IMPLEMENTED: Improve custom auth security

When using a custom login page and redirecting the default one to 404, the latter can still be accessed via wp-login.php?action=login, which defeats the purpose of this security mechanism. Same goes for wp-login.php?action=lostpassword.

Another issue is that the custom login form lets an attacker know if a certain username/email exists on the website. This should be improved by displaying a more generic error message like “Wrong username or password”. Also, the lost password link should be removed from the error message.

On the other hand, the custom lost password form works well. You can set a generic success message like “If the email exists, you will receive a link for resetting your password”, which is displayed after each submission, whether the email exists or not.

I am aware that this is a WordPress problem, but it would be great if Bricks could address it.


Hey @aljazbz,

Thank you for bringing this to our attention! I was able to replicate it and have added it to our internal bug tracker.


Hi @aljazbz ,

We’ve implemented this in Bricks 1.12 BETA, now available as a manual download (Bricks – Account)

Please let us know if you are still experiencing issues.

You can see the full changelog here: Bricks 1.12 Changelog – Bricks

As with any beta release, please do not use it on a production/live website. It is only meant for testing in a local or staging environment.

Best regards,
Matej

@Matej just tested this and it works great! It now fixes the age-old WP security problem by not letting one know whether a certain username/email exists on the site, which is awesome!

However, a random value for the action parameter still opens the default login page, e.g. wp-login.php?action=foobar. If this can be fixed as well, this will be a rock-solid WP auth security solution.
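The two behaviours raised in this thread (the first post's wp-login.php?action=login / action=lostpassword bypass and username-revealing error messages, and the last post's wp-login.php?action=foobar bypass) both come from hooking specific actions. WordPress only dispatches known values of `action` to `login_form_{$action}` hooks and falls back to the login form for anything else, so a per-action hook never sees `foobar`. The `login_init` action, by contrast, fires at the top of wp-login.php for every request before the action is dispatched. The mu-plugin below is an added example written for this thread; it is not Bricks' code or WordPress core. It assumes the site's custom login form authenticates through `wp_signon()` (or similar) and does not POST to wp-login.php, and the `HWL_ALLOWED_ACTIONS` list and `hwl_` names are hypothetical and must be tuned per site (for instance, `rp`/`resetpass` are needed only if password-reset e-mails still link to wp-login.php).

```php
<?php
/**
 * Plugin Name: Hide wp-login.php (example mu-plugin)
 * Description: Serves a 404 for wp-login.php for every ?action value except an
 *              explicit allowlist, and collapses username-revealing login errors
 *              into one generic message.
 *
 * Example code written for this forum thread, not part of Bricks or WordPress.
 * Copy into wp-content/mu-plugins/ on a staging site to try it.
 */

// Actions that must keep working through wp-login.php even when the form is hidden.
// Hypothetical site-specific list: 'logout' is used by wp_logout_url(), 'postpass'
// by password-protected posts, 'rp'/'resetpass' by core password-reset links.
const HWL_ALLOWED_ACTIONS = array( 'logout', 'postpass', 'rp', 'resetpass' );

/**
 * Policy decision for a wp-login.php request, kept as a pure function so it can
 * be reasoned about (and unit-tested) without loading WordPress.
 *
 * @param string $action    Value of the ?action parameter ('' when absent).
 * @param bool   $logged_in Whether the request carries a valid auth cookie.
 * @return bool  True when wp-login.php may proceed, false for a 404.
 */
function hwl_is_login_request_allowed( $action, $logged_in ) {
    if ( $logged_in ) {
        return true; // An already-authenticated user learns nothing new here.
    }
    // Allowlist, not denylist: 'login', 'lostpassword', 'register' and any
    // unknown value such as 'foobar' all fall through to the 404.
    return in_array( $action, HWL_ALLOWED_ACTIONS, true );
}

/**
 * login_init fires for every wp-login.php request, whatever ?action says, so a
 * single hook here covers ?action=login, ?action=lostpassword and ?action=foobar.
 */
add_action( 'login_init', function () {
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '';
    if ( hwl_is_login_request_allowed( $action, is_user_logged_in() ) ) {
        return;
    }
    nocache_headers();
    wp_die( 'Not found.', 'Not found', array( 'response' => 404 ) );
}, 1 );

/**
 * Replace authentication errors that distinguish "no such user" from "wrong
 * password" with one generic error. Priority 100 runs after core's username,
 * e-mail and cookie handlers (priorities 20 and 30), and because this is the
 * 'authenticate' filter it also covers custom forms that call wp_signon().
 * Core's incorrect_password message carries the "Lost your password?" link,
 * so replacing the WP_Error drops that link as well.
 */
add_filter( 'authenticate', function ( $user ) {
    if ( ! is_wp_error( $user ) ) {
        return $user;
    }
    $leaky = array( 'invalid_username', 'invalid_email', 'incorrect_password', 'invalidcombo' );
    foreach ( $user->get_error_codes() as $code ) {
        if ( in_array( $code, $leaky, true ) ) {
            return new WP_Error( 'login_failed', 'Wrong username or password.' );
        }
    }
    return $user; // Keep empty-field errors and plugin-specific errors untouched.
}, 100 );
```

Two caveats a practitioner should check before shipping this: if the custom form is rendered with `wp_login_form()` it POSTs to wp-login.php and would be blocked too, so either exempt POST requests carrying the form's nonce or have the form call `wp_signon()` itself; and the generic message hides which account was targeted, so pair it with rate limiting or lockout, because the response time of a bcrypt/phpass check on an existing user versus a missing one can still leak existence to a patient attacker.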