Description
MSC Stealth Login provides comprehensive protection for your WordPress login page, blocking attackers while keeping your site accessible to legitimate users.
Stealth Login URL
Change your login page from /wp-login.php to a custom URL like /secure-login/. Attackers scanning for standard WordPress login pages will be blocked before they can even attempt a brute force attack.
wp-admin Protection
Block direct access to /wp-admin/ for users who aren’t logged in. They’ll be redirected to your custom login page instead, preventing exposure of your admin area.
Brute Force Protection
After failed login attempts, MSC Stealth Login progressively increases lockout durations. First-time offenders wait 15 minutes; repeat offenders face increasingly longer delays. This stops automated attacks while minimizing disruption to real users who mistype their password.
Email Notifications
Stay informed about security events with configurable email alerts:
- Lockout notifications when IPs are blocked
- Admin login alerts for every administrator sign-in
- New IP alerts when users log in from previously unseen locations
Login History & Export
Track all login attempts with detailed logging. Filter by IP address, username, result type, or date range. Export reports to CSV for security audits.
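The changelog entry for 1.0.7 mentions CSV formula injection prevention for exports, which matters here because the username and user agent columns hold values chosen by whoever submitted the login attempt. The following is an added example, not the plugin's own code; the function names and sample rows are constructed for illustration.

```php
<?php
// Added illustration, not MSC Stealth Login's code.
// Function names, column order and sample rows are assumptions.

/** Neutralise a cell that a spreadsheet would evaluate as a formula. */
function csv_safe_cell(string $value): string
{
    // A leading =, +, -, @, tab or carriage return makes common spreadsheet
    // applications parse the cell as a formula; a leading apostrophe forces text.
    if ($value !== '' && strpbrk($value[0], "=+-@\t\r") !== false) {
        return "'" . $value;
    }
    return $value;
}

/** Write login history rows to an open stream with every cell neutralised. */
function export_login_history(array $rows, $stream): void
{
    fputcsv($stream, ['time', 'ip', 'username', 'user_agent', 'result'], ',', '"', '\\');
    foreach ($rows as $row) {
        // fputcsv() handles quoting and delimiters; csv_safe_cell() handles formulas.
        fputcsv($stream, array_map('csv_safe_cell', $row), ',', '"', '\\');
    }
}

// Constructed sample rows: the second one carries formula-like text in the
// fields that come straight from the login request.
$rows = [
    ['2024-01-01 10:00:00', '203.0.113.7', 'admin', 'Mozilla/5.0', 'failed'],
    ['2024-01-01 10:00:05', '203.0.113.7', '=1+1', '+constructed-agent', 'failed'],
];

$out = fopen('php://output', 'w');
export_login_history($rows, $out);
fclose($out);
```

The apostrophe prefix also applies to legitimate values that start with a minus sign, which is acceptable for the text columns of a login log.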
XML-RPC & REST API Protection
Disable vulnerable XML-RPC endpoints commonly exploited for brute force attacks. Block REST API user enumeration that lets attackers harvest usernames.
IP Whitelist
Bypass protection for trusted IP addresses. Add your office, home, or server IPs to ensure uninterrupted access while maintaining maximum security for everyone else.
Progressive Lockout System
Unlike simple lockouts that reset immediately, MSC Stealth Login uses a multiplier system. Each successive lockout doubles the wait time (15 min → 30 min → 60 min → 120 min). The multiplier resets after 24 hours without an attempt, balancing security with usability.
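The schedule described above, written out as an added PHP example; it is not the plugin's own code. The function name, the per-IP state array and the cap on doublings are assumptions, while the 15-minute base, the doubling and the 24-hour reset come from the description.

```php
<?php
// Added illustration, not MSC Stealth Login's code. Function name, state
// layout and MAX_DOUBLINGS are assumptions.
const BASE_LOCKOUT  = 15 * 60;   // first lockout, in seconds
const RESET_AFTER   = 24 * 3600; // quiet period that resets the multiplier
const MAX_DOUBLINGS = 6;         // assumed cap: 15 min * 2^6 = 16 hours

/**
 * Record a new lockout for one IP and return its updated state.
 * $state is null for an unseen IP, otherwise the array returned last time.
 * A full implementation would also refresh 'last_attempt' on every failed
 * attempt, not only when a lockout is triggered.
 */
function apply_lockout(?array $state, int $now): array
{
    // No attempt for 24 hours: forget earlier lockouts and start over.
    if ($state === null || $now - $state['last_attempt'] >= RESET_AFTER) {
        $state = ['lockouts' => 0, 'last_attempt' => $now];
    }

    // Double once per previous lockout, up to the cap.
    $doublings = min($state['lockouts'], MAX_DOUBLINGS);
    $duration  = BASE_LOCKOUT * (2 ** $doublings);

    return [
        'lockouts'     => $state['lockouts'] + 1,
        'last_attempt' => $now,
        'duration'     => $duration,
        'locked_until' => $now + $duration,
    ];
}

// Constructed timeline: four lockouts within a few hours, then a fifth
// after 25 hours with no attempts.
$state = null;
$start = 1700000000; // arbitrary epoch second
foreach ([0, 1, 3, 6, 31] as $hours) {
    $state = apply_lockout($state, $start + $hours * 3600);
    printf("+%2dh lockout #%d: %d min\n", $hours, $state['lockouts'], $state['duration'] / 60);
}
```

Without the cap, the duration keeps doubling for as long as attempts arrive less than 24 hours apart, so a shared or NATed address that stays noisy would eventually be locked out for days.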
Recovery URL
Forgot your custom login URL? No problem. The recovery system lets you regain access through a secure bypass URL that’s displayed in your WordPress admin bar when logged in.
Privacy
MSC Stealth Login collects the following data to provide its security features:
- IP Addresses: Logged for every login attempt (successful, failed, and locked out) to enable brute force protection and login history.
- Usernames: Logged with each login attempt to help administrators identify targeted accounts.
- User Agents: Logged with each login attempt for security auditing.
- Login History: All login attempts are stored in the database and can be viewed in the History tab or exported as CSV.
Data collection only occurs when the plugin is active. All collected data is stored in your WordPress database and is not sent to any external services. Administrators can clear login history at any time from the History tab.
This plugin does not use cookies or third-party tracking.
Installation
- Upload the plugin files to the /wp-content/plugins/msc-stealth-login/ directory
- Activate the plugin through the ‘Plugins’ menu in WordPress
- Navigate to Settings → MSC Stealth Login
- Configure your custom login URL (e.g., /secure-login/)
- Enable additional security features as needed (brute force protection, email alerts, etc.)
- Save your recovery URL somewhere safe — bookmark it or store it securely
Important: After activation, immediately bookmark your new login URL and save your recovery URL in a secure location.
FAQ
How does the stealth login work?
MSC Stealth Login uses WordPress rewrite rules to redirect requests from the standard /wp-login.php to your custom URL. When visitors try to access the old login page, they’re blocked and redirected. The custom URL only works when you explicitly configure it.
Will this break my site or existing plugins?
The plugin is designed to work with standard WordPress installations and popular plugins. The custom login URL and wp-admin protection may conflict with plugins that have their own login flows. Always test on a staging site first, and keep your recovery URL bookmarked.
What happens if I forget my custom login URL?
Use the recovery URL system. When logged in, your WordPress admin bar shows the recovery URL. Alternatively, access your site via FTP or hosting control panel and rename the plugin folder to disable it temporarily.
How do I recover access if I’m locked out?
Wait for the lockout period to expire (starts at 15 minutes and increases with repeat attempts). If you need immediate access, disable the plugin via FTP by renaming the plugin folder. Your IP can also be added to the whitelist if you have database access.
Does this work with caching plugins?
Yes, but ensure your login pages aren’t cached. Most caching plugins have options to exclude specific pages. You’ll want to exclude your custom login URL and wp-admin directory from caching.
Can I use this with Wordfence/other security plugins?
Generally yes, but some security plugins have overlapping features. You may want to disable redundant features (like brute force protection) in one plugin to avoid conflicts. Test thoroughly before deploying to production.
How do the email notifications work?
Navigate to Settings → MSC Stealth Login → Email tab. Enable the notifications you want and customize the subject and body using placeholders: {ip}, {attempts}, {time}, {site_name}, {site_url}. Notifications are sent immediately when events occur.
No, all features are included in the free version. There is no premium version or paid upgrade.
Contributors & Developers
“MSC Stealth Login” is open source software. The following people have contributed to this plugin.
Change log
1.0.8
- Fixed: Updated plugin metadata to WordPress 7.0 compatibility (Tested up to: 7.0).
- Fixed: Renamed global init callback to prefixed function name for Plugin Check naming compliance.
- Fixed: Removed discouraged load_plugin_textdomain() call for WordPress.org translation loading compliance.
- Fixed: Refactored login history SQL query assembly to avoid interpolated dynamic WHERE fragments and ensure placeholder/replacement parity in $wpdb->prepare().
- Fixed: Replaced direct usermeta cleanup queries in uninstall with delete_metadata() API.
- Updated: Release version bumped to 1.0.8.
1.0.7
- Security: Fixed IP spoofing vulnerability — now defaults to REMOTE_ADDR; proxy headers only trusted when explicitly enabled via new trust_proxy option.
- Security: Removed broad redirect_to exception that allowed bypassing login block.
- Security: Added CSV formula injection prevention for data exports.
- Fixed: Added load_plugin_textdomain() so translation files are loaded correctly.
- Fixed: Converting closures to named methods for removability.
- Fixed: Added settings_errors() output on settings page.
- Fixed: Refactored SQL sentinel pattern to dynamic WHERE clauses for index utilisation.
- Fixed: URL-safe validation for custom login slug.
- Fixed: Synchronized reserved slug list between PHP and JavaScript.
- Fixed: Double-escaping in login URL display.
- Fixed: esc_attr_e() in JS onclick handlers replaced with esc_js().
- Fixed: esc_html__() in plain text email bodies replaced with __().
- Fixed: esc_html__() in wp_localize_script() replaced with __().
- Fixed: esc_url() in input value attributes replaced with esc_attr().
- Fixed: Timezone-sensitive date calculation using gmdate() + DAY_IN_SECONDS.
- Fixed: Incomplete translator comment for lockout email.
- Fixed: Orphan user meta cleanup on uninstall.
- Fixed: delete_transient() instead of delete_option() for transients.
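The first 1.0.7 entry matters because lockouts, the whitelist and the login history are all keyed on the client IP, so they are only as reliable as the source that IP is read from. The following is an added example of that resolution rule, not the plugin's own code; resolve_client_ip(), the trusted proxy list and the sample requests are assumptions, and only the REMOTE_ADDR default and the trust_proxy switch come from the changelog.

```php
<?php
// Added illustration, not MSC Stealth Login's code. resolve_client_ip(),
// $trusted_proxies and the sample requests are assumptions.

function resolve_client_ip(array $server, bool $trust_proxy, array $trusted_proxies = []): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';

    // Default: use the TCP peer address, which request headers cannot change.
    // Headers are consulted only if the option is on AND the peer is a known proxy.
    if (!$trust_proxy || !in_array($remote, $trusted_proxies, true)) {
        return $remote;
    }

    // Walk X-Forwarded-For from right to left and return the first valid
    // address that is not one of our own proxies. Entries further left were
    // supplied by the client and carry no guarantee.
    $chain = explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? '');
    foreach (array_reverse(array_map('trim', $chain)) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $remote; // malformed chain: fall back to the peer address
        }
        if (!in_array($hop, $trusted_proxies, true)) {
            return $hop;
        }
    }
    return $remote;
}

// Constructed requests using documentation and private address ranges.
$direct  = ['REMOTE_ADDR' => '198.51.100.23', 'HTTP_X_FORWARDED_FOR' => '192.0.2.1'];
$proxied = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '192.0.2.1, 203.0.113.9'];

// Option off: the header is ignored.
var_dump(resolve_client_ip($direct, false));
// Option on, but the peer is not a known proxy: the header is still ignored.
var_dump(resolve_client_ip($direct, true, ['10.0.0.5']));
// Option on and the peer is a known proxy: the entry that proxy appended is used.
var_dump(resolve_client_ip($proxied, true, ['10.0.0.5']));
```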
1.0.6
- Fixed: Removed inline <script> from data tracking notice and moved dismiss logic to admin.js with localized nonce (WordPress.org review compliance).
- Fixed: Replaced hardcoded /wp-login.php URL paths with wp_login_url() + add_query_arg() for subdirectory WordPress compatibility.
- Fixed: Added missing translators comment for data tracking notice string (Plugin Check compliance).
- Fixed: Added phpcs:ignore comments for custom table direct database queries (Plugin Check compliance).
1.0.5
- Fixed: CIDR IP whitelist matching now works correctly for subnet ranges.
- Fixed: Recovery token comparison now uses timing-safe comparison (hash_equals).
- Fixed: Lockout message output now properly escaped.
- Fixed: Recovery token option key renamed from msc_recovery_token to mscsl_recovery_token for namespace consistency, with automatic migration.
- Fixed: Plugin header tab character removed for parser compatibility.
- Added: Privacy admin notice informing administrators about data collection (IP addresses, usernames, user agents, login history).
- Added: Database schema version tracking for future upgrade path.
- Added: Privacy Policy section to plugin documentation.
1.0.4
- Changed: Inlined CSS styles on error page elements for simpler standalone page rendering.
- Removed: External CSS file for error pages (no longer needed).
- Removed: Frontend style registration hooks (no longer needed).
1.0.3
- Fixed: Extracted inline CSS to external stylesheet file per WordPress.org review requirements.
- Fixed: Created template files for lockout and blocked error pages.
- Added: X-Frame-Options and X-Content-Type-Options security headers to error pages.
1.0.2
- Fixed: Plugin Check errors for unescaped database parameters in query methods.
- Fixed: Plugin Check error for fclose() on php://output stream — added phpcs:ignore.
- Fixed: DROP TABLE query now uses direct query instead of prepare() (table names cannot be prepared).
- Fixed: Added phpcs:ignore comments for nonce verification warnings in frontend security filters.
- Fixed: Added cleanup of flush rewrite rules transient in uninstall.
1.0.1
- Fixed: Custom login URL now works immediately after plugin activation without manual permalink flush.
- Fixed: Custom login URL now works immediately after changing the slug in settings.
1.0.0
- Initial release
- Custom login URL with rewrite rules
- wp-admin blocking and redirect
- Brute force protection with configurable lockouts
- Email notifications (lockout, admin alert, new IP)
- Login history with filtering and CSV export
- XML-RPC endpoint disable option
- REST API user enumeration blocking
- IP whitelist for bypassing protection
- Progressive lockout delay multiplier
- Recovery URL system for forgotten login URLs




