Wordfence is another WordPress security plugin with a focus on site scans and file integrity.


Be warned: Using multiple WordPress security plugins may have unpredictable results.


You must understand that 1 WordPress plugin doesn't have inherent understanding of what another plugin does.  So when 1 feature from 1 plugin doesn't seem to work well with another related feature of another plugin, this is perfectly normal.


Known Compatibility Issues

The following are known issues and confusing scenarios you may get when using certain Wordfence features.


1) When I rename the WordPress login page, Wordfence still sends me alerts about blocking IP addresses for login attempts with invalid usernames. How are they "finding" my login page when I've hidden it?


The assumption here is that they found your login page because you got a notification. This is wrong.  They simply tried to log into your standard wp-login.php, which Wordfence is designed to detect. And it did.


Everything is working normally here. You received an email from Wordfence, but this doesn't mean the attempted WordPress login was processed normally.  It only means that Wordfence sent you the email and blocked the IP address.


Think of the Wordfence options as instead of saying:

"Immediately lock out invalid usernames"

it says:

"Immediately lock out invalid usernames when they're posted to the wp-login.php page, regardless of whether I've renamed the real login page"