WordPress.org

Ready to get started?Download WordPress

Forums

iThemes Security (formerly Better WP Security)
[closed] Hide Backend not working for multisite (10 posts)

  1. fchang
    Member
    Posted 10 months ago #

    Hmm... installed BWPS and turned on hide backend with new url slug. Now I cannot access my site at all with new or old urls. I only got one test node setup in the network right now. Thoughts?

    http://wordpress.org/extend/plugins/better-wp-security/

  2. Handoko
    Member
    Posted 9 months ago #

    Weird. I have tested this plugin on multisite environment several times. Never have such problem.

    Do you need help for login to your website? If yes, you need to provide me your website URL.

  3. fchang
    Member
    Posted 9 months ago #

    Hi Handoko,

    I've reinstalled the multisite and BWPS. The hide backend seems to work for the main site now, however, I always get a 'page not found' error when trying to access the subsite's login page.

    url: teachers[dot]northleaschool[dot]ca

    hidebackend test url: login123, register123 and admin123

    works for the main site, but subsite teachers[dot]northleaschool[dot]ca/frank/admin123

    always give you a 'page not found'. As a matter of fact, I cannot use any url (including wp-admin) to get to the subsite login page.

  4. Handoko
    Member
    Posted 9 months ago #

    I do not 'play' too much with the multisite environment. Maybe someone can help enlighten us. But these are what I know:

    - Normally, WordPress users use example.com/wp-login.php to login.

    - On multisite environment, users also use example.com/wp-login.php to login into the main site.

    - On multisite environment, if you want to login to your subsites you also use the same login: example.com/wp-login.php.

    - So what is the difference to make the login to go to main or subsite? The Username you provide when login. If the user is a Super Admin then after login, he/she can access all the main and subsites. But if the user is only a 'ordinary' admin, he/she can access only the subsite that is associated with him/her.

    So, if you now can login to your main site, it means the problem solve. I hope you understand what I mean.

    About the 'wp-admin' you mentioned, don't use it because it is not a normal login url.

  5. ap.koponen
    Member
    Posted 9 months ago #

    Hi,

    i am experiencing the same problem.

    Handoko, the case is not just as you describe. Many use multisite installations with e.g. multiple different domains, where the subsites have been domain mapped to a different domain than the mainsite. In these cases, the users use the examplesubsite.com/wp-login.php to login. Often, they might not even know, that their website is running on a multisite installation and that's why logging through the mainsite is not an option.

    Even with just one domain, users often use the example.com/subsite/wp-login.php (or subsite.example.com/wp-login.php) to login.

    So in order to work correctly, the hide backend url rewrite should direct the example.com/subsite/administartion-slug to example.com/subsite/wp-login.php, not to the main site login.

  6. Handoko
    Member
    Posted 9 months ago #

    @ap.koponen:

    Thanks for the explanation. Now, I understand why the logging through the mainsite is not an option.

    It seems this hide backend feature will need to have some reworks for making it fully compatible with multisite environment. So, it's not a bug but it should be considered as feature request or suggestion.

    But I'm afraid the author of this plugin doesn't monitor this forum too often, you may need to post your suggestion on this thread:
    http://wordpress.org/support/topic/suggestions-and-bwps-40

  7. gresakg
    Member
    Posted 2 months ago #

    I have the same problem and I have been investigating it.

    This is how the hide feature works.
    1. Your secret custom login/admin url just redirects to the normal wp-login.php with a secret string appended.
    2. If anyone tries to connect to wp-login.php without the secret string, wp-login.php pretends not to exist and redirects to a 404 page.

    I discovered that this problem occours because the secret string is not appended to the url in the action attribute of the form html tag. The result is that the form is posted to the url without the secret string and the result is a redirection to a 404 page.

    This happens only when trying to connect to mapped subdomains. Login to main network domain works perfectly.

    Any suggestions on where to look for solutions are welcome.

  8. Handoko
    Member
    Posted 2 months ago #

    Interesting investigation. Thanks gresakg.

    Now I'm using All In One Security & Firewall. I personally think they both are good plugins, but there are things I like in All In One Security & Firewall:
    - Rename login page (so far works without any issue)
    - Brute force protection
    - Allow Unlock Requests (after the IP is blocked to login)
    - Login IP whitelisting

    Both plugins have feature to let user to change/hide login url. But I never tried All In One Security & Firewall's rename login page on multisite environment. Perhaps you will interested to investigate it.

  9. jdaviescoates
    Member
    Posted 1 month ago #

    Handoko,

    I really like all your helpful posts and I once read a really useful post you made about which features of Better WordPress security can often cause problems and which are generally OK to use, in your experience.

    Was just trying to find that post again, but didn't manage to - can you help? :)

    Thanks!

  10. esmi
    Theme Diva & Forum Moderator
    Posted 1 month ago #

    @jdaviescoates: If you require assistance then, as per the Forum Welcome, please post your own topic.

    This 8 month old topic references an old version of WordPress.

Topic Closed

This topic has been closed to new replies.

About this Plugin

About this Topic