Defender Gets Fierce New Security Features (Login Masking and Forced Two-factor)

Defender is flexing some serious muscle when it comes to protecting WordPress. His layered security toolkit, automated scans and alert notifications are best in class. Plus, with 9.5+ million events (that can’t be modified or deleted by hackers) being logged per day, Defender’s Audit Logging is a one-of-a-kind power feature serious WordPress users can’t live without.

Tens of thousands of sites now depend on Defender as the total security solution, and today we’re excited to announce it now comes packed with forced two-factor verification, login screen masking and a bunch more – 100% free and available now on (and for our Pro users via the Hub)!

Not to mention the special bonus white label feature we tucked in there just for our members.

So let’s pop the top and look at what’s new in Defender 1.8 security, monitoring, and hack protection for WordPress.

Defender Forced Two-Factor Verification

In 1.7 we added Defender’s smash hit two-factor verification. Our users absolutely love his simple integration with Google’s two-factor tool. But when Google announced that over 90% of Gmail users don’t use this simple added layer of security we thought, “there must be a better way!”

Now you can set Defender to enforce the use of two-factor authentication.

Introducing: Forced Two-Factor Verification for WordPress! Defender now comes with the ability to require two-factor verification by user role. We made it *super* easy for you to force users with access to the backend of your site to use this effective security feature. No more *hoping* your staff, team members, writers, editors or subscribes are following best practices. Set Defender to enforce it!

Login Screen Masking

Screen masking is a favorite among security experts. By moving your login screen off the wp-login URL, bots have a much harder time deploying a bruteforce attack. Defender now lets you create a custom login screen extension and moves access to the backend of your site to a unique location.

Mask your login screen for an added layer of security.

This is not only great for security, it also gives you the opportunity to reinforce your brand by giving your site (client sites) a special welcome screen URL.

Pro Member Bonus Feature

Say “Goodbye” to the Defender icon on the two-factor verification screen! Not everyone is as enamored with Defender’s big muscles as we are. ;) So we’ve made it easy to replace the iconic masked security mogul with your custom branding.

Now Defender Pro users can easily add a custom two-factor icon.

Pair this with our Ultimate Branding plugin and you can easily customize and rebrand the entire WordPress login and admin dashboard.

Smart Security For WordPress

You don’t have to be a security expert to give your WordPress site full-scale protection. Defender provides the tools you need for quickly setting up an effective layered security plan. Download Defender for free on to protect your site.

Are you a WordPress power-user who needs more? Try Defender Pro’s hack protected Audit logs, additional scans and automated reporting free for 30-days and get full access to our complete suite of security, performance, SEO and site management tools.

No need to wait. Get started with Defender security!

Can you pinpoint a specific security measure that saved your site from being hacked? What security measures do you take when setting up a new site?

21 Responses

  • The Incredible Code Injector


    Thanks for the updated Defender and this article, but as usual, I don’t really know what is being discussed.


    On my sites, I am the sole administrator and, as far as I know, the only person with access to my back-end.

    • Why would I need Two-Factor Verification?
    • What exactly does it do?
    • Who would it affect?
    • Would I have to have a smartphone to log into the back-end of my blogs?
    • Would a subscriber have to have a smartphone simply to read my blogs?


    You wrote, “By moving your login screen off the wp-login URL, bots have a much harder time deploying a bruteforce attack. Defender now lets you create a custom login screen extension and moves access to the backend of your site to a unique location.”

    • What does that mean?
    • Who does it affect?
    • Me?
    • Subscribers?

    Thanks in advance!


    • Author

      Hi Neil!

      Thanks for reading. Sorry to confuse you! This post is more of an announcement about new features than a tutorial. Both two-factor and login masking do not effect vistors/readers. These are security features.

      Forced Two-factor verification is important if you have multiple people working on your blog. If you set up Google Two-factor Verification it requires you to enter a verification code when you are logging on to your site. Your account would require both your password and a fresh verification code that is being changed every 30 seconds. You can use the phone app or have a code sent to your email. This feature is to prevent unauthorized users from logging on to your account…even if they have your username and password they would also need access to your connected device or email account. If you ever add a contributor or partner to your website, the Forced Two-Factor option would “force” them to use two-factor login feature.

      Login Masking moves your login screen off of the default WordPress login URL. If you normally type to login to your site, Login Masking will let you move it to or anything else you want to make it. This can help confuse hacking bots that are looking for WordPress sites to crack. Because so many sites on the web use WordPress, it is an easy target. By moving the login screen you are adding another layer of security.

      I hope that helps explain a bit of the “why” and “who” these features impact. Defender is all about securing and protecting your site. If you need support or have any further questions about Defender our support team is here to help. :)

  • Site Builder, Child of Zeus

    Always glad to see improvements being made.

    I’ve tried two-factor logins before and found it to be annoying to have to have my phone with me everytime I go to login. Sometimes I will login to a site several times in an hour, making changes. So, a nice feature to have available, but not something I will use. Great for security, annoying for the user.

    I used another plugin years ago to mask login. Nice concept. I used it on a site I rarely visit and would always forget what the login page was. I basically, locked myself out of my own site. Luckily, I had it written down somewhere. I changed it back to wp-admin.

    I’ve read on more than one blog that login masking provides minimal if any, security. I guess if you are concerned, it may provide a deterrent to nooby hackers.

    Even if I do not use these new enhancements, it is nice to see new features added.

  • New Recruit

    Nice updates. Was happy to see the login masking. Although it’s only one a minor technique in a layered approach it will significantly reduce the number of bot related brute Force login attempts. Many hackers just won’t take the time to find the login URL to point the scripts.

    The biggest gain I’ve made in security was implementing Google OAuth login and completely bypassing the WP login. Of course this requires the organization uses G Suite but all my clients do. When they go to login they are redirected to the Google login and the WP login prompt is never seen. That along with immediate lockouts for “admin” “administrator” and domain name login attempts immediately dropped the number of invalid login attempts from hundreds per day to virtually none.

    Now I don’t worry about who’s knocking at the door.

  • The Bug Hunter

    Nice to see good developments, although some developments are already done by great companies who are developing their security plugin with Multisite owners in mind too.
    I chose Wordfence long before WPMUDEV introduced Defender and I see no real added value compared to a security plugin developed for an affordable price by the first-class company like Wordfence.
    Personally, I will never disable Wordfence, all security measurements are taken care off. And they have a very fast responsive support too. In that way, I would suggest, just like WPMUDEV overinvested in the Upfront theme, don’t overinvest on the security plugin. Competitors are just far ahead.
    For other multisite plugins, WPMUDEV is my go-to place. So I hope those unique (affordable) plugins will get the needed upgrades the community is looking for.

Comments are closed.