Use case · Security

Shut the door on brute-force bots.

Bots hammer wp-login.php on every WordPress site, all day. Move the login out of reach, cap failed attempts, and block the worst offenders, three commands that make the front door much harder to force.

Take command in minutes See login security

Built into WordPress No coding required Part of TrueCommander

Hide the loginMove it off wp-login.php

Limit attemptsLock out repeat guessing

Block bad IPsShut out repeat offenders

Hard to forceLayered, and enforced

The problem

One predictable URL. Endless guessing.

WordPress puts the login at the same address on every site, so bots target it relentlessly: thousands of automated guesses against common passwords, around the clock. A weak password and enough attempts is all it takes. Already breached rather than bracing for it? Start with the incident steps in the emergency WordPress lockdown.

Default WordPress

Unlimited password guesses, no lockout

No way to block an abusive address

Each layer needs another security plugin

Protection only as good as you remember to renew

With TrueCommander

Failed attempts capped with an automatic lockout

Block or unblock any IP from the command bar

All three layers in one plugin, not three

IP blocking can re-apply itself on startup

What you get

A login-hardening toolkit, in one bar.

Each control is a command you run from the navigator, with no settings maze to hunt through.

Hidden login URL

hide login -slug=manage moves the login and 404s the default address, cutting bot noise.

Attempt limiting

limit login attempts caps failures with a configurable window and lockout length.

IP blocking

block ip and unblock ip shut out repeat offenders, individually or all at once.

Password protection

password protect puts a password wall in front of the whole site, ideal for staging.

Maintenance mode

maintenance mode closes the front end while you work, in one command.

Enforced on startup

Put block ip in a startup command so your denylist re-applies on every load.

How it works

Three commands. One hard door.

Open the navigator with the keyboard shortcut and run them in order.

Move the login
Run hide login -slug=manage. The default URL 404s; bookmark the new one.
Cap the attempts
Run limit login attempts -max=5 with a window and lockout. It is a setting, so set it once.
Block and enforce
Block repeat offenders with block ip, and drop it into a startup command so it re-applies every load.

The Math

One plugin. Login security and nine more modules.

Brute-force lockdown is not a separate purchase. It is one workflow inside TrueCommander.

Extra security plugins to license

No standalone hide-login, attempt-limiter, or firewall plugin. It is built into TrueCommander

Modules in the one license

Navigator, macros, scheduling, email builder, and more. Login security is one of many

Inside your WordPress admin

Hiding, limiting, and IP blocking. No cloud service or monthly fee

$59/yr

Layered login security, plus nine more modules. Lockdown is just one of ten. See pricing

FAQ

Questions, answered.

What if I forget my new login URL?

The new path is the only way in, so choose a slug you will remember and bookmark it. You can change it again at any time by running hide login with a different -slug from the command bar.

Could a lockout lock me out too?

A lockout applies to the address that exceeds the failed-attempt limit, so as long as you log in correctly you are unaffected. If you do trigger it, the lockout clears after the window you set, or you can lift a block immediately with unblock ip.

How does this compare to a dedicated security plugin?

For login hardening, these commands cover the common ground. A dedicated tool goes deeper on forensic logs or a cloud reputation list, see how it stacks up against Limit Login Attempts Reloaded and WPS Hide Login. They can run alongside TrueCommander.

Is hiding the login enough on its own?

It cuts the bot noise dramatically, but it is one layer. Pairing it with an attempt limit and IP blocking is what actually hardens the door, which is why this playbook runs all three rather than just moving the URL.

Ready?

Make the front door hard to force.

Hide the login, cap the guessing, block the offenders, all from one command bar.

Take command in minutes All use cases

14-day money-back guarantee We stand behind TrueCommander. If it's not the right fit within 14 days, request a refund through our support. Terms apply per our refund policy.