I've hidden the login page, but hackers are still finding it

I’m not entirely sure of the cause here, but please read this:
https://icontrolwp.freshdesk.com/solution/articles/3000046573-wordfence

This is using multiple plugins that affect the same WordPress subsystem.

Just to further add to this, we use our automatic black list system to handle this scenario anyway as failed login attempts for whatever reason, trigger a transgression.
https://www.icontrolwp.com/blog/wordpress-security-plugin-update-automatically-block-malicious-visitors/

Thanks, that’s helpful.

If the hacker got the correct login/password details, posting in this way to wp-login.php even though the login page has moved, would they successfully log in?

(I don’t want to assume.)

They wouldn’t be successful because our plugin will detect that it’s a login to the wrong URL and ultimately return it a 404.

They wouldn’t be successful because our plugin will detect that it’s a login to the wrong URL and ultimately return it a 404.

Great. And if they navigated away from the 404, to wp-admin, would they be in a logged-in state?

Sorry for the persistent questions. I’m a firm believer not only in doing security thoroughly, but also in Murphy’s Law :-).