WPS Hide Login, a plugin that hides the location of the WordPress admin login page, has been found vulnerable. The flaw makes WPS Hide Login completely useless: the plugin’s main purpose is to hide the login page, and the flaw reveals it. The default login page of the WordPress administration panel is located at « /wp-admin ».
Update the plugin immediately
Version 1.9.1 fixes the WPS Hide Login vulnerability. Users should update immediately to prevent possible attacks targeting the login page.
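For administrators who run several sites on one server, the following added example (not code from the plugin or from this article) finds every copy of the plugin under a directory and flags those older than 1.9.1. It assumes the plugin lives in a directory named `wps-hide-login` and reads the standard `Version:` plugin header; the function names and the sample sites are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

FIXED = (1, 9, 1)        # fixed release named in the article
SLUG = "wps-hide-login"  # assumption: the plugin's directory name
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\d+(?:\.\d+)*)", re.I | re.M)

def parse_version(header_text):
    """Return the header's Version as a tuple of ints, or None."""
    m = VERSION_RE.search(header_text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def installed_version(plugin_dir):
    """Read the Version header from the plugin's main PHP file."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        # WordPress only reads the first 8 KB of a file for headers.
        head = php.read_bytes()[:8192].decode("utf-8", "replace")
        if "Plugin Name:" in head:   # only the main file carries this
            return parse_version(head)
    return None

def audit(root):
    """List (site, version, status) for every copy of the plugin under root."""
    results = []
    for plugin_dir in sorted(Path(root).glob(f"**/wp-content/plugins/{SLUG}")):
        version = installed_version(plugin_dir)
        if version is None:
            status = "unknown"       # header missing: inspect by hand
        else:
            status = "vulnerable" if version < FIXED else "patched"
        site = plugin_dir.parents[2].relative_to(root).as_posix()
        results.append((site, version, status))
    return results

def make_sample_tree(root):
    """Constructed sample: three fake sites with different plugin versions."""
    for site, ver in (("site-a", "1.9"), ("site-b", "1.9.1"), ("site-c", "1.10.2")):
        d = Path(root, site, "wp-content", "plugins", SLUG)
        d.mkdir(parents=True)
        (d / "index.php").write_text("<?php // Silence is golden.\n")
        (d / f"{SLUG}.php").write_text(
            f"<?php\n/*\nPlugin Name: WPS Hide Login\nVersion: {ver}\n*/\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_tree(tmp)
        for site, version, status in audit(tmp):
            print(f"{site}: {version} -> {status}")
```

Versions are compared as integer tuples, so 1.10.2 is correctly treated as newer than 1.9.1, which a plain string comparison would get wrong.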
Changing the login page path is important to prevent brute-force attacks
WordPress administrators generally want to change the login page’s default location as an extra security layer against brute-force login attacks. This can’t be done through standard WordPress settings, so administrators use plugins such as WPS Hide Login to hide it.
The other way to hide the admin page is to put WordPress into a randomly named directory on the server, so that /wp-admin.php appears under « www.xyz.site/random-folder/wp-admin ».
Changing the administrator login page is quite important. The login page is a primary target for hackers and bots who want to try brute-force attacks. Instead of losing time searching for the login page, they often try the default login page location. If they can’t find the login page under /wp-admin, they just move on to other websites that use the login page under the default location.