Mask My Admin – WordPress Login Security & URL Protection

by Dropals Hosting

Description

MaskMyAdmin is a lightweight WordPress plugin designed to enhance your login page security by:

– Replacing the default wp-admin and wp-login.php URLs with a custom login path of your choice
– Enforcing IP-based access controls for the WordPress dashboard and login screen
– Preventing unauthorized access or brute-force attempts by obscuring default login endpoints

Designed for site owners and developers who want to hide their admin panel from bots, attackers, or curious users.

Whether you’re running a blog, WooCommerce store, or enterprise WordPress install — MaskMyAdmin gives you a simple, intuitive way to lock down your admin entry points.

Features:
* Change wp-admin login path to a custom one (e.g., /secure-login)
* Optional IP-based whitelist — restrict dashboard access to specific IPs only
* Redirect blocked attempts to a custom page or homepage
* Progressive brute-force lockout (15 min 1 hour 24 hours)
* Activity log for login attempts and settings changes
* Email notifications for blocked IPs, failed logins, and settings changes
* Configurable proxy/CDN header for accurate IP detection (Cloudflare, Nginx, etc.)
* WP-CLI commands for emergency recovery and management
* Emergency disable via wp-config.php constant
* Defense-in-depth .htaccess rules for Apache servers (PHP handles all server types)
* Lightweight and fast — minimal performance impact
* Clean uninstall — all data removed when plugin is deleted

Screenshots

Settings screen to configure your custom login URL and redirection
IP whitelist management with proxy/CDN configuration
Activity log showing login attempts and settings changes

Faq

How do I change the admin URL?

After activating the plugin, go to MaskMyAdmin in the admin menu and enter your desired login slug (e.g., my-login). Your admin URL will become yourdomain.com/my-login.

How do I enable IP whitelisting?

Under the plugin settings (Advanced Security tab), you can enable IP whitelisting and enter allowed IP addresses. Only visitors from these IPs will be able to access the login page.

I’m behind Cloudflare / a proxy. How do I get the correct IP?

Go to Advanced Security Proxy / CDN Configuration and select the appropriate header for your setup (e.g., “Cloudflare” for CF-Connecting-IP).

What if I get locked out?

You have several recovery options:

WP-CLI: Run wp maskmy disable to disable all protections
wp-config.php: Add define('MASKMY_DISABLE', true); to bypass the plugin entirely
FTP: Rename the plugin folder via FTP or your hosting File Manager

Does this work with Nginx?

Yes. The plugin uses PHP for all URL masking and IP enforcement, which works on any server. The .htaccess rules are an additional layer for Apache servers only.

How long are activity logs kept?

Log entries older than 30 days are automatically cleaned up daily via WP-Cron.

What WP-CLI commands are available?

MaskMyAdmin registers the wp maskmy command namespace with the following subcommands:

wp maskmy status — Show current configuration (login slug, redirect mode, IP whitelist status, allowed IPs, proxy header)
wp maskmy reset — Reset the login URL back to the WordPress default (wp-login.php)
wp maskmy add-ip <ip> — Add an IP address or CIDR range to the whitelist (e.g., wp maskmy add-ip 192.168.1.100 or wp maskmy add-ip 10.0.0.0/24)
wp maskmy remove-ip <ip> — Remove an IP address or CIDR range from the whitelist (auto-disables whitelist if the list becomes empty)
wp maskmy disable — Disable all protections immediately (resets login slug, redirect, and IP whitelist — useful for emergency recovery)
wp maskmy enable --slug=<slug> — Re-enable protections with a custom login slug (e.g., wp maskmy enable --slug=my-login). If --slug is omitted, re-enables with the previously saved slug.

Reviews

Changelog

1.2.0

Security: Removed debug backdoor file (debug-mma.php)
Security: Fixed IP spoofing vulnerability — IP detection now uses REMOTE_ADDR by default with configurable trusted proxy headers
Security: Disabled broken 2FA feature (hardcoded bypass codes removed)
Security: Fixed unescaped output throughout the plugin
Security: Replaced unsafe header() redirects with wp_redirect() / wp_safe_redirect()
Security: Sanitized all $_SERVER values
New: Activity log — tracks login attempts and settings changes
New: Email notifications — configurable alerts for blocks, failed logins, and settings changes
New: WP-CLI commands — wp maskmy status, reset, add-ip, remove-ip, disable, enable
New: Emergency recovery constant — define('MASKMY_DISABLE', true) in wp-config.php
New: Progressive brute-force lockout (5 attempts = 15 min, 10 = 1 hour, 20 = 24 hours)
New: Proxy/CDN configuration UI for accurate IP detection behind load balancers
New: Clean uninstall — removes all options, tables, transients, and .htaccess rules
Fix: Admin JavaScript now properly enqueued (was never loaded before)
Fix: Setup wizard form now actually submits (added form tag, name attribute, submit button type)
Fix: Fixed broken HTML structure in dashboard (nested cards, stray form tags)
Fix: Removed external Font Awesome CDN dependency — uses built-in Dashicons
Fix: Removed all inline script blocks — moved to properly enqueued admin.js
Fix: Removed dead/orphaned code (unused functions, unreachable files)
Fix: Htaccess_Manager now uses Singleton pattern consistently
Fix: Secured backup directory with randomized name and Apache 2.2+2.4 compatible rules
Improvement: Centralized IP utility class replacing duplicate code
Improvement: Consistent WordPress Coding Standards throughout

1.1.0

Added option to redirect blocked IPs to homepage or custom URL
Improved compatibility with latest WordPress core

1.0.0

Initial release with custom login URL and IP whitelist functionality