Lockdown WP Admin
login (31 posts)

  1. jonrittmann
    Member
    Posted 1 year ago #

    Your plugin worked, sort of. After I specified a custom URL, it went to the URL I created, but I also just typed http://www.myweb.com/login and that also worked. The bad thing about it is it didn't slow down hackers getting to the login screen, as they guessed the "login".

    http://wordpress.org/extend/plugins/lockdown-wp-admin/

  2. kingofpunk
    Member
    Posted 1 year ago #

    I have the same problem, so the intrusion attempts don't stop.

  3. James Bonham
    Member
    Posted 1 year ago #

    See next reply. This one was a duplicate.

  4. James Bonham
    Member
    Posted 1 year ago #

    Not sure if this hack is the best way, but it seems to work. The author should look at this.

    Around line 580 in lockdown-wp-admin.php
    from...

    if ( $super_base == 'wp-login.php' )

    to...

    if ( $super_base == 'wp-login.php' || $super_base == 'login' )

  5. Sean Fisher
    Member
    Plugin Author

    Posted 1 year ago #

    The problem is that somebody could also set their login URL to login. I wonder how that's happening.

    @jonrittmann: can you tell me something about your hosting setup? Web host and PHP version?

  6. HCE
    Blocked
    Posted 11 months ago #

    This is happening to me too. When I go to mydomain.com/login it redirects me to the custom login url I created. Also, initially I created the custom url mydomain.com/admin to login at. Then I changed it to mydomain.com/something else. But when I go to /admin now it redirects to /wp-admin.

    Please advise.

  7. HCE
    Blocked
    Posted 11 months ago #

    It looks like /login and /admin are native WordPress functions...

  8. HCE
    Blocked
    Posted 11 months ago #

    Also, I have multiple TLDs for my domain.

    Example: mydomain.com, mydomain.net, mydomain.org, mydomain.biz, etc...

    My main website is mydomain.ORG. But I have the .net, .com, .biz, etc. redirecting to mydomain.org. I have the redirects set up so that if you go to mydomain.COM/contact it redirects you to mydomain.ORG/contact.

    Using your plugin, when I go to mydomain.ORG/wp-login.php I get the 404 page. But when I go to mydomain.COM/wp-login.php it redirects to mydomain.org/wp-login.php and shows the login form.

    How can I prevent this and get it to show the 404 instead?

    Thanks!

  9. HCE
    Blocked
    Posted 11 months ago #

    If you go to /wp-register.php or /wp-signup.php it reveals the custom login url...

  10. ogu007
    Member
    Posted 11 months ago #

    I love this plugin, but same thing for me :
    /wp-register.php + /wp-signup.php reveals the custom login url.
    Also, it can be bypassed by browsing to /wp-admin/async-upload.php

    Thank you!

  11. HCE
    Blocked
    Posted 11 months ago #

    To prevent /login, /admin, /wp-register.php, and /wp-signup.php from revealing the custom login url I did as @Bonham suggested and added them to line 592 in lockdown-wp-admin.php. So this is what I have:

    if ( $super_base == 'wp-login.php' || $super_base == 'login' || $super_base == 'admin' || $super_base == 'wp-register.php' || $super_base == 'wp-signup.php' )

    and it now returns a 404 for those pages.

    I tried adding /wp-admin/async-upload.php to that but it didn't work. Any suggestions on how to prevent /wp-admin/async-upload.php from revealing the custom login url?

  12. ogu007
    Member
    Posted 11 months ago #

    Great. It works for me now!

    I added /async-upload.php to line 592. It blocks access to the custom login url, but it created some issues with the media manager. So, don't try this one.

    So, I still don't know how to stop /wp-admin/async-upload.php from revealing the custom login url.

  13. James Bonham
    Member
    Posted 11 months ago #

    Sean, can I suggest that /login is not allowed as a setting? Looking at some brute force attacks, some of them guess that /login has been used instead of /wp-login.php. Using /login makes no sense from a security perspective.

    @HCE has extended my idea further and this really ought to be in the plugin core.

    Here's a condensed version when there are a lot of values to check against...

    if ( in_array( $super_base, array( 'wp-login.php', 'login', 'admin', 'wp-register.php', 'wp-signup.php' ) ) )

  14. James Bonham
    Member
    Posted 11 months ago #

    ...but there's a problem. What if you want to allow registrations? This would have to be conditional or an option or something. Alternatively find a way to rename the register page too, just like the login.

  15. HCE
    Blocked
    Posted 11 months ago #

    I don't allow registrations, so blocking /wp-register and/or wp-signup is not a problem for me. But I agree it should be conditional as a plugin core.

    To prevent /wp-admin/async-upload.php from revealing the custom login url you can password protect the wp-admin directory. That offers a suitable solution for me.

  16. Sean Fisher
    Member
    Plugin Author

    Posted 11 months ago #

    The idea behind this plugin was to let the user set whatever login URL they wanted. If they really wanted it to be /login, so be it--their stupid decision!

    What I could do is recommend against it by adding in a message saying this isn't so secure. They have the freedom to compromise security.

  17. Delta Skies
    Member
    Posted 10 months ago #

    It's not a case of people making a "stupid decision"; it's a case of the plugin still allowing someone to type in /login and get to the new login url they have just created. OK, the attempts at hacking in to my websites have greatly reduced, but they certainly haven't gone away due to this.

  18. James Bonham
    Member
    Posted 10 months ago #

    Agree with Delta Skies. Allowing /login to reveal everyone's login is crazy. And sometimes you have to steer the user away from making stupid decisions.

    The problem is that if we did it, existing users who have set it to /login would be locked out of their sites when they update the plugin.

    So the plugin would have to check if the user has specifically chosen /login, and only then allow it to work. Otherwise it would be in the blacklist.

    I could look into submitting my idea as a pull request, but only if Sean agrees to the concept.

    For now I am sticking a redirect in htaccess...
    Redirect 301 /login /
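    Pulling together the ideas from posts 13, 14 and 18 (a blacklist of guessed paths, registration endpoints blocked only when registration is off, and an exemption for the slug the owner deliberately chose so existing installs are not locked out), here is an added example; it is not the plugin's own code. The function name, its parameters and the sample values are assumptions.

    ```php
    <?php
    // Added example, not code from Lockdown WP Admin. Decide whether a request's
    // base path should get the plugin's 404 treatment.
    //   $super_base        - last path segment of the request (as in the plugin)
    //   $custom_login      - the slug the site owner configured (assumed input)
    //   $registration_open - whether the site accepts registrations (assumed input;
    //                        in WordPress this would come from get_option('users_can_register'))
    function lockdown_should_block( $super_base, $custom_login, $registration_open ) {
        // Paths brute-force tools try in place of, or alongside, wp-login.php.
        $always = array( 'wp-login.php', 'login', 'admin' );
        // These reveal the custom login url, but are needed if people may register.
        $registration = array( 'wp-register.php', 'wp-signup.php' );

        $blacklist = $registration_open ? $always : array_merge( $always, $registration );

        // Respect an explicit (if unwise) choice such as /login: an owner who set
        // that slug must still be able to log in after updating.
        $blacklist = array_diff( $blacklist, array( $custom_login ) );

        return in_array( $super_base, $blacklist, true );
    }

    // Constructed sample requests to exercise the check.
    $cases = array(
        array( 'wp-login.php',  'secret-door', false ), // blocked
        array( 'login',         'secret-door', false ), // blocked
        array( 'login',         'login',       false ), // allowed: owner chose /login
        array( 'wp-signup.php', 'secret-door', true  ), // allowed: registration open
        array( 'wp-signup.php', 'secret-door', false ), // blocked
        array( 'secret-door',   'secret-door', false ), // allowed: the real login url
    );
    foreach ( $cases as $c ) {
        list( $base, $custom, $open ) = $c;
        printf( "%-14s custom=%-12s registration=%-6s -> %s\n",
            $base, $custom, $open ? 'open' : 'closed',
            lockdown_should_block( $base, $custom, $open ) ? 'block (404)' : 'allow' );
    }
    ```

    Run it with `php` from the command line; the printed table shows which of the constructed requests would be blocked.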

  19. HCE
    Blocked
    Posted 10 months ago #

    Hi James! Can you provide the exact code we should place in the htaccess to redirect /login to a 404?

    Thanks!

  20. James Bonham
    Member
    Posted 9 months ago #

    This is what I am now doing to block /login, /wp-login.php and /admin in .htaccess, before they even get to WordPress.

    # Set a simple 401 Unauthorized message
    ErrorDocument 401 "Unauthorized"

    # Throw out requests to the usual login addresses before WordPress loads.
    # The substitution is "-" because for a non-3xx status mod_rewrite drops the
    # target URL anyway and only sends the status code.
    RewriteEngine On
    RewriteCond %{REQUEST_URI} (wp-login\.php|/login|/admin)$
    RewriteRule .* - [R=401,L]

    Do this before the usual WordPress rewrite rules

  21. Yuffie89
    Member
    Posted 5 months ago #

    Hi! I noticed another problem with this plugin.

    I've never had problems thanks to this plugin, but since yesterday someone has been trying to get into my site.

    I have a website url like site.net (without www). I noticed that the intrusions come from the url http://www.site.net/wp-login.php. Even if I modified the plugin like written above, anyone can access from another url without knowing the real url.

    How can I resolve the problem?

    I don't know how to redirect via .htaccess or modify the plugin, can someone help me? Thanks

    (Sorry for my English, I hope you can understand)

  22. James Bonham
    Member
    Posted 5 months ago #

    How are you monitoring intrusions?

    I assume you have a redirect set up from www to non-www. That would mean the user is actually hitting the wp-login.php of the non-www site - in other words your actual site.

    The only way to avoid requests to wp-login.php from loading WordPress and slowing things down is to throw them out before they get anywhere near WordPress. The easiest way to do this is to...

    1. Set up the plugin to use a different login url from the standard one.
    2. Open the .htaccess file in the root level of your WordPress site.
    3. Copy and paste the lines from my post above to the very start of the file.

    If you do this you don't need to worry about modifying the plugin.

    Hope you can resolve it.

  23. Yuffie89
    Member
    Posted 5 months ago #

    Hi, thanks for the reply. I opened my .htaccess and copy/pasted at the beginning but your method doesn't work.

    I noticed the intrusions with "Better Wp security" and then on cPanel I saw that they tried to enter from the www url.

    I don't understand why in the non-www site lockdown wp works and in the www site doesn't work...

    In other words I have the same problem written in this topic: http://wordpress.org/support/topic/subdomains-disrespect-the-url-change

  24. david
    Member
    Posted 5 months ago #

    I had the same problem, i.e., when the domain was prefixed with 'www.' the plugin was bypassed and http://www.domain.com/wp-login.php worked. The code posted above by James SOLVED the problem!!! I am a happy camper. Thanks much!

    david

  25. Yuffie89
    Member
    Posted 5 months ago #

    So the code's working? Am I doing something wrong?

    I tried another time and at the www site I continue to see the login screen...

    Maybe something in htaccess conflicts with the code? I think this can be the problem: I restored the plugin to how it was originally and it doesn't work either.

  26. HCE
    Blocked
    Posted 5 months ago #

    James' htaccess code definitely works. It works perfectly, in fact. Make sure you copied it correctly and try again. Be sure to undo any modifications you made to the plugin as well.

  27. Yuffie89
    Member
    Posted 5 months ago #

    It doesn't work at all and I don't understand why :/ I deleted the htaccess rewrite option of better wp security too but nothing changes.

    I undid the modification of the plugin, I put the code at the beginning of the document and just before the WordPress rewrite (after the Better WP Security code), I deleted the Better WP Security code...

    Nothing changes and I always see the login screen at http://www.site.net/wp-login.php

    I'm sure the code works, or I've some conflicts in the site or I'm doing something wrong.

  28. HCE
    Blocked
    Posted 5 months ago #

    Have you tried clearing your cache?

  29. James Bonham
    Member
    Posted 5 months ago #

    When you go to http://www.site.net/wp-login.php do you get redirected to the non-www login page or does the address stay as http://www.site.net/wp-login.php

    If you stay on www, you should do something about it to avoid duplicate content and other strangeness. You should redirect all www. pages to non-www pages in your DNS setup or in htaccess. How you do that depends on your web host.

  30. Yuffie89
    Member
    Posted 5 months ago #

    Yeah, my site on http://www.site.net/wp-login.php doesn't go to the non-www site, I don't know why. When I go to http://www.site.net it goes to site.net without any problem...

    I contacted my web host and they said that it's a WordPress problem and couldn't resolve the issue.

    Any ideas? I tried to redirect via htaccess but doesn't work.

    I'm really sorry, I'm going ot...

Topic Closed

This topic has been closed to new replies.
