Unicorn Secure URL

Unicorn Secure URL

What does plugin do?

Unicorn Secure URL is a lightweight WordPress security plugin that hardens the login page against brute-force attacks and bots by letting site owners replace the default login path with a custom, hard-to-guess URL.

Core functionality:

  1. Custom login URL – Site admins choose their own login slug (e.g. yoursite.com/my-secret-login) from Settings → Secure URL, with a live preview as they type.
  2. Hides the default login path – Direct requests to wp-login.php or /wp-admin/ (while logged out) return a standard 404 page instead of the login form, so automated attacks can’t even confirm a login page exists.
  3. Password-eye toggle removal (optional) – Hides the password-visibility “eye” icon on the login form to reduce the risk of accidental password exposure (e.g., shoulder-surfing).
  4. Safe fallback / no lock-out risk – Core WordPress emails (password reset, activation links, etc.) are automatically rewritten to use the new login URL, so users are never sent a broken link.
  5. Multisite support – The custom login slug can be applied network-wide or per individual site.
  6. Forbidden-slug validation – Prevents admins from accidentally choosing a slug that collides with WordPress’s own reserved query variables.

Why it’s useful: obscuring the standard login path is a well-established, low-overhead first layer of defense against credential-stuffing and brute-force bots that specifically target /wp-login.php and /wp-admin/.