Title: MSC Stealth Login
Author: djm56
Published: <strong>28 می 2026</strong>
Last modified: 28 می 2026

---

جستجوی افزونه‌ها

![](https://ps.w.org/msc-stealth-login/assets/banner-772x250.png?rev=3552383)

![](https://ps.w.org/msc-stealth-login/assets/icon-256x256.png?rev=3552383)

# MSC Stealth Login

 توسط [djm56](https://profiles.wordpress.org/djm56/)

[دانلود](https://downloads.wordpress.org/plugin/msc-stealth-login.1.0.8.zip)

 * [جزئیات](https://fa.wordpress.org/plugins/msc-stealth-login/#description)
 * [نقد و بررسی‌ها](https://fa.wordpress.org/plugins/msc-stealth-login/#reviews)
 *  [نصب](https://fa.wordpress.org/plugins/msc-stealth-login/#installation)
 * [توسعه](https://fa.wordpress.org/plugins/msc-stealth-login/#developers)

 [پشتیبانی](https://wordpress.org/support/plugin/msc-stealth-login/)

## توضیحات

MSC Stealth Login provides comprehensive protection for your WordPress login page,
blocking attackers while keeping your site accessible to legitimate users.

**Stealth Login URL**

Change your login page from `/wp-login.php` to a custom URL like `/secure-login/`.
Attackers scanning for standard WordPress login pages will be blocked before they
can even attempt a brute force attack.

**wp-admin Protection**

Block direct access to `/wp-admin/` for users who aren’t logged in. They’ll be redirected
to your custom login page instead, preventing exposure of your admin area.

**Brute Force Protection**

After failed login attempts, MSC Stealth Login progressively increases lockout durations.
First-time offenders wait 15 minutes, repeat offenders face increasingly longer 
delays. This stops automated attacks while minimizing disruption to real users who
mistype their password.

**Email Notifications**

Stay informed about security events with configurable email alerts:

 * Lockout notifications when IPs are blocked
 * Admin login alerts for every administrator sign-in
 * New IP alerts when users log in from previously unseen locations

**Login History & Export**

Track all login attempts with detailed logging. Filter by IP address, username, 
result type, or date range. Export reports to CSV for security audits.

**XML-RPC & REST API Protection**

Disable vulnerable XML-RPC endpoints commonly exploited for brute force attacks.
Block REST API user enumeration that lets attackers harvest usernames.

**IP Whitelist**

Bypass protection for trusted IP addresses. Add your office, home, or server IPs
to ensure uninterrupted access while maintaining maximum security for everyone else.

**Progressive Lockout System**

Unlike simple lockouts that reset immediately, MSC Stealth Login uses a multiplier
system. Each successive lockout doubles the wait time (15 min  30 min  60 min  120
min). The multiplier resets after 24 hours without an attempt, balancing security
with usability.

**Recovery URL**

Forgot your custom login URL? No problem. The recovery system lets you regain access
through a secure bypass URL that’s displayed in your WordPress admin bar when logged
in.

### Privacy

MSC Stealth Login collects the following data to provide its security features:

 * **IP Addresses**: Logged for every login attempt (successful, failed, and locked
   out) to enable brute force protection and login history.
 * **Usernames**: Logged with each login attempt to help administrators identify
   targeted accounts.
 * **User Agents**: Logged with each login attempt for security auditing.
 * **Login History**: All login attempts are stored in the database and can be viewed
   in the History tab or exported as CSV.

Data collection only occurs when the plugin is active. All collected data is stored
in your WordPress database and is not sent to any external services. Administrators
can clear login history at any time from the History tab.

This plugin does not use cookies or third-party tracking.

## عکس‌های صفحه

 * [[
 * Settings tab – Configure your custom login URL and security options
 * [[
 * Advanced tab – Enable brute force protection and security features
 * [[
 * Email tab – Configure email notifications for lockouts and alerts
 * [[
 * History tab – View login attempts with filters and CSV export

## نصب

 1. **Upload** the plugin files to `/wp-content/plugins/msc-stealth-login/` directory
 2. **Activate** the plugin through the ‘Plugins’ menu in WordPress
 3. **Navigate** to Settings  MSC Stealth Login
 4. **Configure** your custom login URL (e.g., `/secure-login/`)
 5. **Enable** additional security features as needed (brute force protection, email
    alerts, etc.)
 6. **Save** your recovery URL somewhere safe — bookmark it or store it securely

**Important:** After activation, immediately bookmark your new login URL and save
your recovery URL in a secure location.

## سوالات متداول

### How does the stealth login work?

MSC Stealth Login uses WordPress rewrite rules to redirect requests from the standard`/
wp-login.php` to your custom URL. When visitors try to access the old login page,
they’re blocked and redirected. The custom URL only works when you explicitly configure
it.

