Yes, that is necessary to use some countermeasure against hackers (trying brute force attacks).
For every user is unique url to login. So the user can login only if he tries to login from the unique url associated only with the user.
For example website login form is in file login.php
1) user enters business name
2) the business name is recorded in mysql
3) the business name from mysql is placed at the end of url, like login.php?businessname. This is the url for particular user to login
4) when any of users type url like login.php?xyz(1,2,3 etc) login form is displayed (echo).
5)in that login form user types username and password.
6) get/create php variable that contains url after ? sign
7) compare if such variable exists in mysql and match username
8)if not exist, error message; if exists, check if password is correct
By the way would like to know thoughts how effective is such solution. Here is example [secure.freshbooks.com
And by the way... question. Is it possible to create whitelist of bots that are allowed to see website? So if bot is not in the whitelist, it sees something blank (does not see input form code).