Een combinatie van PHP & .htaccess om ongewenste bezoekers van je wp-login.php (zoals brute-force-bots) weg te leiden. Check http://onexa.nl/wordpress/brute-force-attacks-wp-login-php-verminderen/ voor meer uitleg hierover. (A PHP + .htaccess combination that steers unwanted visitors, such as brute-force bots, away from wp-login.php; see the linked article for details.)
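### Blocking Spammers Section ###
# Stop protected folders from being narked. Also helps with spammers.
# NOTE: Apache does not allow a trailing "# comment" on a directive line — the text after
# "#" is parsed as extra arguments ("ErrorDocument takes two arguments", "RewriteRule: bad
# flag delimiters") and the whole .htaccess fails. All comments here are on their own line.
# /401.html must exist in the document root — see http://halfelf.org/2013/wp-login-protection-htaccess/
ErrorDocument 401 /401.html
# Stop spam attack logins and comments - http://halfelf.org/2013/wp-login-protection-htaccess/
# Conditions are ANDed unless joined with [OR]: block a POST to wp-login.php / wp-comments-post.php
# when the Referer is not one of our own hosts OR the User-Agent is empty.
# Referer and User-Agent are attacker-controlled, so this only stops lazy bots; it is not a
# substitute for rate limiting or 2FA. The Referer pattern is anchored to the host part —
# the unanchored original (".*(domain1.com|domain2.nl).*", with unescaped dots) was satisfied
# by e.g. "https://evil.example/?domain1.com". Use [F] (403) instead of the redirect if you
# prefer not to bounce bots to their own address.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} (wp-comments-post|wp-login)\.php
RewriteCond %{HTTP_REFERER} !^https?://([^/]*\.)?(domain1\.com|domain2\.nl)(:[0-9]+)?(/|$) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule .* https://%{REMOTE_ADDR}/ [R=301,L]
</IfModule>
### End Blocking Spammers Section ###
# Send WordPress' /login shortcut (which normally forwards to the current wp-login.php URL)
# back to the frontpage so it does not reveal the custom login slug.
# Anchored: the original "^login/?(.*?)" also caught every path that merely started with "login".
RewriteEngine on
RewriteBase /
RewriteRule ^login(/.*)?$ https://domain.com/ [R=301,L]
# Rewriting for the custom login URL, incl. logout & lostpassword support.
# The secure= value must equal $secret_key in the plugin. It is an internal rewrite (no R flag),
# so the browser never sees the key, but anyone who can read this file (shared hosting, backups,
# version control) can reach wp-login.php directly with it — keep it private and rotate it.
# [QSA] carries the request's own query string (redirect_to, action=rp&key=..., the logout nonce)
# through to wp-login.php; without it a substitution containing "?" discards those arguments.
# $secret_login + $secret_lostpw
RewriteRule ^more-secure-login/lostpassword/?$ /wp-login.php?secure=XXXXXXXXX&action=lostpassword [NC,QSA,L]
# $secret_login
RewriteRule ^more-secure-login/?$ /wp-login.php?secure=XXXXXXXXX [NC,QSA,L]
# $secret_logout (QSA replaces the hand-appended &%{QUERY_STRING} of the original)
RewriteRule ^custom-logout/?$ /wp-login.php?secure=XXXXXXXXX [NC,QSA,L]
# -> Default WordPress .htaccess stuff should go here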
<?php
/*
Plugin Name: Redirect wp-login.php
Description: Redirect non-wanted wp-login.php visitors
Version: 1.0
Author: Onexa
Author URI: https://onexa.nl
*/
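# Slugs and key shared with the .htaccess rewrite rules above. They are read by the hooked
# functions below via `global`, so declare all four global here — the original left out
# $secret_key even though onx_redirect_login() fetches it with `global $secret_key`.
global $secret_login, $secret_lostpw, $secret_logout, $secret_key;
$secret_login  = 'more-secure-login'; # last part of the login URL: domain.com/more-secure-login
$secret_lostpw = 'lostpassword';      # appended to $secret_login: domain.com/more-secure-login/lostpassword
$secret_logout = 'custom-logout';     # logout URL slug: domain.com/custom-logout
# Must equal the secure= value in the RewriteRules. Use a long random string (e.g. from
# `openssl rand -hex 16`); it is a shared secret, not a password, and can be brute-forced if short.
$secret_key = 'XXXXXXXXX';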
/**
* Making sure the wp-login.php is requested with the secure key attached to it
*
* @since 1.0
* @author Hiranthi Herlaar
*/
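/**
 * Bounce every wp-login.php request that does not carry the correct secure key.
 *
 * Hooked to `login_init`, which wp-login.php fires before it handles the requested
 * action (login POST, logout, lostpassword, rp, ...). The original `login_head` hook
 * only fires while the login form is rendered, i.e. after a POSTed login attempt has
 * already been processed, so it did not stop brute-force POSTs at all.
 *
 * The key arrives in the query string that the .htaccess internal rewrite adds, so the
 * browser never sees it. This is obscurity, not authentication: whoever learns the key
 * or the rewritten slug can still hammer wp-login.php. Pair it with rate limiting / 2FA.
 *
 * @since 1.0
 * @author Hiranthi Herlaar
 */
function onx_redirect_login()
{
	global $secret_key;
	$given = isset( $_GET['secure'] ) ? $_GET['secure'] : '';
	// The original test was `!isset($_GET['secure']) && $_GET['secure'] != $secret_key`:
	// with the key present but WRONG the first operand is false and the redirect was
	// skipped, so ?secure=anything bypassed the check. Missing, non-string (secure[]=...)
	// and wrong values must all be rejected; hash_equals() is strict and constant-time.
	if ( ! is_string( $given ) || ! hash_equals( (string) $secret_key, $given ) )
	{
		wp_redirect( get_option( 'home' ) );
		exit;
	}
} // end onx_redirect_login
add_action( 'login_init', 'onx_redirect_login' );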
/**
* Filtering the wp-login URL, to make sure the correct URL is given in mails (new registered users, password forgotten)
*
* @since 1.0
* @author Hiranthi Herlaar
*
* @var string $url - contains the login URL (required)
* @var string $redirect - the URL to redirect to after login (not required)
*/
/**
 * Swap wp-login.php for the custom login slug in every login URL WordPress builds
 * (wp_login_url(), links in new-user and lost-password mails).
 *
 * @since 1.0
 * @author Hiranthi Herlaar
 *
 * @param string $url      Login URL computed by WordPress (discarded, rebuilt from the home URL).
 * @param string $redirect Optional URL to return to after logging in.
 * @return string
 */
function onx_login_url( $url, $redirect = '' )
{
	global $secret_login;
	$custom_login = trailingslashit( get_option( 'home' ) ) . $secret_login;
	if ( empty( $redirect ) ) {
		return $custom_login;
	}
	// urlencode() before add_query_arg() mirrors what core's wp_login_url() does for redirect_to
	return add_query_arg( 'redirect_to', urlencode( $redirect ), $custom_login );
} // end onx_login_url
add_filter( 'login_url', 'onx_login_url', 999, 2 );
/**
* Filtering the site_url() and get_site_url() URLs if they contain wp-login.php (ie the form action URL on the login page)
*
* @since 1.0
* @author Hiranthi Herlaar
*
* @var string $url - contains the URL (required)
*/
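/**
 * Rewrite any site_url() / get_site_url() result that points at wp-login.php (e.g. the
 * login form's action attribute) to the custom login slug.
 *
 * Unlike the original, the query string is preserved: site_url('wp-login.php?action=lostpassword')
 * and the password-reset link (wp-login.php?action=rp&key=...&login=...) otherwise lost their
 * arguments and landed on the plain login form. The rewrite rule for the slug has to pass the
 * query string through (QSA) for this to reach wp-login.php. Whether multisite links route
 * through this filter is not verified here.
 *
 * @since 1.0
 * @author Hiranthi Herlaar
 *
 * @param string $url URL produced by site_url().
 * @return string The custom login URL (plus the original query string) or $url unchanged.
 */
function onx_login_action_url( $url )
{
	if ( false === strpos( $url, 'wp-login.php' ) )
	{
		// not a wp-login.php URL: hand it back untouched
		return $url;
	}
	global $secret_login;
	$custom = trailingslashit( get_bloginfo( 'wpurl' ) ) . $secret_login;
	$query  = (string) parse_url( $url, PHP_URL_QUERY );
	if ( '' !== $query )
	{
		$custom .= '?' . $query;
	}
	return $custom;
} // end onx_login_action_url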
add_filter( 'site_url', 'onx_login_action_url', 999 );
/**
 * Build the logout URL on the custom logout slug so every logout link WordPress emits
 * (wp_logout_url(), e.g. the admin bar) avoids wp-login.php.
 *
 * @since 1.0
 * @author Hiranthi Herlaar
 *
 * @param string $url      Logout URL computed by WordPress (discarded, rebuilt from the home URL).
 * @param string $redirect Optional URL to return to after logging out.
 * @return string Nonce-protected logout URL.
 */
function onx_logout_url( $url, $redirect = '' )
{
	global $secret_logout;
	$query = array( 'action' => 'logout' );
	if ( ! empty( $redirect ) ) {
		$query['redirect_to'] = urlencode( $redirect );
	}
	$base = trailingslashit( get_option( 'home' ) ) . $secret_logout;
	// the 'log-out' nonce is what wp-login.php verifies before logging the user out
	return wp_nonce_url( add_query_arg( $query, $base ), 'log-out' );
} // end onx_logout_url
add_filter( 'logout_url', 'onx_logout_url', 999, 2 );
/**
* Filtering the lost password URL
*
* @since 1.0
* @author Hiranthi Herlaar
*
* @var string $url - contains the lost password URL (required)
* @var string $redirect - the URL to redirect to (not required)
*/
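/**
 * Build the lost-password URL on the custom slug (home/$secret_login/$secret_lostpw).
 *
 * @since 1.0
 * @author Hiranthi Herlaar
 *
 * @param string $url      Lost-password URL computed by WordPress (discarded, rebuilt from the home URL).
 * @param string $redirect Optional URL to redirect to afterwards.
 * @return string
 */
function onx_lostpassword_url( $url, $redirect = '' )
{
	global $secret_login, $secret_lostpw;
	$args = array( 'action' => 'lostpassword' );
	if ( ! empty( $redirect ) ) {
		$args['redirect_to'] = urlencode( $redirect );
	}
	$lost_url = trailingslashit( get_option( 'home' ) ) . trailingslashit( $secret_login ) . $secret_lostpw;
	// Bug fix: the original passed an undefined $logout_url to add_query_arg(), which then
	// falls back to the current request URI, so the "lost password" link pointed at
	// whatever page was being rendered instead of the lost-password slug.
	return add_query_arg( $args, $lost_url );
} // end onx_lostpassword_url
add_filter( 'lostpassword_url', 'onx_lostpassword_url', 999, 2 );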