Unable to "hide the backend" using ithemes security wordpress plugin

I think this has something to do with the rewrite rules and .htaccess. I’ve always used Ithemes Security plugin on my Wordpress sites (though not with lightspeed), and specifically the “hide the backend” feature, which blocks users from visiting mysite.com/wp-login.php directly. Instead you have to use a special token in the url. I’ve activated permalinks first, and made sure that works, and then I activated the hide backend feature, but visiting wp-login.php directly still works, even after restarting lightspeed and also clearing the lightspeed cache in the wp control panel, and also clearing cookies from my browser. Any suggestions? Thank you.