Title: Mask My Admin – WordPress Login Security & URL Protection
Author: Dropals Hosting
Published: March 24, 2026
Last modified: March 27, 2026
---
Search plugins
# Mask My Admin – WordPress Login Security & URL Protection
By [Dropals Hosting](https://profiles.wordpress.org/dropalshosting/)
[Download](https://downloads.wordpress.org/plugin/maskmyadmin.1.2.3.zip)
* [Details](https://pcd.wordpress.org/plugins/maskmyadmin/#description)
* [Reviews](https://pcd.wordpress.org/plugins/maskmyadmin/#reviews)
* [Development](https://pcd.wordpress.org/plugins/maskmyadmin/#developers)
[Support](https://wordpress.org/support/plugin/maskmyadmin/)
## Description
**MaskMyAdmin** is a lightweight WordPress plugin designed to enhance your login
page security by:
– Replacing the default `wp-admin` and `wp-login.php` URLs with a custom login path
of your choice
– Enforcing IP-based access controls for the WordPress dashboard
and login screen – Preventing unauthorized access or brute-force attempts by obscuring
default login endpoints
Designed for site owners and developers who want to hide their admin panel from
bots, attackers, or curious users.
Whether you’re running a blog, WooCommerce store, or enterprise WordPress install—
MaskMyAdmin gives you a simple, intuitive way to lock down your admin entry points.
**Features:**
* Change wp-admin login path to a custom one (e.g., `/secure-login`)*
Optional IP-based whitelist — restrict dashboard access to specific IPs only * Redirect
blocked attempts to a custom page or homepage * Progressive brute-force lockout (
15 min 1 hour 24 hours) * Activity log for login attempts and settings changes*
Email notifications for blocked IPs, failed logins, and settings changes * Configurable
proxy/CDN header for accurate IP detection (Cloudflare, Nginx, etc.) * WP-CLI commands
for emergency recovery and management * Emergency disable via `wp-config.php` constant*
Defense-in-depth .htaccess rules for Apache servers (PHP handles all server types)*
Lightweight and fast — minimal performance impact * Clean uninstall — all data removed
when plugin is deleted
## Screenshots
* [[
* Settings screen to configure your custom login URL and redirection
* [[
* IP whitelist management with proxy/CDN configuration
* [[
* Activity log showing login attempts and settings changes
* [[
* [[
## FAQ
### How do I change the admin URL?
After activating the plugin, go to **MaskMyAdmin** in the admin menu and enter your
desired login slug (e.g., `my-login`). Your admin URL will become `yourdomain.com/
my-login`.
### What happens to wp-login.php and wp-admin?
Both `wp-login.php` and `/wp-admin` access will redirect to the homepage or a custom
URL (configurable), effectively hiding them from bots or attackers.
### How do I enable IP whitelisting?
Under the plugin settings (Advanced Security tab), you can enable IP whitelisting
and enter allowed IP addresses. Only visitors from these IPs will be able to access
the login page.
### I’m behind Cloudflare / a proxy. How do I get the correct IP?
Go to **Advanced Security Proxy / CDN Configuration** and select the appropriate
header for your setup (e.g., “Cloudflare” for CF-Connecting-IP).
### What if I get locked out?
You have several recovery options:
1. **WP-CLI:** Run `wp maskmy disable` to disable all protections
2. **wp-config.php:** Add `define('MASKMY_DISABLE', true);` to bypass the plugin entirely
3. **FTP:** Rename the plugin folder via FTP or your hosting File Manager
### Does this work with Nginx?
Yes. The plugin uses PHP for all URL masking and IP enforcement, which works on
any server. The .htaccess rules are an additional layer for Apache servers only.
### How long are activity logs kept?
Log entries older than 30 days are automatically cleaned up daily via WP-Cron.
### What WP-CLI commands are available?
MaskMyAdmin registers the `wp maskmy` command namespace with the following subcommands:
* `wp maskmy status` — Show current configuration (login slug, redirect mode, IP
whitelist status, allowed IPs, proxy header)
* `wp maskmy reset` — Reset the login URL back to the WordPress default (`wp-login.
php`)
* `wp maskmy add-ip ` — Add an IP address or CIDR range to the whitelist (e.
g., `wp maskmy add-ip 192.168.1.100` or `wp maskmy add-ip 10.0.0.0/24`)
* `wp maskmy remove-ip ` — Remove an IP address or CIDR range from the whitelist(
auto-disables whitelist if the list becomes empty)
* `wp maskmy disable` — Disable all protections immediately (resets login slug,
redirect, and IP whitelist — useful for emergency recovery)
* `wp maskmy enable --slug=` — Re-enable protections with a custom login
slug (e.g., `wp maskmy enable --slug=my-login`). If `--slug` is omitted, re-enables
with the previously saved slug.
