I haven't had much success tackling that issue with watchlists as you have described.
If you're not paranoid about missing matches (on new events) you could try populating a dynamic watchlist type of "ESM Strings" that updates every couple of minutes. Your search string would simply be "wp-login". When you select "Run Now" to populate the initial watchlist you will likely retrieve all of the values to match against since it's pulling strings from events that ESM has in memory.
An alternate approach is to modify the parser to match the URI before the ? and then match the URI after the ? and store those in two different fields (custom fields of type string named 'base' and 'uri'). For example:
When the data is parsed like this your watchlist of 'wp-login.php' should work as you expect it to within your correlation rule.
Hope this is helpful!
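The field split suggested in the answer above, sketched in Python as an added example (not part of the original thread and not ESM parser syntax). It assumes the watchlist compares whole field values, that 'base' holds the lower-cased last path segment and 'uri' the query string; the request URIs are constructed samples.

```python
import re

# Exact-match watchlist, using the value named in the thread.
WATCHLIST = {"wp-login.php"}

# Split a request URI at the first '?': the part before it is the path,
# the part after it is the query string (which may be absent).
URI_RE = re.compile(r"^(?P<path>[^?#]*)(?:\?(?P<query>[^#]*))?")

def split_uri(raw):
    """Return (base, uri) for the two custom string fields.

    Assumption: 'base' is the last path segment, lower-cased, so that it can
    equal a watchlist value such as 'wp-login.php'; 'uri' is the query string.
    """
    m = URI_RE.match(raw)
    path = m.group("path")
    query = m.group("query") or ""
    base = path.rsplit("/", 1)[-1].lower()
    return base, query

def watchlist_hit(value):
    """Whole-value comparison only, no substring matching (assumed semantics)."""
    return value in WATCHLIST

# Constructed sample request URIs, not taken from real logs.
SAMPLES = [
    "/wp-login.php",
    "/wp-login.php?action=register",
    "/blog/wp-login.php?redirect_to=%2Fwp-admin%2F&reauth=1",
    "/index.php?page=wp-login.php",   # string appears only in the query
    "/WP-LOGIN.PHP?a=1?b=2",          # mixed case and a second '?'
]

def compare(samples):
    """For each sample: (hit on the raw URI, hit on the parsed 'base' field)."""
    return [(watchlist_hit(s), watchlist_hit(split_uri(s)[0])) for s in samples]

if __name__ == "__main__":
    for s, (raw_hit, base_hit) in zip(SAMPLES, compare(SAMPLES)):
        print(f"{s!r:60} raw={raw_hit!s:5} base={base_hit}")
```

The raw URI never equals the watchlist value, while the parsed 'base' field does, and a request that only mentions the string in its query is not flagged.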
Great idea on the additional parsing option, will try that out this week.
I've played around with the dynamic watchlist, but it doesn't work for all fields; it works in this example, but not for subject lines within email events.
It would be great if you could use a watchlist combined with a contain within a correlation rule.