This repository has been archived by the owner on Jan 20, 2021. It is now read-only.

Found a way that hackers are able to figure out the "hidden" login folder url! :( #42

Open
eturner69 opened this issue Dec 1, 2017 · 4 comments

Comments

@eturner69

If you are allowing people to register on your site (for instance, you are using WooCommerce to sell things), then all someone has to do is use this, and it then shows the 'hidden' folder name in the URL!
http://yoursite.com/wp-register.php

I noticed some hacking activity, which Wordfence blocked, as someone was hammering at the 'hidden' login. After looking at their activity history, it was quite obvious this is how they figured it out.

Not sure how to go about getting this fixed?

@Presskopp

See also #27

@maximejobin
Collaborator

This could be enhanced to make the URL harder to find.

@elgaspar

elgaspar commented Apr 10, 2020

The http://example.com/wp-register.php page of WordPress is auto-redirecting to http://example.com/login. By changing the slug from 'login' to something else, it doesn't redirect to the login page.
Obviously, this is not a proper fix, but it can work for some people that don't necessarily need the 'login' slug for the login page.

#35

@stanwmusic

I can confirm: http://oneofmywebsites/wp-register.php just took me to the login page and I logged in, and I have registration disabled on that site and "login" renamed to a different name.
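
A log check for the pattern reported in this thread, as an added example that is not part of the issue or the plugin's code: it flags clients that requested `wp-register.php`, received a redirect, and afterwards hit the renamed login path. The slug `my-hidden-login`, the combined access log format and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in combined log format (not taken from the issue).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Dec/2017:10:00:01 +0000] "GET /wp-register.php HTTP/1.1" 302 0 "-" "curl/7.55"
203.0.113.7 - - [01/Dec/2017:10:00:02 +0000] "GET /my-hidden-login/?action=register HTTP/1.1" 200 2310 "-" "curl/7.55"
203.0.113.7 - - [01/Dec/2017:10:00:05 +0000] "POST /my-hidden-login/ HTTP/1.1" 200 2401 "-" "curl/7.55"
203.0.113.7 - - [01/Dec/2017:10:00:06 +0000] "POST /my-hidden-login/ HTTP/1.1" 200 2401 "-" "curl/7.55"
198.51.100.4 - - [01/Dec/2017:10:01:00 +0000] "GET /my-hidden-login/ HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
198.51.100.4 - - [01/Dec/2017:10:01:09 +0000] "POST /my-hidden-login/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [01/Dec/2017:10:02:00 +0000] "GET /wp-register.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# client IP, method, request target, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def find_slug_discovery(log_text, hidden_slug):
    """Return {ip: hits} for clients that reached the hidden login slug
    after being redirected from /wp-register.php.

    hidden_slug is the site's renamed login path (hypothetical value here).
    Log lines are assumed to be in chronological order.
    """
    prefix = "/" + hidden_slug.strip("/")
    probed = set()           # IPs that got a 3xx from /wp-register.php
    hits = defaultdict(int)  # later requests to the hidden slug, per IP
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, _method, target, status = m.groups()
        path = target.split("?", 1)[0].rstrip("/")
        if path == "/wp-register.php" and status.startswith("3"):
            probed.add(ip)
        elif ip in probed and (path == prefix or path.startswith(prefix + "/")):
            hits[ip] += 1
    return dict(hits)


if __name__ == "__main__":
    for ip, count in find_slug_discovery(SAMPLE_LOG, "my-hidden-login").items():
        print(f"{ip}: {count} request(s) to hidden login after wp-register.php redirect")
```

A client that already knew the slug (the second IP in the sample) or that probed but never followed up (the third) is not flagged, which keeps the result focused on the discovery path described above.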
