WP-Safety

Block wp-login Security & Risk Analysis

wordpress.org/plugins/block-wp-login

This plugin completely blocks access to wp-login.php and creates a new secret login URL

600 active installs v1.5.5 PHP 5.6+ WP 3.5.0+ Updated Dec 4, 2025
block-hackerslogin-securitysecuresecuritysecurity-plugin
99
A · Safe
CVEs total1
Unpatched0
Last CVEJun 27, 2019
Plugin page Download
Safety Verdict

Is Block wp-login Safe to Use in 2026?

Generally Safe

Score 99/100

Block wp-login has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVELast CVE: Jun 27, 2019Updated 4mo ago
Risk Assessment

The 'block-wp-login' v1.5.5 plugin exhibits a mixed security posture. On the positive side, it demonstrates good practices by utilizing prepared statements for all its SQL queries and shows a high percentage of properly escaped output. The absence of external HTTP requests and the presence of nonce and capability checks are also strengths. However, a significant concern arises from the single unprotected AJAX handler, which presents an immediate attack vector. The plugin's vulnerability history includes one high-severity Cross-Site Request Forgery (CSRF) in the past, although it is currently unpatched. While the current static analysis did not reveal critical or high severity taint flows, the unprotected AJAX endpoint combined with the past CSRF vulnerability suggests a potential for exploitation if new vulnerabilities are introduced or if the existing protection mechanisms are bypassed.

Key Concerns

  • Unprotected AJAX handler
  • Past high severity CVE (CSRF)
Vulnerabilities
1

Block wp-login Security Vulnerabilities

CVEs by Year

1 CVE in 2019
2019
Patched Has unpatched

Severity Breakdown

High
1

1 total CVE

WF-07ea9b9b-e28f-484f-9338-8d40f3f8d6d2-block-wp-loginhigh · 8.8Cross-Site Request Forgery (CSRF)

Block WP Login <= 1.3.0 - Cross-Site Request Forgery

Jun 27, 2019 Patched in 1.3.2 (1671d)
Code Analysis
Analyzed Mar 16, 2026

Block wp-login Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
4 prepared
Unescaped Output
4
140 escaped
Nonce Checks
2
Capability Checks
1
File Operations
2
External Requests
0
Bundled Libraries
0

SQL Query Safety

100% prepared4 total queries

Output Escaping

97% escaped144 total outputs
Data Flows
All sanitized

Data Flow Analysis

2 flows
bwpl_configure_slug (block-wp-login.php:75)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface
1 unprotected

Block wp-login Attack Surface

Entry Points1
Unprotected1

AJAX Handlers 1

authwp_ajax_dismiss_bwpl_notice_handlerblock-wp-login.php:59
WordPress Hooks 19
actionadmin_initblock-wp-login.php:32
actionadmin_initblock-wp-login.php:39
filterlogin_urlblock-wp-login.php:43
filterlogout_urlblock-wp-login.php:44
filterwp_redirectblock-wp-login.php:45
filterlogout_redirectblock-wp-login.php:46
filterlostpassword_urlblock-wp-login.php:47
actionadmin_noticesblock-wp-login.php:51
actionadmin_noticesblock-wp-login.php:58
actionwp_loginblock-wp-login.php:63
filterlogin_urlblock-wp-login.php:100
filterlogout_urlblock-wp-login.php:101
filterlogout_redirectblock-wp-login.php:102
filterlostpassword_urlblock-wp-login.php:103
filterlogout_urlblock-wp-login.php:465
filterlogout_redirectblock-wp-login.php:466
filterlostpassword_urlblock-wp-login.php:467
actionadmin_noticesblock-wp-login.php:614
filterplugin_row_metaincludes\class-bwpl-common.php:283
Maintenance & Trust

Block wp-login Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4
Last updatedDec 4, 2025
PHP min version5.6
Downloads20K

Community Trust

Rating94/100
Number of ratings9
Active installs600
Alternatives

Block wp-login Alternatives

Virus Finder

Virus Finder

virus-finder

A
100

Find viruses in your WordPress easily. Virus scan, malware finder.

100 No CVEs
BulletProof Security

BulletProof Security

bulletproof-security

A
89

WordPress Security Protection: Malware scanner, Firewall, Login Security, DB Backup, Anti-Spam...

30K 12 CVEs
SX User Name Security

SX User Name Security

user-name-security

A
100

SX User Name Security prevents WordPress from showing your real Login everywhere. It ovverides the body_class function, User Nicename, Nickname and Di &hellip;

1K No CVEs
Integrity Checker

Integrity Checker

integrity-checker

A
100

The WordPress Integrity Checker checks your WordPress installation by detecting modified files, permissions issues and other common problems.

200 No CVEs
GuardianKey

GuardianKey

guardiankey

A
100

GuardianKey is a service to protect systems in real-time against authentication attacks. It implements GK Auth Security for login protection and GKTin &hellip;

20 No CVEs
Developer Profile

Block wp-login Developer Profile

Oliver Campion

12 plugins · 43K total installs

79
trust score
Avg Security Score
100/100
Avg Patch Time
869 days
View full developer profile
Detection Fingerprints

How We Detect Block wp-login

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/block-wp-login/css/bwpl.css
Script Paths
/wp-content/plugins/block-wp-login/js/bwpl.js
Version Parameters
block-wp-login/css/bwpl.css?ver=block-wp-login/js/bwpl.js?ver=

HTML / DOM Fingerprints

HTML Comments
<!-- wp:paragraph --><!-- /wp:paragraph --><!-- wp:image {"id":123,"sizeSlug":"full","linkDestination":"media"} --><!-- /wp:image -->+2 more
Data Attributes
data-bwpl-optiondata-bwpl-option-value
JS Globals
bwpl_admin
FAQ

Frequently Asked Questions about Block wp-login