## Reviews
There are no reviews for this plugin.
## Contributors & Developers
“Mask My Admin – WordPress Login Security & URL Protection” is open source software.
The following people have contributed to this plugin.
Contributors
* [ Dropals Hosting ](https://profiles.wordpress.org/dropalshosting/)
[Translate “Mask My Admin – WordPress Login Security & URL Protection” into your language.](https://translate.wordpress.org/projects/wp-plugins/maskmyadmin)
### Interested in development?
[Browse the code](https://plugins.trac.wordpress.org/browser/maskmyadmin/), check
out the [SVN repository](https://plugins.svn.wordpress.org/maskmyadmin/), or subscribe
to the [development log](https://plugins.trac.wordpress.org/log/maskmyadmin/) by
[RSS](https://plugins.trac.wordpress.org/log/maskmyadmin/?limit=100&mode=stop_on_copy&format=rss).
## Changelog
#### 1.2.0
* **Security:** Removed debug backdoor file (debug-mma.php)
* **Security:** Fixed IP spoofing vulnerability — IP detection now uses REMOTE_ADDR
by default with configurable trusted proxy headers
* **Security:** Disabled broken 2FA feature (hardcoded bypass codes removed)
* **Security:** Fixed unescaped output throughout the plugin
* **Security:** Replaced unsafe header() redirects with wp_redirect() / wp_safe_redirect()
* **Security:** Sanitized all $_SERVER values
* **New:** Activity log — tracks login attempts and settings changes
* **New:** Email notifications — configurable alerts for blocks, failed logins,
and settings changes
* **New:** WP-CLI commands — `wp maskmy status`, `reset`, `add-ip`, `remove-ip`,`
disable`, `enable`
* **New:** Emergency recovery constant — `define('MASKMY_DISABLE', true)` in wp-
config.php
* **New:** Progressive brute-force lockout (5 attempts = 15 min, 10 = 1 hour, 20
= 24 hours)
* **New:** Proxy/CDN configuration UI for accurate IP detection behind load balancers
* **New:** Clean uninstall — removes all options, tables, transients, and .htaccess
rules
* **Fix:** Admin JavaScript now properly enqueued (was never loaded before)
* **Fix:** Setup wizard form now actually submits (added form tag, name attribute,
submit button type)
* **Fix:** Fixed broken HTML structure in dashboard (nested cards, stray form tags)
* **Fix:** Removed external Font Awesome CDN dependency — uses built-in Dashicons
* **Fix:** Removed all inline script blocks — moved to properly enqueued admin.
js
* **Fix:** Removed dead/orphaned code (unused functions, unreachable files)
* **Fix:** Htaccess_Manager now uses Singleton pattern consistently
* **Fix:** Secured backup directory with randomized name and Apache 2.2+2.4 compatible
rules
* **Improvement:** Centralized IP utility class replacing duplicate code
* **Improvement:** Consistent WordPress Coding Standards throughout
#### 1.1.0
* Added option to redirect blocked IPs to homepage or custom URL
* Improved compatibility with latest WordPress core
#### 1.0.0
* Initial release with custom login URL and IP whitelist functionality
## Meta
* Version **1.2.3**
* Last updated **1 week ago**
* Active installations **Fewer than 10**
* WordPress version ** 6.0 or higher **
* Tested up to **6.9.4**
* PHP version ** 7.4 or higher **
* Language
* [English (US)](https://wordpress.org/plugins/maskmyadmin/)
* Tags
* [custom login](https://pcd.wordpress.org/plugins/tags/custom-login/)[hide wp-admin](https://pcd.wordpress.org/plugins/tags/hide-wp-admin/)
[login security](https://pcd.wordpress.org/plugins/tags/login-security/)[secure login](https://pcd.wordpress.org/plugins/tags/secure-login/)
* [Advanced View](https://pcd.wordpress.org/plugins/maskmyadmin/advanced/)
## Ratings
No reviews have been submitted yet.
[Add my review](https://wordpress.org/support/plugin/maskmyadmin/reviews/#new-post)
[See all reviews](https://wordpress.org/support/plugin/maskmyadmin/reviews/)
## Contributors
* [ Dropals Hosting ](https://profiles.wordpress.org/dropalshosting/)
## Support
Got something to say? Need help?
[View support forum](https://wordpress.org/support/plugin/maskmyadmin/)
## Donate
Would you like to support the advancement of this plugin?
[ Donate to this plugin ](https://dropals.com/)