### Will this break my site or existing plugins?

The plugin is designed to work with standard WordPress installations and popular
plugins. The custom login URL and wp-admin protection may conflict with plugins 
that have their own login flows. Always test on a staging site first, and keep your
recovery URL bookmarked.

### What happens if I forget my custom login URL?

Use the recovery URL system. When logged in, your WordPress admin bar shows the 
recovery URL. Alternatively, access your site via FTP or hosting control panel and
rename the plugin folder to disable it temporarily.

### How do I recover access if I’m locked out?

Wait for the lockout period to expire (starts at 15 minutes and increases with repeat
attempts). If you need immediate access, disable the plugin via FTP by renaming 
the plugin folder. Your IP can also be added to the whitelist if you have database
access.

### Does this work with caching plugins?

Yes, but ensure your login pages aren’t cached. Most caching plugins have options
to exclude specific pages. You’ll want to exclude your custom login URL and wp-admin
directory from caching.

### Can I use this with Wordfence/other security plugins?

Generally yes, but some security plugins have overlapping features. You may want
to disable redundant features (like brute force protection) in one plugin to avoid
conflicts. Test thoroughly before deploying to production.

### How do the email notifications work?

Navigate to Settings  MSC Stealth Login  Email tab. Enable the notifications you
want and customize the subject and body using placeholders: `{ip}`, `{attempts}`,`{
time}`, `{site_name}`, `{site_url}`. Notifications are sent immediately when events
occur.

### Is there a premium version?

No, all features are included in the free version. There is no premium version or
paid upgrade.

## نقد و بررسی‌ها

نقد و بررسی‌ای برای این افزونه یافت نشد.

## توسعه دهندگان و همکاران

“MSC Stealth Login” نرم افزار متن باز است. افراد زیر در این افزونه مشارکت کرده‌اند.

مشارکت کنندگان

 *   [ djm56 ](https://profiles.wordpress.org/djm56/)

[ترجمه “MSC Stealth Login” به زبان شما.](https://translate.wordpress.org/projects/wp-plugins/msc-stealth-login)

### علاقه‌ مند به توسعه هستید؟

[Browse the code](https://plugins.trac.wordpress.org/browser/msc-stealth-login/),
check out the [SVN repository](https://plugins.svn.wordpress.org/msc-stealth-login/),
or subscribe to the [development log](https://plugins.trac.wordpress.org/log/msc-stealth-login/)
by [RSS](https://plugins.trac.wordpress.org/log/msc-stealth-login/?limit=100&mode=stop_on_copy&format=rss).

## گزارش تغییرات

#### 1.0.8

 * **Fixed**: Updated plugin metadata to WordPress 7.0 compatibility (`Tested up
   to: 7.0`).
 * **Fixed**: Renamed global init callback to prefixed function name for Plugin 
   Check naming compliance.
 * **Fixed**: Removed discouraged `load_plugin_textdomain()` call for WordPress.
   org translation loading compliance.
 * **Fixed**: Refactored login history SQL query assembly to avoid interpolated 
   dynamic WHERE fragments and ensure placeholder/replacement parity in `$wpdb->
   prepare()`.
 * **Fixed**: Replaced direct `usermeta` cleanup queries in uninstall with `delete_metadata()`
   API.
 * **Updated**: Release version bumped to `1.0.8`.

#### 1.0.7

 * **Security**: Fixed IP spoofing vulnerability — now defaults to REMOTE_ADDR; 
   proxy headers only trusted when explicitly enabled via new `trust_proxy` option.
 * **Security**: Removed broad `redirect_to` exception that allowed bypassing login
   block.
 * **Security**: Added CSV formula injection prevention for data exports.
 * **Fixed**: Added `load_plugin_textdomain()` so translation files are loaded correctly.
 * **Fixed**: Converting closures to named methods for removability.
 * **Fixed**: Added `settings_errors()` output on settings page.
 * **Fixed**: Refactored SQL sentinel pattern to dynamic WHERE clauses for index
   utilisation.
 * **Fixed**: URL-safe validation for custom login slug.
 * **Fixed**: Synchronized reserved slug list between PHP and JavaScript.
 * **Fixed**: Double-escaping in login URL display.
 * **Fixed**: `esc_attr_e()` in JS onclick handlers replaced with `esc_js()`.
 * **Fixed**: `esc_html__()` in plain text email bodies replaced with `__()`.
 * **Fixed**: `esc_html__()` in `wp_localize_script()` replaced with `__()`.
 * **Fixed**: `esc_url()` in input value attributes replaced with `esc_attr()`.
 * **Fixed**: Timezone-sensitive date calculation using `gmdate()` + `DAY_IN_SECONDS`.
 * **Fixed**: Incomplete translator comment for lockout email.
 * **Fixed**: Orphan user meta cleanup on uninstall.
 * **Fixed**: `delete_transient()` instead of `delete_option()` for transients.

