Lockdown WP Admin
Plugin misbehaving when WP installed into a subdirectory (7 posts)

  1. GermanKiwi
    Member
    Posted 1 year ago #

    Hi Sean,

    I wonder if you can help me out with a problem I've encountered with your plugin. I've just installed a brand new WordPress site from scratch, and I've installed WP into a subfolder called "wordpress", but with the site URL itself being the root folder (which is a fully supported configuration for WordPress, as per http://codex.wordpress.org/Giving_WordPress_Its_Own_Directory).

    So on the "General Settings" page, I have set the WordPress Address to http://www.example.com/wordpress and I have set the Site Address to http://www.example.com. Everything is working fine - I can log into the dashboard, I can browse the site correctly at http://www.example.com, etc etc.

    Then I installed your Lockdown WP plugin (LWP). It's literally the only plugin I have installed, and it was the very first thing I did - I haven't configured anything else apart from the permalinks, which I have set to a custom structure of http://www.example.com/%postname%

    (I have already used LWP on other sites without problem, where WP is installed into the root directory rather than into a subdirectory - today is the first time I'm doing it on a site with WP in a subdirectory).

    On the LWP settings page, I enabled "hide WP Admin", and I changed the login URL to "dashboard". The plugin showed the subdirectory there as part of the URL, where it says "Change the WordPress Login URL? http://www.example.com/wordpress/ [________]"

    I am *not* using HTTP Authentication.

    Then I clicked Save, and logged out in order to test it.

    The results I got were inconsistent, and I have a feeling that the plugin doesn't work properly when WordPress is installed in a subdirectory. I hope you can check and confirm this for me, and fix it if necessary. :)

    So here are the URLs I typed into my browser, while logged out of WP, and the results, and whether I find the results good or not:

    1) http://www.example.com/wp-login.php -> gives 404 (good!)

    2) http://www.example.com/wordpress/wp-login.php -> This works and displays the login panel, and does not change/hide the URL! (NOT good)

    3) http://www.example.com/wp-admin/ -> redirects automatically to http://www.example.com/wordpress/wp-admin/ and gives 404 (good) - however, I'd prefer this not to redirect. It should stay at the original URL so it doesn't give away the /wordpress/ subfolder where I've installed WP. It would be better for the redirection to work the other way around, ie. for http://www.example.com/wordpress/wp-admin to redirect to http://www.example.com/wp-admin and then give the 404. Or at the very least, there should be no redirection at all, and both URLs should give a 404.

    4) http://www.example.com/wordpress/wp-admin/ -> gives 404 (good)

    5) http://www.example.com/dashboard -> displays the login panel, as expected (good)

    6) http://www.example.com/wordpress/dashboard -> redirects to http://www.example.com/wordpress/wp-admin/ and gives 404 (I would prefer that it redirects to http://www.example.com/dashboard and shows the login box)

    7) http://www.example.com/admin -> redirects to http://www.example.com/wordpress/wp-admin/ and gives 404 - not good, as this exposes the wp-admin URL - and I'm surprised that /admin would redirect in the first place - is this URL something you've built into your plugin, or is it part of core WordPress functionality? It would be better for this to stay as http://www.example.com/admin and give a 404 there.

    8) http://www.example.com/wordpress/admin/ redirects to http://www.example.com/wordpress/wp-admin/ and gives 404 - also not good as this exposes the wp-admin URL.

    Now here's the worst part: I then went to http://www.example.com/dashboard and logged in there via the login panel, and it immediately redirected me to http://www.example.com/wordpress/wp-admin/ and I get a 404 error!! Not good! Even though I did log in with correct credentials. So now I'm locked out of WP completely and can't get in at all - even if I go back to the login panel and log in again, it just takes me back to http://www.example.com/wordpress/wp-admin and gives me a 404. The only way I can fix this is by removing the "lockdown-wp-admin" folder from /wp-content/plugins on the server (using FTP), and then it will let me log in again to the Dashboard. I've never had this problem on WordPress installations where WP is installed into the root directory, so I have to assume that the problem is with WP running out of a subdirectory.

    Unfortunately this renders your wonderful plugin unusable by me, so I really hope you can fix it, as yours is by far the best plugin I've seen for hiding the URL of the login page (without using .htaccess or annoying "secret keys" etc).

    I hope this all makes sense and you can check and confirm this for me!

    Thanks! :)

    http://wordpress.org/extend/plugins/lockdown-wp-admin/

  2. GermanKiwi
    Member
    Posted 1 year ago #

    Hi Sean, I've just installed the new v2.0.2 of this plugin, as I saw in the changelog that you've fixed some issues with WP installed in a sub-directory. I've done some tests and it's definitely an improvement, but it still doesn't work correctly I'm afraid.

    Specifically, it won't let me log in at all using the login URL I set in the plugin - same problem as before.

    I set the login URL to "dashboard", ie. http://www.example.com/dashboard.

    Then I logged out, and went to http://www.example.com/dashboard and it correctly showed the login panel. I entered my username/password, and instead of logging me in and taking me to the WP Dashboard, it actually redirected me to http://www.example.com/wordpress/wp-admin/ and gave a 404 error. So I still have no chance to log in at all, without removing the plugin. :( Any idea what's causing this? (And please note that the URL it redirected me to, includes the /wordpress/ sub-directory in the URL)

    Additionally, when it redirects to http://www.example.com/wordpress/wp-admin/ the page there inserts the text "Page not found" at the top of the page, above the normal 404.php page content - this is odd. It should simply display the standard 404.php page from my template, without inserting any extra text at the top of the page.

    In addition, the following URLs are still problematic for me (with the login URL set to "dashboard"):

    When NOT logged in to WordPress:

    1) http://example.com/login redirects to http://example.com/wordpress/wp-admin/ and gives a 404. But this reveals the path to my WordPress installation subfolder, which is not good. I want to keep that hidden. Obviously one of the main advantages of this plugin is securing WordPress by obscurity - keeping the path and login page hidden - therefore I think the plugin should not reveal the WP installation subfolder if possible.

    2) http://example.com/wordpress/login redirects to http://example.com/wordpress/wp-admin/ and gives a 404. I think it would be better to give the 404 at the original URL without redirecting it to wp-admin.

    3) http://example.com/admin/ redirects to http://example.com/wordpress/wp-admin/ and gives a 404. Not good for the above reason.

    4) http://example.com/wordpress/admin/ redirects to http://example.com/wordpress/wp-admin/ and gives a 404. Not good for the above reason.

    5) http://example.com/wp-login.php does not redirect - just gives a 404. This is great!

    6) http://example.com/wordpress/wp-login.php does not redirect - just gives a 404. This is also great!

    7) http://example.com/wp-admin/ redirects to http://example.com/wordpress/wp-admin/ and gives a 404. Not good for the above reason - it reveals the WP subdirectory.

    8) http://example.com/dashboard does not redirect, but shows the WP login page (good!)

    9) http://example.com/wordpress/dashboard redirects to http://example.com/wordpress/wp-admin/ and gives a 404. I think this is not good - it should either redirect to http://example.com/dashboard and show the login page, or else it should not redirect anywhere, and give a 404 error without changing the URL.

    In conclusion, I think it's best when the plugin doesn't redirect (doesn't change the URL) in order to give the 404 error, because changing the URL reveals the WP subdirectory and lets the user know that WordPress is being used - which defeats the purpose of using this plugin for "security through obscurity". Also, when the URL is changed, the resulting URL ends with "wp-admin" which also gives away the fact that WordPress is being used. So it would be best if the 404 error is given without the URL changing. Maybe this is not possible with this plugin, I don't know. But if it is possible, I think it's the best solution. What do you think?

    Thanks!
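A small checker for the behaviour described in the two posts above, added here as an example; it is not code from the Lockdown WP Admin plugin or from anyone in this thread. It requests each probed path without following redirects and flags any response whose Location header reveals the install subdirectory or a wp-admin/wp-login.php path, which is exactly the leak the posts complain about. The site URL, the /wordpress/ subdirectory and the "dashboard" login slug come from the posts; the HTTP status codes in the embedded sample observations are constructed, since the posts only say "redirects".

```python
"""Audit login-hiding on a WordPress site: probe the usual admin/login paths
without following redirects and report any redirect that leaks the install
subdirectory or the wp-admin / wp-login.php path."""
import sys
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

# Paths tried in the thread, relative to the site root.
PROBE_PATHS = [
    "/wp-login.php", "/wordpress/wp-login.php",
    "/wp-admin/", "/wordpress/wp-admin/",
    "/admin/", "/wordpress/admin/",
    "/login", "/wordpress/login",
    "/dashboard", "/wordpress/dashboard",
]

# Constructed sample: what post 2 reports, with assumed status codes
# (the post says "redirects" but does not give the code).
CONSTRUCTED_OBSERVATIONS = {
    "/login": (302, "http://example.com/wordpress/wp-admin/"),
    "/wordpress/login": (302, "http://example.com/wordpress/wp-admin/"),
    "/admin/": (302, "http://example.com/wordpress/wp-admin/"),
    "/wordpress/admin/": (302, "http://example.com/wordpress/wp-admin/"),
    "/wp-login.php": (404, None),
    "/wordpress/wp-login.php": (404, None),
    "/wp-admin/": (302, "http://example.com/wordpress/wp-admin/"),
    "/dashboard": (200, None),
    "/wordpress/dashboard": (302, "http://example.com/wordpress/wp-admin/"),
}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface 3xx responses instead of following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(site, path, timeout=10):
    """Fetch one path and return (status, Location header or None)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(urljoin(site, path), method="GET")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # 3xx and 4xx both land here
        return err.code, err.headers.get("Location")


def classify(path, status, location, subdir, login_slug):
    """Judge one observation.

    subdir is the install subdirectory as a path prefix (e.g. "/wordpress/"),
    login_slug the custom login path ("dashboard"). Returns "ok", "login",
    or a string starting with "leak:", "redirect:", "exposed:" or "unexpected:".
    """
    if location:
        loc_path = urlparse(location).path
        if subdir and loc_path.startswith(subdir):
            return f"leak: redirect exposes install subdirectory ({location})"
        if "wp-admin" in loc_path or "wp-login.php" in loc_path:
            return f"leak: redirect exposes WordPress admin path ({location})"
        return f"redirect: {location}"
    if status == 404:
        return "ok"
    if status == 200 and path.rstrip("/").endswith(login_slug):
        return "login"  # the chosen login URL is meant to serve the form
    if status == 200:
        return f"exposed: HTTP 200 at {path}"
    return f"unexpected: HTTP {status}"


def audit(observations, subdir, login_slug):
    """Map each path to its verdict; observations is {path: (status, loc)}."""
    return {p: classify(p, s, loc, subdir, login_slug)
            for p, (s, loc) in observations.items()}


def leaks(verdicts):
    """Paths whose verdict reveals the subdirectory or admin path."""
    return sorted(p for p, v in verdicts.items() if v.startswith("leak:"))


if __name__ == "__main__":
    # Live mode: python audit.py http://www.example.com /wordpress/ dashboard
    if len(sys.argv) == 4:
        site, subdir, slug = sys.argv[1:]
        obs = {p: probe(site, p) for p in PROBE_PATHS}
    else:  # offline mode over the constructed sample
        subdir, slug = "/wordpress/", "dashboard"
        obs = CONSTRUCTED_OBSERVATIONS
    for path, verdict in audit(obs, subdir, slug).items():
        print(f"{path:28} {verdict}")
```

Run without arguments to see the sample verdicts; with a site URL, subdirectory and login slug it probes the live site. A clean result is every path reporting "ok" except the login slug reporting "login"; any "leak:" line means the redirect target is doing the disclosure the posts describe, regardless of what the final 404 page looks like.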

  3. sLa NGjI's
    Member
    Posted 11 months ago #

    Confirm: with WordPress in a subdir this plugin shows the subdir name and redirects improperly!
    This needs a security patch, for me ...

    Another problem is the 404: the 404 error is embedded in the plugin, but for best caching performance and security masking it is needed, imho, that the 404 error calls the real 404 of the hosting directly.

    Is it possible to add an option on the control panel to enable it in future releases of this plugin?

    Thanks!

  4. GermanKiwi
    Member
    Posted 11 months ago #

    The 404 error page that I get via this plugin is just the standard WordPress 404 error page, that you would also get when you go to any other invalid URL - which I think is fine. It provides consistency with the rest of the site. It's not built into the plugin, but it's provided by your WordPress theme.

    The 404 error page itself doesn't reveal anything wrong in terms of security. The only issue I have is that the URL still reveals the WP subdirectory location.

  5. sLa NGjI's
    Member
    Posted 11 months ago #

    "the URL still reveals the WP subdirectory location"

    Yes! This is a real big problem ...

    "The 404 error page that I get via this plugin is just the standard WordPress 404 error page, that you would also get when you go to any other invalid URL - which I think is fine. It provides consistency with the rest of the site. It's not built into the plugin, but it's provided by your WordPress theme."

    If your theme supports 404 it bypasses the 404 of the plugin, but if your theme does not support 404 the plugin shows its internal 404 located on line 657 of the lockdown-wp-admin.php file. Not all themes support 404 ... for example, if you use WordPress as a simple CMS ... For best caching on WordPress and reducing memory and CPU load, the best solution is to serve the real 404 of the hosting and not a 404 embedded in plugins or themes. This practice is also used by W3 Total Cache ...

  6. GermanKiwi
    Member
    Posted 9 months ago #

    It's still broken after upgrading to 2.1 today.

    If I set the login URL to http://www.example.com/dashboard (by entering "dashboard" into the login URL field of this plugin), and then I go to http://www.example.com/dashboard in my browser and enter my username/password, it then gives me a 404 error page instead of logging me in.

  7. Dademaru
    Member
    Posted 7 months ago #

    Hi,
    I have the same problem with wp installed in subdirectory.
    It generates too many redirects.

Topic Closed

This topic has been closed to new replies.