=== HSArticle Login Warden ===
Contributors: hsarticle
Tags: hide login, login security, wp-login, custom login url, xmlrpc
Requires at least: 5.6
Tested up to: 7.0
Requires PHP: 7.4
Stable tag: 1.0.0
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Hide your login URL and stop leaking your admin usernames. Custom login URL, XML-RPC lockdown, and enumeration blocking.

== Description ==

Most "hide login" plugins only do one thing: change the URL of wp-login.php. HSArticle Login Warden does that too, but it's built around a wider goal — make it harder for anyone to find or confirm who has access to your WordPress admin in the first place. Hiding the login form doesn't help much if your usernames are still leaking out through three other doors, so HSArticle Login Warden closes those too, all as optional one-click toggles.

It doesn't rename or modify any core files, and it doesn't add rewrite rules — it simply intercepts requests for wp-login.php and /wp-admin and shows a 404 (or redirects) to logged-out visitors, while your chosen custom URL loads the real login form.

**Custom login URL**

* Set any custom login URL slug
* Choose what logged-out visitors see when they hit the old login page or /wp-admin: a 404 page, a redirect to your homepage, or a redirect to any custom URL
* Your current login URL is always visible on the settings page with a one-click Copy button, so you never lose track of it
* Built-in conflict check — you can't accidentally set your login slug to something that collides with an existing page or post

**Optional hardening toggles**

* Disable XML-RPC (xmlrpc.php) — a second, often-forgotten login door and a common brute-force target
* Generic login error messages — stops WordPress confirming whether a failed login had a real username or not
* Block username enumeration via ?author=1, ?author=2, etc. — stops one of the most common ways real usernames get discovered
* Hide the /wp-json/wp/v2/users REST endpoint from logged-out requests — this lists every username on your site by default

None of these toggles track, log, or store anything about your visitors — they simply stop information from leaking out. All logged-in functionality (dashboard, admin, post editing) works completely normally; every toggle here only affects logged-out visitors.

Deactivating the plugin brings your site back to its default state immediately.

== Installation ==

1. Go to Plugins > Add New.
2. Search for "HSArticle Login Warden".
3. Install and activate.
4. You'll be redirected to Settings > HSArticle Login Warden — set your new login URL there and save.
5. Bookmark your new login URL before you log out!

== Frequently Asked Questions ==

= I forgot my login URL! =

Check the `hsarlowa_settings` row in your site's `wp_options` database table, or deactivate the plugin (via FTP/file manager if needed) to restore the default wp-login.php URL.

= Does this work with caching plugins? =

Yes, but if you use a page-caching plugin, exclude your new login URL from the cache the same way you would for any dynamic page.

= Will disabling XML-RPC break anything? =

It will stop the classic WordPress mobile apps, the old XML-RPC based publishing tools, and some Jetpack features that rely on it from working. Most modern sites using the REST API instead are unaffected. Leave it unchecked if you're unsure.

= Will blocking ?author= links break my author archive pages? =

No. Only the numeric query-string form (?author=1) is blocked for logged-out visitors. Normal pretty-permalink author pages (/author/yourname/) keep working exactly as before.

= Will hiding the REST users endpoint break the block editor? =

No. /wp/v2/users/me (used by the block editor for the currently logged-in user) is untouched. Only the endpoints that list every username to logged-out requests are hidden.

= Will this break my site if I forget to bookmark the new URL? =

No. Deactivating the plugin (via FTP/file manager if needed, by renaming the plugin folder) immediately restores the default wp-login.php URL.

== Changelog ==

= 1.0.0 =
* Initial release.
