=== Defyn Security Manager - Hide Login, 2FA & Brute-Force Protection ===
Contributors: defyndigital
Tags: security, login, two-factor, brute-force, hide-login
Requires at least: 5.8
Tested up to: 6.8
Requires PHP: 7.4
Stable tag: 1.1.0
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Hide wp-admin behind a custom login URL and stop brute-force attacks with two-factor authentication, login limits, IP rules and an activity log.

== Description ==

**Defyn Security Manager is a lightweight WordPress security plugin that hides your login page and locks down the back end.** Most attacks on WordPress start at one predictable place: `/wp-admin` and `/wp-login.php`. Defyn Security Manager moves that door, throttles attackers, adds two-factor authentication, and records every attempt so you always know who is knocking.

No bloat, no upsell walls, and no account required. Install it, choose a secret login slug, and your login page disappears from bots and scanners.

= What it does =

* **Hide the WordPress login URL.** Replace `/wp-admin` and `/wp-login.php` with any custom login URL you choose, so automated bots and brute-force scripts hit a dead end.
* **Decoy or 404 the old URLs.** Decide what attackers see at the original login addresses: a 404, a redirect, or a decoy login screen.
* **Brute-force protection.** Limit login attempts and automatically lock out IP addresses after repeated failures, with a one-click control to clear active lockouts.
* **Two-factor authentication (2FA).** Add TOTP-based two-factor authentication using Google Authenticator, Authy, 1Password, Microsoft Authenticator or Bitwarden, complete with backup codes and per-role enforcement.
* **REST API and XML-RPC protection.** Extend two-factor enforcement to the REST API and XML-RPC, with optional API hiding to shrink your attack surface.
* **Time-window access control.** Only allow logins during the hours and days you actually work, and block everything else.
* **IP allowlisting.** Optionally restrict back-end access to trusted IP addresses or CIDR ranges.
* **Activity log and audit trail.** See login attempts, lockouts, scans of your old login URLs, and settings changes in one searchable log.
* **Email alerts.** Get notified about lockouts, scans, and logins from new IP addresses.
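The brute-force protection bullet above describes a counter per IP address, a lockout once the limit is reached, and a way to clear lockouts. The snippet below is an added illustration of that mechanism on plain WordPress hooks; it is not Defyn Security Manager's own code. It uses the `authenticate` filter at the late priority 95 mentioned in the changelog, stores counters in transients, and assumes the thresholds and every `defyn_example_*` name, none of which come from the plugin.

```php
<?php
/**
 * Added example, not Defyn Security Manager's own code: per-IP login throttling
 * with WordPress transients, hooked into wp_login_failed and the authenticate
 * filter at priority 95. Save as wp-content/mu-plugins/login-throttle-example.php
 * to try it. Thresholds and every defyn_example_* name are assumptions; the
 * plugin's real limits and option names are not given in the readme.
 */

const DEFYN_EXAMPLE_MAX_ATTEMPTS   = 5;    // failures that trigger a lockout (assumed)
const DEFYN_EXAMPLE_ATTEMPT_WINDOW = 900;  // seconds in which failures are counted
const DEFYN_EXAMPLE_LOCKOUT_SECS   = 1200; // how long a locked-out IP waits

/** Transient key for the current visitor. Uses REMOTE_ADDR only; behind a proxy, resolve the real IP first. */
function defyn_example_ip_key( string $prefix ): string {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return $prefix . md5( $ip );
}

/** Seconds left on the visitor's lockout, or 0 when not locked out. */
function defyn_example_lockout_remaining(): int {
    $until = (int) get_transient( defyn_example_ip_key( 'defyn_ex_lock_' ) );
    return max( 0, $until - time() );
}

/** Count a failed login; lock the IP once the limit is reached. */
function defyn_example_record_failure( $username, $error = null ): void {
    if ( defyn_example_lockout_remaining() > 0 ) {
        return; // already locked out; retries do not extend the lockout
    }
    $key   = defyn_example_ip_key( 'defyn_ex_fail_' );
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, DEFYN_EXAMPLE_ATTEMPT_WINDOW );

    if ( $count >= DEFYN_EXAMPLE_MAX_ATTEMPTS ) {
        set_transient(
            defyn_example_ip_key( 'defyn_ex_lock_' ),
            time() + DEFYN_EXAMPLE_LOCKOUT_SECS,
            DEFYN_EXAMPLE_LOCKOUT_SECS
        );
        delete_transient( $key );
        // Audit trail entry; the plugin keeps its own activity log instead.
        error_log( sprintf(
            'login lockout for %s after %d failures (user "%s")',
            $_SERVER['REMOTE_ADDR'] ?? '?', $count, $username
        ) );
    }
}
add_action( 'wp_login_failed', 'defyn_example_record_failure', 10, 2 );

/**
 * Refuse locked-out IPs. Priority 95 runs after core's own credential checks
 * (priority 20 and 30), so the WP_Error returned here is what wp_authenticate()
 * finally sees, even when the submitted password was correct.
 */
function defyn_example_block_locked_ips( $user, $username, $password ) {
    $remaining = defyn_example_lockout_remaining();
    if ( $remaining > 0 ) {
        return new WP_Error(
            'defyn_example_locked_out',
            sprintf( 'Too many failed logins. Try again in %d minutes.', ceil( $remaining / 60 ) )
        );
    }
    return $user;
}
add_filter( 'authenticate', 'defyn_example_block_locked_ips', 95, 3 );

/** A successful login resets the failure counter for that IP. */
function defyn_example_clear_on_success( $user_login, $user ): void {
    delete_transient( defyn_example_ip_key( 'defyn_ex_fail_' ) );
}
add_action( 'wp_login', 'defyn_example_clear_on_success', 10, 2 );
```

Clearing a lockout by hand is a matter of deleting the `defyn_ex_lock_` transient for that IP, which is what a "clear lockouts" button would do for every active key. Keying on `REMOTE_ADDR` is only correct when PHP sees the visitor directly; behind Cloudflare or a load balancer the address must be resolved from the proxy headers first, as the FAQ on `DEFYN_BEM_TRUST_PROXY` describes.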

= Why choose Defyn Security Manager =

* **Fast and focused.** A purpose-built login-security and login-hardening plugin, not a heavyweight suite that slows your site down.
* **Recovery built in.** A documented emergency kill switch means you can never permanently lock yourself out.
* **Privacy friendly.** Your data stays on your site. Nothing is sent to a third-party service.
* **Built by an agency.** Maintained by [Defyn](https://defyn.com.au), an Australian web design and development studio that runs this plugin on client sites every day.

Defyn Security Manager is ideal for anyone who wants to hide wp-admin, stop brute-force login attempts, limit login attempts, add 2FA to WordPress, and keep a clear security audit trail.

== Installation ==

1. In your dashboard, go to **Plugins, Add New**, search for "Defyn Security Manager", then click **Install Now** and **Activate**. You can also upload the plugin folder to `/wp-content/plugins/` via SFTP.
2. Go to **Defyn Security, Settings** and set your custom hidden login URL.
3. Choose what visitors see at the old `/wp-admin` and `/wp-login.php` addresses, then turn on brute-force throttling, time-window access, or IP allowlisting as needed.
4. Open the **Two-Factor** tab to enable 2FA and, if you want, enforce it per role.
5. Bookmark your new login URL and store your 2FA backup codes somewhere safe before you log out.

== Frequently Asked Questions ==

= How do I hide the WordPress login page? =

Activate the plugin, open **Defyn Security, Settings**, and enter a custom slug for your login URL. From then on your login page lives at that secret address, and `/wp-admin` and `/wp-login.php` return a 404, a redirect, or a decoy screen, whichever you choose.

= I have locked myself out. How do I recover? =

The fastest fix is to add this line to `wp-config.php`:

`define( 'DEFYN_BEM_DISABLE', true );`

This bypasses all login interception so `/wp-admin` and `/wp-login.php` work normally again. A yellow admin notice reminds you to remove the line once you are back in. Your settings and 2FA data are kept.

If you cannot edit `wp-config.php`, rename the plugin folder over SFTP from `defyn-security-manager` to `defyn-security-manager.disabled`. WordPress deactivates the plugin on the next page load. Rename it back when you are ready to re-enable.

= Does it work behind Cloudflare or a load balancer? =

Yes. Define `DEFYN_BEM_TRUST_PROXY` in `wp-config.php` so the plugin honours `X-Forwarded-For` and `CF-Connecting-IP` headers when detecting the visitor IP address.
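The two behaviours described in the IP allowlisting feature and in this FAQ answer go together: the address that is compared with the allowlist is only meaningful if it was resolved correctly behind the proxy. The block below is an added example, not the plugin's own code, showing both steps. `DEFYN_BEM_TRUST_PROXY` is the constant named above; the `defyn_example_*` functions, the sample request and the allowlist entries are constructed for the example.

```php
<?php
/**
 * Added example, not the plugin's own code: resolving the visitor address when
 * a proxy sits in front of WordPress, then checking it against an IP/CIDR
 * allowlist as the IP allowlisting feature describes. DEFYN_BEM_TRUST_PROXY is
 * the FAQ's constant; the defyn_example_* functions, the sample request and
 * the allowlist entries are constructed for this example.
 */

// In wp-config.php, as the FAQ describes:
// define( 'DEFYN_BEM_TRUST_PROXY', true );

/** Pick the client IP from $server (normally $_SERVER). */
function defyn_example_client_ip( array $server, bool $trust_proxy ): string {
    $remote = $server['REMOTE_ADDR'] ?? '';
    if ( ! $trust_proxy ) {
        // With no proxy in front, X-Forwarded-For and CF-Connecting-IP are set by
        // whoever sends the request, so only the TCP peer address is meaningful.
        return $remote;
    }
    $candidates = [];
    if ( ! empty( $server['HTTP_CF_CONNECTING_IP'] ) ) {
        $candidates[] = $server['HTTP_CF_CONNECTING_IP'];
    }
    if ( ! empty( $server['HTTP_X_FORWARDED_FOR'] ) ) {
        // First entry is the original client; later ones are proxies it passed through.
        $candidates[] = trim( explode( ',', $server['HTTP_X_FORWARDED_FOR'] )[0] );
    }
    foreach ( $candidates as $ip ) {
        if ( filter_var( $ip, FILTER_VALIDATE_IP ) ) {
            return $ip;
        }
    }
    return $remote; // headers absent or malformed: fall back to the peer address
}

/** True when $ip equals $entry or falls inside it ("203.0.113.0/24", "2001:db8::/32"). */
function defyn_example_ip_matches( string $ip, string $entry ): bool {
    $ip_bin = inet_pton( $ip );
    if ( false === $ip_bin ) {
        return false;
    }
    if ( false === strpos( $entry, '/' ) ) {
        return $ip_bin === inet_pton( $entry );
    }
    [ $net, $bits ] = explode( '/', $entry, 2 );
    $net_bin = inet_pton( $net );
    // Mixed IPv4/IPv6, a malformed network or an impossible prefix length never matches.
    if ( false === $net_bin || strlen( $net_bin ) !== strlen( $ip_bin ) || ! ctype_digit( $bits ) ) {
        return false;
    }
    $bits = (int) $bits;
    if ( $bits > 8 * strlen( $ip_bin ) ) {
        return false;
    }
    $full = intdiv( $bits, 8 );
    if ( substr( $ip_bin, 0, $full ) !== substr( $net_bin, 0, $full ) ) {
        return false;
    }
    $rem = $bits % 8;
    if ( 0 === $rem ) {
        return true;
    }
    $mask = ( 0xff << ( 8 - $rem ) ) & 0xff; // high bits of the partial byte
    return ( ord( $ip_bin[ $full ] ) & $mask ) === ( ord( $net_bin[ $full ] ) & $mask );
}

function defyn_example_ip_allowed( string $ip, array $allowlist ): bool {
    foreach ( $allowlist as $entry ) {
        if ( defyn_example_ip_matches( $ip, trim( $entry ) ) ) {
            return true;
        }
    }
    return false;
}

// Constructed sample request as PHP sees it behind Cloudflare: REMOTE_ADDR is
// the proxy, the real visitor is carried in the headers.
$sample_server = [
    'REMOTE_ADDR'           => '198.51.100.7',
    'HTTP_CF_CONNECTING_IP' => '203.0.113.42',
    'HTTP_X_FORWARDED_FOR'  => '203.0.113.42, 198.51.100.7',
];
$allowlist = [ '203.0.113.0/24', '2001:db8::/32', '192.0.2.10' ];

$trusted = defined( 'DEFYN_BEM_TRUST_PROXY' ) && DEFYN_BEM_TRUST_PROXY;
$ip      = defyn_example_client_ip( $sample_server, $trusted );
printf( "client %s allowed: %s\n", $ip, defyn_example_ip_allowed( $ip, $allowlist ) ? 'yes' : 'no' );
// Without the constant the proxy's own address 198.51.100.7 is evaluated and is
// not on the allowlist; with it, 203.0.113.42 is evaluated and matches 203.0.113.0/24.
```

The reason the constant is opt-in rather than default is visible in `defyn_example_client_ip`: a visitor who reaches PHP directly can send any `X-Forwarded-For` value they like, so honouring those headers is only safe when every request is known to pass through the proxy.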

= Which authenticator apps work with the 2FA feature? =

Any app that supports standard RFC 6238 TOTP, including Google Authenticator, Authy, 1Password, Microsoft Authenticator and Bitwarden.
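"Standard RFC 6238 TOTP" means a fixed computation any compliant app and server perform independently from a shared secret: HMAC-SHA1 over the current 30-second step, dynamically truncated to six digits. The block below is an added example in plain PHP, not the plugin's code, that carries that computation through and checks it against the RFC's own test vector. The `defyn_example_*` names are hypothetical; the parameters (SHA-1, 30-second step, 6 digits) and the test vector are those of the RFC.

```php
<?php
/**
 * Added example, not the plugin's own code: RFC 6238 TOTP verification in plain
 * PHP, the same computation the authenticator apps listed above perform. The
 * defyn_example_* helpers are hypothetical names; only the RFC parameters
 * (HMAC-SHA1, 30-second step, 6 digits) and the RFC test vector are fixed.
 */

/** Decode the base32 secret an authenticator app is enrolled with. */
function defyn_example_base32_decode( string $b32 ): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $b32      = strtoupper( rtrim( $b32, '=' ) );
    if ( '' === $b32 ) {
        throw new InvalidArgumentException( 'empty base32 secret' );
    }
    $bits = '';
    foreach ( str_split( $b32 ) as $ch ) {
        $idx = strpos( $alphabet, $ch );
        if ( false === $idx ) {
            throw new InvalidArgumentException( "invalid base32 character: $ch" );
        }
        $bits .= str_pad( decbin( $idx ), 5, '0', STR_PAD_LEFT );
    }
    $raw = '';
    foreach ( str_split( $bits, 8 ) as $byte ) {
        if ( 8 === strlen( $byte ) ) { // drop the trailing partial group
            $raw .= chr( bindec( $byte ) );
        }
    }
    return $raw;
}

/** RFC 4226 HOTP: HMAC-SHA1 over the 64-bit big-endian counter, dynamically truncated. */
function defyn_example_hotp( string $secret, int $counter, int $digits = 6 ): string {
    $hash   = hash_hmac( 'sha1', pack( 'J', $counter ), $secret, true );
    $offset = ord( $hash[19] ) & 0x0f;
    $code   = ( ( ord( $hash[ $offset ] ) & 0x7f ) << 24 )
            | ( ord( $hash[ $offset + 1 ] ) << 16 )
            | ( ord( $hash[ $offset + 2 ] ) << 8 )
            | ord( $hash[ $offset + 3 ] );
    return str_pad( (string) ( $code % ( 10 ** $digits ) ), $digits, '0', STR_PAD_LEFT );
}

/**
 * Verify a submitted code against the current 30-second step plus or minus
 * $window steps to absorb clock drift. Returns the matching step, or false.
 * Store the returned step per user and reject any later submission whose step
 * is not greater than the stored one, so a code cannot be replayed inside its
 * validity window (RFC 6238 section 5.2).
 */
function defyn_example_totp_verify( string $base32_secret, string $submitted, int $now, int $window = 1 ) {
    if ( ! preg_match( '/^\d{6}$/', $submitted ) ) {
        return false;
    }
    $secret = defyn_example_base32_decode( $base32_secret );
    $step   = intdiv( $now, 30 );
    for ( $i = -$window; $i <= $window; $i++ ) {
        // hash_equals: constant-time compare, no early exit on the first wrong digit
        if ( hash_equals( defyn_example_hotp( $secret, $step + $i ), $submitted ) ) {
            return $step + $i;
        }
    }
    return false;
}

// RFC 6238 Appendix B vector: ASCII secret "12345678901234567890" (base32 below),
// T = 59 seconds, so step 1, gives 94287082, whose six-digit tail is 287082.
$rfc_secret = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ';
var_dump( defyn_example_totp_verify( $rfc_secret, '287082', 59 ) );
var_dump( defyn_example_totp_verify( $rfc_secret, '000000', 59 ) );
```

The window of one step either side is what lets a phone whose clock is a few seconds off still log in; widening it trades convenience for a larger set of codes that are valid at any moment. Backup codes, which the plugin also issues, are a separate fallback and are best stored hashed and invalidated on first use.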

= Will hiding the login URL break my site or REST API? =

No. Front-end pages, the REST API and normal site behaviour keep working. Only the human login entry points move, and you can layer two-factor enforcement on top of the REST API and XML-RPC separately.

= Does it slow down my website? =

No. The plugin only runs its checks on login and admin requests, so it has no measurable impact on front-end page speed.

= Can I use it on a multisite network? =

This release supports single-site activation only. Network-wide multisite support is on the roadmap.

== Screenshots ==

1. Settings screen for choosing your hidden login URL and the response for the old login addresses.
2. Brute-force protection and login-limit controls, including the clear-lockouts button.
3. Two-factor authentication setup with TOTP and backup codes.
4. Activity log showing login attempts, lockouts and scans.

== Changelog ==

= 1.1.0 =
* Added: two-factor enforcement for the REST API and XML-RPC.
* Added: opt-in API hiding to reduce the attack surface.
* Added: "Clear lockouts" control in the admin UI.
* Fixed: authentication filters now run at priority 95 and 96 so a `WP_Error` survives the full filter chain.
* Fixed: login URL interception now hooks on `setup_theme` instead of `plugins_loaded` for more reliable behaviour.

= 1.0.0 =
* Initial release.

== Upgrade Notice ==

= 1.1.0 =
Adds REST API and XML-RPC two-factor enforcement, opt-in API hiding, and a one-click clear-lockouts control.
