๐ฅ๐ฒ๐ป๐ฎ๐บ๐ถ๐ป๐ด ๐ช๐ฃ-๐๐ผ๐ด๐ถ๐ป ๐๐ ๐ก๐ผ๐ ๐๐ป๐ผ๐๐ด๐ต
Many users ask how to hide wp-admin. Most get the same advice. Install a plugin to rename the login URL. This helps. It is not a complete fix.
Renaming the URL moves the form. It does not hide your site from scanners.
Here are three leaks a login rename leaves open:
Server load. The default path still loads WordPress. Your server boots the system to show a 404 error. Ten thousand probes a day will drain your CPU. Block the path at the server level instead. Use .htaccess or Nginx. This stops the request before PHP runs.
Fingerprinting. Bots do not quit when they miss the form. They look at your page source. They see plugin folders. They see theme styles. They see version numbers. Most vulnerabilities live in plugins. Scanners match your list to known flaws in milliseconds.
Hidden signals. WordPress has other markers. The generator tag tells bots your version. The REST API reveals usernames. A login renamer ignores these signals.
A renamer moves one door. A full security layer hides the whole building.
Test your site in an incognito window. Use curl to check for generator tags. Check if the login path boots PHP. Check for username enumeration.
Moving the form is a first step. It is not a full shield.
Source: https://dev.to/cifi/renaming-wp-login-isnt-the-same-as-making-wp-admin-disappear-2gg8