by frereubu 2600 days ago
This plugin allows you to rename the login page - https://wordpress.org/plugins/rename-wp-login/. It says untested with the last three versions of WordPress, but we use it on all our sites and have had no issues. It also doesn't redirect non-logged-in requests for /wp-admin/ to the login URL like the standard setup, so it doesn't make the new login URL available in any way. We were experiencing server slowdowns because of brute force attacks and this plugin really helped.

The best thing to do after that is to set up an .htaccess rule to return a 401 Forbidden error for /wp-login.php, because even with the plugin above the request is processed by PHP, which can still slow things down depending on the intensity of the attack.

This is obviously just security through obscurity, and you need other security measures in place too. Having said that, I find plugins like WordFence are overkill and often confusing, although we build WP sites from scratch so we control a lot of that side of things ourselves, and use a WP-focused hosting service which takes care of the other things like server-level security.
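An added example (not from the comment above) of the Apache rule the commenter describes: a `<Files>` block in `.htaccess` so the web server rejects requests for the stock login script before PHP is ever invoked. It assumes Apache 2.4 (the `Require` syntax) and that the renamed login URL is served by the plugin, so this rule does not affect it. Note that Apache's `Require all denied` answers with a 403 Forbidden, not a 401; 401 is the "Unauthorized" status used when HTTP authentication is requested. The optional allow-list variant, with an example office IP range, is an assumption for illustration.

```apache
# Added example, not code from the thread or the plugin.
# Assumes Apache 2.4 and that the real login page lives at a
# plugin-chosen URL, so nothing legitimate hits wp-login.php.

# Variant 1: deny everyone. Apache returns 403 Forbidden and the
# request never reaches PHP, so brute-force traffic costs almost nothing.
<Files "wp-login.php">
    Require all denied
</Files>

# Variant 2 (alternative to variant 1, not in addition): keep the stock
# page reachable only from a known network. 192.0.2.0/24 is a
# documentation range used here as a placeholder for your own addresses.
# <Files "wp-login.php">
#     Require ip 192.0.2.0/24
# </Files>

# Apache 2.2 equivalent of variant 1, if mod_access_compat is all you have:
# <Files "wp-login.php">
#     Order deny,allow
#     Deny from all
# </Files>
```

Check the rule from outside the server with `curl -I https://example.com/wp-login.php` (placeholder host): the response should be `HTTP/1.1 403 Forbidden`, and the access log should show the request without a matching PHP-FPM or mod_php entry. Also confirm the renamed login URL still returns 200, since `<Files>` matches on the filesystem name and a plugin that rewrites the pretty URL to `wp-login.php` internally may still work, whereas one that relies on the client requesting `wp-login.php?...` directly will be blocked as well.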


Do not use that plugin. It has an unintentional back door where you can just bypass it completely and get the login screen. All of the forked plugins that are based on it, that I have seen, have the same issue.

Plus, since it's more than 3 versions old, many of the security plugins will flag it. If it's your site, that's fine. If you have set a site up for someone else, it's hard to explain that it's ok to use this plugin.

Can you give me more detail than "unintentional back door"? I'm obviously interested, but it's difficult to know what to do without more of a pointer on what the issue is.

Edit: Found this - https://github.com/ellatrix/rename-wp-login/issues/27 - and can reproduce that behaviour, so I'm going to start looking for something new, or potentially taking over that plugin.

Edit 2: This seems to be a maintained fork that is in active development and covers the issues on the original abandoned GitHub repo - https://wordpress.org/plugins/wps-hide-login/

Could you recommend some real[0] WP-focused providers? Since the company I work for has several WP websites with relatively high traffic, we've been looking for such providers, tested some, but ended up running some VPSes to have the ability to set them up properly. Since those servers are self-managed this is obviously a sub-optimal solution, as we have to maintain them, so a reliable hosting provider would be great.

[0] "real" as opposed to a provider that has a great WP-related pitch but in reality is just regular shared hosting with no actual WordPress-oriented optimizations/enhancements.

We've been using a VPS-1 on Pagely for a few years now, and are generally very happy with the service. They take away the management of Ubuntu and security hardening etc, but give you control where you need it such as SSH access - I've written a few bash scripts that use WP-CLI to make it easier to manage multiple sites. We've had one or two small issues, but all fixed quickly, and nothing of the sort that made us start looking elsewhere. You sometimes have to be persistent with first-line support, but things generally get escalated appropriately if necessary.

The one real gripe I have is that they rewrote their control panel as an SPA, and I think it's made it much less usable. It's difficult to do things like open a link in a new window, and state doesn't always remain or update in the right way - for example, you can lengthen and sort a list, go to an item, use the back button and you have to lengthen and sort the list again. However, I don't use that control panel enough to make it a serious time drag, and they're apparently writing an API which should cover most of my use cases.