revealed upon your purchase.