From Login Protection page you can:
- Block access to wp-login.php
- Set a new URL for login page
- Ban IPs that fail to log in multiple times in a given period of time
- Set a specific time, where in between users can log in to WordPress
- Enable a possibility to set up Two Factor Authentication from WordPress site
- Add IP addresses (which should never be blocked no matter how many failed login attempts), to whitelist
- Block certain IP addresses from being able to log in
If you define a new URL for login, it works like a security token for your wp-admin.
Let's say you enter "myadmin" to the New URL field.
Now, to login to your WordPress admin panel, you need to visit "yoursite.com/myadmin".
Once you visit this URL, your IP gets whitelisted and from that moment on, you can login from the regular "yoursite.com/wp-admin" again.
Visitors from other IP addresses need to know your token - in that case "myadmin" - to whitelist their IP and be able to log in to /wp-admin.
Updated 5 months ago