The WordPress WPS Hide Login plugin (500,000 active installations) fixed a vulnerability in version 1.5.4.2 and below that could allow an attacker to bypass its security and access the secret login page.