Title: Mask My Admin – WordPress Login Security & URL Protection
Author: Dropals Hosting
Published: 2026 年 3 月 24 日
Last modified: 2026 年 3 月 27 日
---
搜索插件
# Mask My Admin – WordPress Login Security & URL Protection
作者:[Dropals Hosting](https://profiles.wordpress.org/dropalshosting/)
[下载](https://downloads.wordpress.org/plugin/maskmyadmin.1.2.3.zip)
* [详情](https://cn.wordpress.org/plugins/maskmyadmin/#description)
* [评价](https://cn.wordpress.org/plugins/maskmyadmin/#reviews)
* [开发进展](https://cn.wordpress.org/plugins/maskmyadmin/#developers)
[支持](https://wordpress.org/support/plugin/maskmyadmin/)
## 描述
**MaskMyAdmin** is a lightweight WordPress plugin designed to enhance your login
page security by:
– Replacing the default `wp-admin` and `wp-login.php` URLs with a custom login path
of your choice
– Enforcing IP-based access controls for the WordPress dashboard
and login screen – Preventing unauthorized access or brute-force attempts by obscuring
default login endpoints
Designed for site owners and developers who want to hide their admin panel from
bots, attackers, or curious users.
Whether you’re running a blog, WooCommerce store, or enterprise WordPress install—
MaskMyAdmin gives you a simple, intuitive way to lock down your admin entry points.
**Features:**
* Change wp-admin login path to a custom one (e.g., `/secure-login`)*
Optional IP-based whitelist — restrict dashboard access to specific IPs only * Redirect
blocked attempts to a custom page or homepage * Progressive brute-force lockout (
15 min 1 hour 24 hours) * Activity log for login attempts and settings changes*
Email notifications for blocked IPs, failed logins, and settings changes * Configurable
proxy/CDN header for accurate IP detection (Cloudflare, Nginx, etc.) * WP-CLI commands
for emergency recovery and management * Emergency disable via `wp-config.php` constant*
Defense-in-depth .htaccess rules for Apache servers (PHP handles all server types)*
Lightweight and fast — minimal performance impact * Clean uninstall — all data removed
when plugin is deleted
## 屏幕截图
[⌊Settings screen to configure your custom login URL and redirection⌉⌊Settings screen
to configure your custom login URL and redirection⌉[
Settings screen to configure your custom login URL and redirection
[⌊IP whitelist management with proxy/CDN configuration⌉⌊IP whitelist management
with proxy/CDN configuration⌉[
IP whitelist management with proxy/CDN configuration
[⌊Activity log showing login attempts and settings changes⌉⌊Activity log showing
login attempts and settings changes⌉[
Activity log showing login attempts and settings changes
[[
[[
## 常见问题
### How do I change the admin URL?
After activating the plugin, go to **MaskMyAdmin** in the admin menu and enter your
desired login slug (e.g., `my-login`). Your admin URL will become `yourdomain.com/
my-login`.
### What happens to wp-login.php and wp-admin?
Both `wp-login.php` and `/wp-admin` access will redirect to the homepage or a custom
URL (configurable), effectively hiding them from bots or attackers.
### How do I enable IP whitelisting?
Under the plugin settings (Advanced Security tab), you can enable IP whitelisting
and enter allowed IP addresses. Only visitors from these IPs will be able to access
the login page.
### I’m behind Cloudflare / a proxy. How do I get the correct IP?
Go to **Advanced Security Proxy / CDN Configuration** and select the appropriate
header for your setup (e.g., “Cloudflare” for CF-Connecting-IP).
### What if I get locked out?
You have several recovery options:
1. **WP-CLI:** Run `wp maskmy disable` to disable all protections
2. **wp-config.php:** Add `define('MASKMY_DISABLE', true);` to bypass the plugin entirely
3. **FTP:** Rename the plugin folder via FTP or your hosting File Manager
### Does this work with Nginx?
Yes. The plugin uses PHP for all URL masking and IP enforcement, which works on
any server. The .htaccess rules are an additional layer for Apache servers only.
### How long are activity logs kept?
Log entries older than 30 days are automatically cleaned up daily via WP-Cron.
### What WP-CLI commands are available?
MaskMyAdmin registers the `wp maskmy` command namespace with the following subcommands:
* `wp maskmy status` — Show current configuration (login slug, redirect mode, IP
whitelist status, allowed IPs, proxy header)
* `wp maskmy reset` — Reset the login URL back to the WordPress default (`wp-login.
php`)
* `wp maskmy add-ip ` — Add an IP address or CIDR range to the whitelist (e.
g., `wp maskmy add-ip 192.168.1.100` or `wp maskmy add-ip 10.0.0.0/24`)
* `wp maskmy remove-ip ` — Remove an IP address or CIDR range from the whitelist(
auto-disables whitelist if the list becomes empty)
* `wp maskmy disable` — Disable all protections immediately (resets login slug,
redirect, and IP whitelist — useful for emergency recovery)
* `wp maskmy enable --slug=` — Re-enable protections with a custom login
slug (e.g., `wp maskmy enable --slug=my-login`). If `--slug` is omitted, re-enables
with the previously saved slug.
