# Hide Login Page:
One of the easiest way to know whether a site uses WordPress or not is by adding /wp-login.php to the site URL. If you enable ‘Hide Login Page’ option, www.YourDomain.com/wp-login.php will return 404 error page.
You’ll only be able to access the login page using the secret key. The secret key is a combination of “Login Query” and “Admin Login Key”. For example, if “Login Query” is set to ‘hide_my_wp’ and “Admin Login Key” is set to ‘1234’, then the login URL will be:
Note: This is the default login URL if you apply one of the pre-made settings.
# Hide Admin:
Like wp-login.php, you can also prevent direct access to /wp-admin by enabling “Hide Admin” option.
# Spy Notify:
If you enable this option an email will be sent to site admin whenever someone visits 404 page. This email includes some details about URL and user so you can find broken links and user who is researching about your site. Please note that if you have a high traffic website then a broken link may send lots of email.
Enabling this option will block automatic spam in comments section. Disable this option if you are using another anti-spam plugin.
# Full Hide:
If your site can be discovered by CMS finder tools. Use this feature for even more privacy
# Hide Other Files:
There are some WP files that are not PHP file (like license.txt, wp-includes, /wp-content/debug.log, etc.) but can be used to indicate whether it’s a WordPress site or not. Enabling this option will hide such files.
# Directory List:
Enable this option to disable directory listing and to hide other .txt files.
# Canonical Redirect:
If you enable permalink structure, WordPress redirects old queries URLs (like ?p=2) to new one. If you want to use queries URLs then you should enable this option.
# Hide Admin Bar:
Enable this option to hide admin bar for untrusted users.
# 404 Page Template:
When a user requests the hidden or unavailable files HMWP displays 404 page instead. You can use default 404 page from your current theme (this is default setting) or make a new page in your WordPress admin and use it as 404 page.
# Trusted User Roles:
If you hide wp-admin folder other members can’t see WordPress admin (even if they logged in successfully). You should choose their roles here to allow them to use admin panel. Administrators are trusted by default.
# Replace Mode:
HMWP automatically replaces old URLs with new addresses. If you use a shared hosting or don’t have any cache plugin this may make your site a little slow. Here you have two choices: Partial mode and Full Page mode. First option
will only replace URLs when needed but second option scan all the output. In most cases Quick mode is enough and will work correctly but if you are using plugin that generates old URLs then Full Page mode will be helpful. If you use a caching plugin (even with minimum configuration) you can freely ignore all quick modes.
# Customized htaccess:
Enable this option if you don’t want to allow HMWP to auto-update htaccess file. In this case, you’ll need to manually add HMWP rules in htaccess file by clicking on “manual configuration” button and following the steps mentioned there.
# CDN Path:
If you are using CDN then enter your CDN URL here.
# Email sender name / Email sender address:
Enter the email sender’s name and email address here. Default sender address is firstname.lastname@example.org. You can change it to email@example.com, firstname.lastname@example.org or something similar.
# Hide PHP Files:
This is an important feature and blocks direct access to all PHP files. This option greatly increase security but you should use it carefully. Some plugins/theme need direct access to php files (e.g. for importing feeds there is an import.php or for AJAX operations an ajax.php). To make these plugins work you need to know these files and add their path to “Exclude Files” list.
Please note that index.php and other PHP files used by WP are in exception list by default. wp-login.php will be controlled by it’s own option in General Settings tab.
There are also two options that helps you to use this feature without compatibility issues (exclude theme files and exclude plugins files).