Why Am I Still Getting Login Attempts After Hiding My WordPress Login Page?
Content
You installed a login hiding plugin like WPS Hide Login, changed your URL to something complex, and yet your security plugin is still alerting you to a barrage of login attempts. This is a common and confusing experience for many WordPress site owners. The immediate assumption is that the plugin has failed or that the new URL has been leaked.
In the vast majority of cases, the plugin is working correctly. The login attempts are not necessarily targeting your new, hidden URL. Instead, they are likely exploiting another common pathway into your WordPress site. Understanding the difference is key to securing your website effectively.
Why This Happens: It's Usually Not Your Hidden URL
WPS Hide Login successfully does what it promises: it changes the URL of your WordPress login page. Any direct request to yoursite.com/wp-login.php or yoursite.com/wp-admin will return a 404 error, effectively blocking a huge portion of automated bots that only try these default addresses.
However, attackers have more than one way to try to gain access. The most common culprit, as identified in numerous community support threads, is the XML-RPC protocol.
- XML-RPC Attacks: WordPress has a built-in file called
xmlrpc.phpthat enables remote connections to your site. This feature is a legacy system used by some mobile apps and third-party services, but it is also a major target for brute force attacks. Hackers can use this file to submit hundreds of password guesses without ever loading your actual login page. Since these attacks bypass the browser entirely, hiding the login URL does nothing to stop them. Your security plugin will still log these attempts, making it seem like your hidden URL was found. - Other Leakage Points: Your custom login URL might be discovered if it is exposed somewhere publicly on your site. This could happen if it's linked in a visible login button, written in a theme's source code, or accessible through a user registration or comment feature (e.g., a "logged in" link in a comment form).
- It's a Layered Defense: It's important to remember that hiding the login URL is a single layer of security, often called "security through obscurity." It is not an impenetrable shield. A determined attacker or a sophisticated botnet may eventually discover the new path through brute force guessing or other means. This is why it must be used in conjunction with other security measures.
How to Stop the Login Attempts: Actionable Solutions
Based on repeated solutions found in community discussions, here are the most effective steps to take.
- Disable XML-RPC
The number one recommendation across support threads is to disable XML-RPC if you are not using it. You can do this by installing a dedicated plugin like Disable XML-RPC or by adding specific rules to your
.htaccessfile. Many security plugins, such as Wordfence, also include an option to disable XML-RPC pingbacks and authentication within their settings. This single action often stops the vast majority of continued login attempts. - Implement a Limit Login Attempts Plugin
Since hiding the login is not a standalone solution, you must have a way to block brute force attacks. Plugins like Limit Login Attempts Reloaded or WPS Limit Login will automatically ban IP addresses after a certain number of failed login attempts. This protects you against attacks coming through both the hidden login page and XML-RPC.
- Audit Your Site for URL Exposure
View your site's frontend and use your browser's "View Page Source" feature. Search for your custom login slug to see if it appears anywhere in the HTML. Ensure there are no public login forms or links that reveal the URL. Also, check that user registration is disabled in Settings > General if you do not need it.
- Refresh Your Permalinks
If your hidden login page suddenly stops working and the default
wp-adminbecomes accessible again, a simple fix mentioned in the community is to go to Settings > Permalinks and simply click "Save Changes" without making any modifications. This refreshes the rewrite rules and can restore the functionality of WPS Hide Login.
By combining WPS Hide Login with these additional measures—especially disabling XML-RPC and limiting login attempts—you create a robust, multi-layered defense system that will significantly reduce successful attacks and nuisance login attempts.
Related Support Threads Support
-
How to Keep Bots off the Login URLhttps://wordpress.org/support/topic/how-to-keep-bots-off-the-login-url/
-
Wordfence still reports hack attemptshttps://wordpress.org/support/topic/wordfence-still-reports-hack-attempts/
-
hacker still attempting loginhttps://wordpress.org/support/topic/hacker-still-attempting-login/
-
[NSFW] Not sure if this plugin effectivehttps://wordpress.org/support/topic/not-sure-if-this-plugin-effective/
-
Login page being attacked even with plugin activehttps://wordpress.org/support/topic/login-page-being-attacked-even-with-plugin-active/
-
Hackers are finding this admin url that is supposed to be hiddenhttps://wordpress.org/support/topic/hackers-are-finding-this-admin-url-that-is-supposed-to-be-hidden/
-
Plugin doesn’t workhttps://wordpress.org/support/topic/plugin-doesnt-work-290/
-
use for community site?https://wordpress.org/support/topic/use-for-community-site/
-
New login page discovered immediatelyhttps://wordpress.org/support/topic/new-login-page-discovered-immediately/
-
WPS doesn’t stop hackers!https://wordpress.org/support/topic/wps-doesnt-stop-hackers/
-
Not hidden?https://wordpress.org/support/topic/not-hidden/
-
Still Getting People Trying to Log In According to Wordfencehttps://wordpress.org/support/topic/still-getting-people-trying-to-log-in-according-to-wordfence/
-
wp-admin didn’t hide & Plugin didn’t workshttps://wordpress.org/support/topic/wp-admin-didnt-hide-plugin-didnt-works/
-
Can subscribers login through the “new” wp-login replacement URL?https://wordpress.org/support/topic/can-subscribers-login-through-the-new-wp-login-replacement-url/
-
this plugin did any Guarantee for website security level?https://wordpress.org/support/topic/this-plugin-did-any-guarantee-for-website-security-level/
-
Hidden login page still being found by hackershttps://wordpress.org/support/topic/hidden-login-page-still-being-found-by-hackers/
-
Can hackers find out the new login page?https://wordpress.org/support/topic/can-hackers-find-out-the-new-login-page/
-
Still hackers on login pagehttps://wordpress.org/support/topic/still-hackers-on-login-page/
-
It still finds my login with wp hide login, why?https://wordpress.org/support/topic/it-still-finds-my-login-with-wp-hide-login-why/
-
Will plugin resolve issue of host blocking IP due to wp-login.php access attempthttps://wordpress.org/support/topic/will-plugin-resolve-issue-of-host-blocking-ip-due-to-wp-login-php-access-attempt/
-
be aware! This will not help to block hacker/botshttps://wordpress.org/support/topic/be-aware-this-will-not-help-to-block-hacker-bots/
-
How can login attempts be blocked if the login page is hidden?https://wordpress.org/support/topic/how-can-login-attempts-be-blocked-if-the-login-page-is-hidden/
-
Hacker brute force my new login pagehttps://wordpress.org/support/topic/hacker-brute-force-my-new-login-page/
-
Bypassedhttps://wordpress.org/support/topic/bypassed/
-
hackers can find page admin easilyhttps://wordpress.org/support/topic/hackers-can-find-page-admin-easily/
-
Still getting login attempts after changing URLhttps://wordpress.org/support/topic/still-getting-login-attempts-after-changing-url/
-
Log in buttonhttps://wordpress.org/support/topic/log-in-button-2/
-
hackers get by the login easilyhttps://wordpress.org/support/topic/hackers-get-by-the-login-easily/
-
Scrape the url?https://wordpress.org/support/topic/scrape-the-url/
-
Login attempthttps://wordpress.org/support/topic/login-attempt-2/