WordPress has hooks so you don’t need to actually remove wp-login.php. login_head
fires before any HTML is rendered for the login form, and wp_logout
fires after the login session has been destroyed. You can put this code in a custom plugin or in your theme’s functions.php
file to let logout requests continue working but block everything else.
// Allow logout actions but redirect to the home page for all other wp-login.php requests
add_action( 'login_head', 'redirect_home_on_login_form' );
function redirect_home_on_login_form() {
if ( ! isset( $_REQUEST['action'] ) || 'logout' !== $_REQUEST['action'] ) {
wp_redirect( home_url( "https://wordpress.stackexchange.com/" ) );
exit();
}
}
// wp_logout fires after the user's login cookies have been removed
add_action( 'wp_logout', 'redirect_home_on_logout' );
function redirect_home_on_logout() {
wp_redirect( home_url( "https://wordpress.stackexchange.com/" ) );
exit();
}