#### 1.0.6

 * Fixed: Removed inline `<script>` from data tracking notice and moved dismiss 
   logic to admin.js with localized nonce (WordPress.org review compliance).
 * Fixed: Replaced hardcoded `/wp-login.php` URL paths with `wp_login_url()` + `
   add_query_arg()` for subdirectory WordPress compatibility.
 * Fixed: Added missing translators comment for data tracking notice string (Plugin
   Check compliance).
 * Fixed: Added phpcs:ignore comments for custom table direct database queries (
   Plugin Check compliance).

#### 1.0.5

 * Fixed: CIDR IP whitelist matching now works correctly for subnet ranges.
 * Fixed: Recovery token comparison now uses timing-safe comparison (hash_equals).
 * Fixed: Lockout message output now properly escaped.
 * Fixed: Recovery token option key renamed from msc_recovery_token to mscsl_recovery_token
   for namespace consistency, with automatic migration.
 * Fixed: Plugin header tab character removed for parser compatibility.
 * Added: Privacy admin notice informing administrators about data collection (IP
   addresses, usernames, user agents, login history).
 * Added: Database schema version tracking for future upgrade path.
 * Added: Privacy Policy section to plugin documentation.

#### 1.0.4

 * Changed: Inlined CSS styles on error page elements for simpler standalone page
   rendering.
 * Removed: External CSS file for error pages (no longer needed).
 * Removed: Frontend style registration hooks (no longer needed).

#### 1.0.3

 * Fixed: Extracted inline CSS to external stylesheet file per WordPress.org review
   requirements.
 * Fixed: Created template files for lockout and blocked error pages.
 * Added: X-Frame-Options and X-Content-Type-Options security headers to error pages.

#### 1.0.2

 * Fixed: Plugin Check errors for unescaped database parameters in query methods.
 * Fixed: Plugin Check error for fclose() on php://output stream — added phpcs:ignore.
 * Fixed: DROP TABLE query now uses direct query instead of prepare() (table names
   cannot be prepared).
 * Fixed: Added phpcs:ignore comments for nonce verification warnings in frontend
   security filters.
 * Fixed: Added cleanup of flush rewrite rules transient in uninstall.

#### 1.0.1

 * Fixed: Custom login URL now works immediately after plugin activation without
   manual permalink flush.
 * Fixed: Custom login URL now works immediately after changing the slug in settings.

#### 1.0.0

 * Initial release
 * Custom login URL with rewrite rules
 * wp-admin blocking and redirect
 * Brute force protection with configurable lockouts
 * Email notifications (lockout, admin alert, new IP)
 * Login history with filtering and CSV export
 * XML-RPC endpoint disable option
 * REST API user enumeration blocking
 * IP whitelist for bypassing protection
 * Progressive lockout delay multiplier
 * Recovery URL system for forgotten login URLs

## اطلاعات

 *  نگارش **1.0.8**
 *  Last updated **1 روز پیش**
 *  نصب‌های فعال **کمتر از 10**
 *  نگارش وردپرس ** 5.9 یا بالاتر **
 *  Tested up to **7.0**
 *  نگارش PHP ** 7.4 یا بالاتر **
 *  زبان
 * [English (US)](https://wordpress.org/plugins/msc-stealth-login/)
 * Tags
 * [Brute Force](https://fa.wordpress.org/plugins/tags/brute-force/)[login](https://fa.wordpress.org/plugins/tags/login/)
   [security](https://fa.wordpress.org/plugins/tags/security/)[stealth](https://fa.wordpress.org/plugins/tags/stealth/)
   [wp-admin](https://fa.wordpress.org/plugins/tags/wp-admin/)
 *  [نمایش پیشرفته](https://fa.wordpress.org/plugins/msc-stealth-login/advanced/)

## امتیازها

هنوز هیچ نقدی ارسال نشده است.

[Your review](https://wordpress.org/support/plugin/msc-stealth-login/reviews/#new-post)

[مشاهده همه بررسی‌ها](https://wordpress.org/support/plugin/msc-stealth-login/reviews/)

## مشارکت کنندگان

 *   [ djm56 ](https://profiles.wordpress.org/djm56/)

## پشتیبانی

چیزی برای گفتن دارید؟ نیاز به کمک دارید؟

 [مشاهده انجمن پشتیبانی](https://wordpress.org/support/plugin/msc-stealth-login/)

## کمک مالی

آیا تمایل دارید از پیشرفت این افزونه حمایت کنید؟

 [ کمک مالی به این افزونه ](https://anomalous.co.za/donate)