According to the 6.3.0 Changelog:
Important: The way that Hide Backend functions changes in this release. Previously, if your Hide Backend Login Slug was wplogin, going to example.com/wplogin would result in the URL remaining example.com/wplogin. The new implementation of this feature results in a redirect to a URL that looks as follows: example.com/wp-login.php?itsec-hb-token=wplogin. While this may not be desireable for some users, this change was necessary to fix longstanding compatibility issues with other plugins. Once you access the login page using the Login Slug page, a cookie is set with an expiration time of one hour. As long as the cookie remains, you can access example.com/wp-login.php without having to access the Hide Backend Login Slug first. If you wish to confirm that Hide Backend is working properly on your site, opening up a private browsing window is a quick way to test without having to log out and clear cookies.
Maybe update that settings page? It would still says example.com/wplogin, which is incorrect, right?
Shouldn’t it say: example.com/wp-login.php?itsec-hb-token=wplogin ?
Shouldn’t it say: example.com/wp-login.php?itsec-hb-token=wplogin ?
No. The new login slug (which is the easy one to remember) will automatically redirect to the mentioned far more complicated url.
So there is no need to know the complicated url.
The above is just my opinion and not iThemes.
I don’t get a redirect. I have to use the long one, e.g. example.com/wp-login.php?itsec-hb-token=wplogin for me to login.
Are there special assumptions or a context in which this redirect works?
Have a look at the relevant Hide Backend code.
Follow the program flow of the init hook as set in the run() class method in the core/modules/hide-backend/class-itsec-hide-backend.php file.