## 评价
此插件暂无评价。
## 贡献者及开发者
「Mask My Admin – WordPress Login Security & URL Protection」是开源软件。 以下人员
对此插件做出了贡献。
贡献者
* [ Dropals Hosting ](https://profiles.wordpress.org/dropalshosting/)
[帮助将「Mask My Admin – WordPress Login Security & URL Protection」翻译成简体中文。](https://translate.wordpress.org/projects/wp-plugins/maskmyadmin)
### 对开发感兴趣吗?
您可以[浏览代码](https://plugins.trac.wordpress.org/browser/maskmyadmin/),查看[SVN仓库](https://plugins.svn.wordpress.org/maskmyadmin/),
或通过[RSS](https://plugins.trac.wordpress.org/log/maskmyadmin/?limit=100&mode=stop_on_copy&format=rss)
订阅[开发日志](https://plugins.trac.wordpress.org/log/maskmyadmin/)。
## 更新日志
#### 1.2.0
* **Security:** Removed debug backdoor file (debug-mma.php)
* **Security:** Fixed IP spoofing vulnerability — IP detection now uses REMOTE_ADDR
by default with configurable trusted proxy headers
* **Security:** Disabled broken 2FA feature (hardcoded bypass codes removed)
* **Security:** Fixed unescaped output throughout the plugin
* **Security:** Replaced unsafe header() redirects with wp_redirect() / wp_safe_redirect()
* **Security:** Sanitized all $_SERVER values
* **New:** Activity log — tracks login attempts and settings changes
* **New:** Email notifications — configurable alerts for blocks, failed logins,
and settings changes
* **New:** WP-CLI commands — `wp maskmy status`, `reset`, `add-ip`, `remove-ip`,`
disable`, `enable`
* **New:** Emergency recovery constant — `define('MASKMY_DISABLE', true)` in wp-
config.php
* **New:** Progressive brute-force lockout (5 attempts = 15 min, 10 = 1 hour, 20
= 24 hours)
* **New:** Proxy/CDN configuration UI for accurate IP detection behind load balancers
* **New:** Clean uninstall — removes all options, tables, transients, and .htaccess
rules
* **Fix:** Admin JavaScript now properly enqueued (was never loaded before)
* **Fix:** Setup wizard form now actually submits (added form tag, name attribute,
submit button type)
* **Fix:** Fixed broken HTML structure in dashboard (nested cards, stray form tags)
* **Fix:** Removed external Font Awesome CDN dependency — uses built-in Dashicons
* **Fix:** Removed all inline script blocks — moved to properly enqueued admin.
js
* **Fix:** Removed dead/orphaned code (unused functions, unreachable files)
* **Fix:** Htaccess_Manager now uses Singleton pattern consistently
* **Fix:** Secured backup directory with randomized name and Apache 2.2+2.4 compatible
rules
* **Improvement:** Centralized IP utility class replacing duplicate code
* **Improvement:** Consistent WordPress Coding Standards throughout
#### 1.1.0
* Added option to redirect blocked IPs to homepage or custom URL
* Improved compatibility with latest WordPress core
#### 1.0.0
* Initial release with custom login URL and IP whitelist functionality
## 额外信息
* 版本 **1.2.3**
* 最后更新:**3 月前**
* 活跃安装数量 **30+**
* WordPress 版本 ** 6.0 或更高版本 **
* 已测试的最高版本为 **6.9.4**
* PHP 版本 ** 7.4 或更高版本 **
* 语言
* [English (US)](https://wordpress.org/plugins/maskmyadmin/)
* 标签
* [custom login](https://cn.wordpress.org/plugins/tags/custom-login/)[hide wp-admin](https://cn.wordpress.org/plugins/tags/hide-wp-admin/)
[login security](https://cn.wordpress.org/plugins/tags/login-security/)[secure login](https://cn.wordpress.org/plugins/tags/secure-login/)
* [高级视图](https://cn.wordpress.org/plugins/maskmyadmin/advanced/)
## 评级
尚未提交反馈。
[Your review](https://wordpress.org/support/plugin/maskmyadmin/reviews/#new-post)
[查看全部评论](https://wordpress.org/support/plugin/maskmyadmin/reviews/)
## 贡献者
* [ Dropals Hosting ](https://profiles.wordpress.org/dropalshosting/)
## 支持
有话要说吗?是否需要帮助?
[查看支持论坛](https://wordpress.org/support/plugin/maskmyadmin/)
## 捐助
您愿意支持这个插件的发展吗?
[ 捐助此插件 ](https://dropals.com/)