WordPress.org

Ready to get started?Download WordPress

Ideas

Login, Register, White-Label

  1. Cr7Pramana
    Member

    12345

    WordPress always make a new releases of version but still all their version use initiation WP in all of their cores, like login or register example: WP-Login, wp-login.php?action=register. Why don't wordpress change it permanently to just login.php and register.php on the next update for professional and security reasons. and on the login page admin able to change the logos, header and footer, and the column registration of course.

    And also the white-label or label that is the top of screen, why don't just remove it so the user can't access the back-end ?

    that just my ideas, and it would be great if you WordPress team make this idea comes true

    Thank You!

    Posted: 4 months ago #
  2. Ipstenu (Mika Epstein)
    Half-Elf Support Rogue & Mod

    At this time, there are no plans to rename the login pages. Also check out http://codex.wordpress.org/Hardening_WordPress#Security_through_obscurity as to why we don't rename them on the play.

    You can use plugins to customize the login page.

    Posted: 4 months ago #
  3. Cr7Pramana
    Member

    12345

    @Ipstenu,

    maybe someday WP Team would have a plans to rename the login pages,

    Plugins that made by users here are help too but to much plugin is also not good.

    Posted: 4 months ago #
  4. SiteDesignUSA
    Member

    A built in method to change default wp-(admin|login|content |etc).* i.e. "entry paths" would be nice.

    So at least wordpress users don't have HUGE, easy to identify targets. Point, everyone knows that wp-login.php is wordpress. Once attacker gets a 304 response, it's off to the races.

    Your point, Mr. Epstein, (in this link: http://wordpress.org/ideas/topic/let-users-choose-name-of-wp-loginphp-to-prevent-bot-based-password-attacks#post-26351) is missing the point. An attacker can smell the 404 and move on or try, as you say to continue to probe. But, then, they will not know if target site is WordPress or not. Will they.

    If attacker gets the 304 or 200 they have a WordPress site they can ply their trade against. Endless hits.

    If they (names of entry paths) would be distributed (customizable by end user) they would be less profitable to bad guys.

    As it stands now, wordpress users are, proverbially, the side of a barn that can't be missed.

    I drive a truck in the USA for my REAL living (It finances my blogging habit ;) ) and we call the State Police a nickname. Bears. We truckers have a saying, "Don't feed the bears!" In other words don't do stuff that is going to get you pulled over and given a "Safety Certificate" (ticket and fine).

    Personally, I understand that it's free software. The wp is branding. That's the reason. You can deny it but there it is. But you are just feeding the Bears and I wish the WordPress Team would help us out here.

    I run nginx and have followed every hardening tip out there, but with nginx some of rename plugins don't work well. Be neat to just have some access to functions to just rename the target pages that work at core. If there are some, let me know!

    Posted: 3 weeks ago #
  5. Ipstenu (Mika Epstein)
    Half-Elf Support Rogue & Mod

    It's Ms. Epstein, if we're going down that road.

    An attacker can smell the 404 and move on or try, as you say to continue to probe. But, then, they will not know if target site is WordPress or not. Will they.

    Yes, they will. It's trivial to scrape/scan/probe and determine if it's WP. I work for a webhost, trust me on this one, it's not hard at all.

    Posted: 3 weeks ago #

RSS feed for this topic

Reply

You must log in to post.

  • Rating

    12345
    1 Vote
  • Status

    Sorry, not right now