Sign inDocsBlogAboutSupportContact
Use case · Security

Shut the door on brute-force bots.

Bots hammer wp-login.php on every WordPress site, all day. Move the login out of reach, cap failed attempts, and block the worst offenders, three commands that make the front door much harder to force.

Built into WordPress No coding required Part of TrueCommander
Hide the loginMove it off wp-login.php
Limit attemptsLock out repeat guessing
Block bad IPsShut out repeat offenders
Hard to forceLayered, and enforced
The problem

One predictable URL. Endless guessing.

WordPress puts the login at the same address on every site, so bots target it relentlessly: thousands of automated guesses against common passwords, around the clock. A weak password and enough attempts is all it takes. Already breached rather than bracing for it? Start with the incident steps in the emergency WordPress lockdown.

Default WordPress
Login sits at the well-known wp-login.php
Unlimited password guesses, no lockout
No way to block an abusive address
Each layer needs another security plugin
Protection only as good as you remember to renew
With TrueCommander
Login moves to a custom path only you know
Failed attempts capped with an automatic lockout
Block or unblock any IP from the command bar
All three layers in one plugin, not three
IP blocking can re-apply itself on startup
What you get

A login-hardening toolkit, in one bar.

Each control is a command you run from the navigator, with no settings maze to hunt through.

Hidden login URL

hide login -slug=manage moves the login and 404s the default address, cutting bot noise.

Attempt limiting

limit login attempts caps failures with a configurable window and lockout length.

IP blocking

block ip and unblock ip shut out repeat offenders, individually or all at once.

Password protection

password protect puts a password wall in front of the whole site, ideal for staging.

Maintenance mode

maintenance mode closes the front end while you work, in one command.

Enforced on startup

Put block ip in a startup command so your denylist re-applies on every load.

How it works

Three commands. One hard door.

Open the navigator with the keyboard shortcut and run them in order.

  1. Move the login

    Run hide login -slug=manage. The default URL 404s; bookmark the new one.

  2. Cap the attempts

    Run limit login attempts -max=5 with a window and lockout. It is a setting, so set it once.

  3. Block and enforce

    Block repeat offenders with block ip, and drop it into a startup command so it re-applies every load.

The Math

One plugin. Login security and nine more modules.

Brute-force lockdown is not a separate purchase. It is one workflow inside TrueCommander.

Extra security plugins to license
No standalone hide-login, attempt-limiter, or firewall plugin. It is built into TrueCommander
Modules in the one license
Navigator, macros, scheduling, email builder, and more. Login security is one of many
Inside your WordPress admin
Hiding, limiting, and IP blocking. No cloud service or monthly fee
$59/yr
Layered login security, plus nine more modules. Lockdown is just one of ten. See pricing
FAQ

Questions, answered.

Ready?

Make the front door hard to force.

Hide the login, cap the guessing, block the offenders, all from one command bar.

14-day money-back guarantee We stand behind TrueCommander. If it's not the right fit within 14 days, request a refund through our support. Terms apply per our refund policy.
Cookies. The short version.

Essential cookies keep the cart and theme working. Analytics only fire if you say yes. Read our policy.