Stealth Login Page
[resolved] Why the change? 4.0 (33 posts)

  1. Grimpond
    Member
    Posted 12 months ago #

    I went to install Stealth on a new site today, and the entire functionality has changed with 4.0

    Can I ask why?

    One of the best parts of the plugin was the non-loading of the login page if you didn't have the right URL.

    but that had now gone :(

    G

    http://wordpress.org/plugins/stealth-login-page/

  2. Jesse Petersen
    Member
    Plugin Author

    Posted 12 months ago #

    Because 90+% of the tickets on here have to do with some other plugin or some other feature like password-protected pages not knowing what to do with a login page that is no longer there. The primary function was to kill bot attacks and now that I have done this, I will have the option in v5 to give people the option.

    Let's see which one works best for the masses and then let people choose.

    If you clear out that field, you will get your old settings back. You may want to use the variables in the wp-config.php method, though, so you can control your question, answer, and redirect there. (because it's backwards compatible - and the notes said you didn't have to change methods)

  3. Grimpond
    Member
    Posted 12 months ago #

    Thanks for the answer Jesse.

    I guess it depends on the usage, but one of the best bits in our opinion was the missing login page.

    I would be happy to see the option to have it one way or the other.

    Is the last 3.x version still compatible with the current WP?

    Thanks for the great plugin :)

  4. Jesse Petersen
    Member
    Plugin Author

    Posted 12 months ago #

    Let me see if I can work it into a 4.1.0 in the next 2 weeks for you and those who will miss it. I can assure you that it will be a major pain in the butt if you spend any time in the dashboard.

    WP 3.6+ (if you are on a bleeding edge version on any dev site, they've already pushed out 3.7-alpha due for release in October and 3.8 in December) has the Heartbeat API, which brings up a pop-up login form when you've had session inactivity. When that pops up, that form is pulled from wp-login.php, which is a redirect, so bye-bye from whatever you were just working on. Time to go back to your hidden login, log back in, and navigate back to where you were.

    It personally drove me nuts for 2 months knowing it was coming for everyone using the plugin (see download stats to see my anxiety).

    http://wpmu.org/wordpress-3-6-the-new-heartbeat-api/

    I did find a way to disable the Heartbeat API and forwarding of addresses like /login and /dashboard and /admin to various locations in the install, so perhaps those as options, also, would make for a comprehensive settings page.

    I've got 4 or 5 full-site projects backed up and a deadline on one today and another next Friday, so it'll be at least 10 days. A few hefty contributions will aid in sitting down and re-coding those options. This was the result of 2 months of thinking and researching, 5 hours of re-coding the entire plugin for efficiency, and 5 hours of squashing the backward-compatibility issue for people who haven't been to the Settings page yet.

  5. bisadmin
    Member
    Posted 12 months ago #

    I also liked the prev version more

  6. Jesse Petersen
    Member
    Plugin Author

    Posted 12 months ago #

    Your vote counts. :)

    I've already decided this morning to add the option on the settings page because I realized... it's not a stealth login page now. I believe it will work better against bots, but I do need to re-hide it and let those (possibly few) people who have issues with redirects to use the new method.

    Please feel free to use 3.0.0, as it was working pretty good for at least 6-8 weeks without updates. You will be frustrated in WP 3.6 per above.

  7. Grimpond
    Member
    Posted 12 months ago #

    Thanks Jesse. :) Your work is much appreciated.

    Pop-up login!!! Ahhhhh ! No wonder you are frustrated.. IMO popup logins are a giant PITA.

    As I said we were really happy with V3.x and we will continue to use it as long as we can.

    Good luck with the new versions.

    G

    PS - Everyone - support your developers! :)

  8. The Hack Repair Guy
    Member
    Posted 12 months ago #

    I like the authorization code. It does solve other issues I've alluded to prior.

    Food for thought.
    I do think you should look at CAPTCHA which I "force" all of my clients to install.

    With the new authorization code option, it seems to me your plugin and CAPTCHA might have sort of redundized each other?

    +++
    I see no donation option within your plugin options page- get that done now!
    +++

  9. Jonathan
    Member
    Posted 12 months ago #

    I also very much liked the method utilized in version 3.0 because it didn't load the page at all. We're concerned about the security aspect, but more than anything the page requests were hurting our server performance.

    It would be great if people had the option to choose which method to use.

    Thanks again for the plugin. We love it.

    Jonathan

  10. Jesse Petersen
    Member
    Plugin Author

    Posted 12 months ago #

    I am adding in the option to choose just as soon as I launch things with immediate deadlines. It will be the best of both worlds. To get that option back, just clear out the auth code field and it will revert to previous behavior or add the variables to wp-config.php:
    $slp_redirect = "item";
    $slp_question = "item";
    $slp_answer = "item";

    Hack Repair Guy - I didn't have time to put the link in the dashboard in case WP 3.6 dropped - the link is here on the repo under my developer name in the sidebar or https://www.petersenmediagroup.com/contribute/

  11. Faskil
    Member
    Posted 11 months ago #

    Hello Jesse,

    TBH, I don't understand how the plugin can be useful with the lock code. It just adds a layer to the login process but doesn't prevent bots from trying to brute force it, which was the initial purpose. So yeah, a choice to roll back to the previous behavior would be appreciated. ;)

    To get that option back, just clear out the auth code field and it will revert to previous behavior

    Can't do that. When I try to save the settings with an empty box, it complains about the box being empty and won't save. :/

  12. Jesse Petersen
    Member
    Plugin Author

    Posted 11 months ago #

    Yes, I'm considering rolling out 4.0.1 today to fix that bit. 4.1.0 is underway but I have a strict deadline to do a site start to finish by Friday.

    If you have access to FTP, edit the settings-page.php fields by searching for "required" and deleting them. That will kill the complaining of empty fields. Just be sure you have the 3 fields filled in.

  13. bugsland
    Member
    Posted 11 months ago #

    Hi,

    I am also voting for the old "stealth" function to be added back.
    I was using your plugin to hide the login page as I noticed various brute force attacks were having a heavy impact on my website CPU/Memory.
    Hiding the login page stops those attacks and free up the CPU!

    By the way, I tried to remove the AUTH code from your plugin settings (4.0.0), thinking it would bring back the old feature, but it doesn't let me save the settings if there is no auth code value.

    I'll wait for your update :)

  14. dvascheta
    Member
    Posted 11 months ago #

    Would like to say I also miss this feature!

    wp-login.php?question=answer -- was very original! I've found no more plugins with such feature, that was the reason I used your plugin together with complex plugins, solving many security problems "all-in-one", which have their own "not original" way to hide login page!

    Will be very glad to see it again!

    Thank you for your work!
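
Added example, not part of the thread and not the plugin's own code: a sketch of the pre-4.0 behaviour described above, where wp-login.php loads only when the request carries the secret question=answer pair and every other request is redirected. The three variable names are the wp-config.php settings quoted earlier in the thread; the function name slp_gate and all sample values are assumptions.

```php
<?php
// Added illustration, not the Stealth Login Page plugin's code.
// Variable names mirror the wp-config.php settings quoted in the thread;
// the values are constructed placeholders.
$slp_redirect = 'https://example.com/';
$slp_question = 'question';
$slp_answer   = 'answer';

/**
 * Decide what to do with a request for wp-login.php.
 * Returns null when the login page may load, or the URL to redirect to.
 * slp_gate() is a hypothetical helper name.
 */
function slp_gate(array $query, string $question, string $answer, string $redirect): ?string
{
    // An unset or empty secret must never match an empty parameter.
    if ($question === '' || $answer === '') {
        return $redirect;
    }
    $supplied = $query[$question] ?? null;
    // ?question[]=answer arrives as an array; treat anything non-string as a miss.
    if (!is_string($supplied)) {
        return $redirect;
    }
    // Constant-time comparison so response timing does not leak the answer.
    return hash_equals($answer, $supplied) ? null : $redirect;
}

// Constructed sample query strings, as a user or a bot might send them.
$samples = [
    'bare wp-login.php'       => '',
    'correct pair'            => 'question=answer',
    'wrong answer'            => 'question=guess',
    'array-typed parameter'   => 'question[]=answer',
    'right answer, wrong key' => 'q=answer',
];

foreach ($samples as $label => $qs) {
    parse_str($qs, $query);
    $target = slp_gate($query, $slp_question, $slp_answer, $slp_redirect);
    printf("%-24s %s\n", $label, $target === null ? 'load login form' : "302 -> $target");
}

// In WordPress this decision would typically run on the login_init action:
// a non-null result is passed to wp_redirect() followed by exit.
```

Only the "correct pair" request loads the form; the other four are redirected before any login code runs. The pair travels in the URL, so it ends up in access logs and browser history and works as a filter in front of password authentication, not a replacement for it.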

  15. aproimage
    Member
    Posted 11 months ago #

    Just another vote for the old functionality, the new version doesn't really achieve what I installed it for, so having the option to choose would be useful.

    Great plugin though, thanks!

  16. Jesse Petersen
    Member
    Plugin Author

    Posted 11 months ago #

    Thank you. I've got a good portion of the code in place now - just launching sites to pay the bills and then I'll make 4.1.0 something everyone will like.

    Bugsland, if you remove "required" from the input fields in the settings-page.php file, then the page should save with empty fields.

  17. Karl Jacobs
    Member
    Posted 11 months ago #

    Have to say, I'm waiting for the previous functionality as well. I've got 20+ users that will never remember a second password, but I can give them a link to bookmark.. ;D

  18. nootkan
    Member
    Posted 11 months ago #

    I'm confused, are you guys saying that once the login page is hidden that no one can even register? Most of my problems with bots is that they keep registering and making me go into users to delete them. Will this plugin stop this or should I be looking for some kind of email authentication plugin so that they don't even get to the user page?

  19. dvascheta
    Member
    Posted 11 months ago #

    Nootkan, do you need real people to register to your site? If not, just turn off this capability entirely: main page of the settings, option "Anyone can register".

    If yes, renaming the register page will keep out most of the bots. And also you can always add captcha or any other "quest" that only people can pass.

  20. Jesse Petersen
    Member
    Plugin Author

    Posted 11 months ago #

    dvascheta is correct, nootkan. This is for people who want a secure site and having open registrations is inherently insecure because you must have an open login form, however there are additional options coming.

  21. nootkan
    Member
    Posted 11 months ago #

    Thanks guys for replying. Unfortunately, I have to have the ability to allow normal users to post and register as feedback is important to the owners of the site. I will do some research on how to rename the register.php page as I am unfamiliar with the steps. I have used captcha but it doesn't work with the bots that keep attacking all my wordpress sites. I have been thinking of trying to find a plugin that has email authentication where a link is emailed before a user registration is activated. That should stop the bots from getting through (I think) as they never use valid email addresses. Thanks again for the help.

  22. dvascheta
    Member
    Posted 11 months ago #

    Do you mean that bots pass captcha?

    Probably you have to install some more plugins to improve site security. Something like "Better WP Security" -- plugin with the whole complex of WP security improvements.

    Also may be a good idea to hide login/register page at all and install some plugin adding sidebar widget with small login form. Search for "sidebar login" in plugins section.

    If you need help, please write me at info(at)dvascheta.ru

  23. nootkan
    Member
    Posted 11 months ago #

    Yes the bots pass the captcha and my research shows that they are now good enough to fool the email validation. Good grief, is there any way to stop this onslaught? Is it possible to at least stop them from getting added to the users database before an admin approves or deletes them? I'm getting tired of manually deleting users created by the bot(s). Also tried your other suggestions but cannot find anything related to sidebar login or how to hide the login/register page, but then my searching skills are not the best it seems. I will keep looking. Thanks for the replies by the way, much appreciated.

  24. dvascheta
    Member
    Posted 11 months ago #

    It's very strange that bots pass captcha. Usually they are not so "clever".

    Try another captcha, maybe they recognize only the one you use. But this is all very strange. There are other ways similar to captcha, for example I remember there was a plugin that asks the user to orient three pictures some definite way.

    And of course you can force new users to wait for your approval -- see for example this: http://wordpress.org/plugins/search.php?q=New+User+Approve .

  25. nootkan
    Member
    Posted 11 months ago #

    Yes I have the new user approve plugin installed, unfortunately the new user is still placed in the user database so I have to manually delete them from the users page in the admin even though I haven't approved them yet. That is the real problem, I'm getting tired of manually deleting all the fake users that the bot is signing up. They may not be able to do anything on the site but I wish I could stop them from getting to the database somehow and showing up on the users page in the admin. Thanks for your reply.

  26. err0x
    Member
    Posted 11 months ago #

    That is what I hate too. Before 4.0.0 most bots that did try to go to wp-login or wp-admin got redirected to Google.com. That solves 99,999% of the problem. Illegal traffic automatically transferred to some search engine. Now, they still try. And yes, although still using this plugin and some other captcha they will still try, posing a threat to my site.

  27. axeman41
    Member
    Posted 10 months ago #

    I just wanted to weigh in. I really liked the older way. Now my mailbox is filling up with notices that "admin" etc users are locked out due to too many failed login attempts (from the Wordfence plugin, which is awesome). The evil robot wasn't even getting that far before.

    Please restore the old one! I would pay for it!

  28. Jesse Petersen
    Member
    Plugin Author

    Posted 10 months ago #

    I'm still up to my neck in projects - you can always download 3.0.0 from the developer tab and re-upload it to get stealth back. The full history of the plugin is available there.

    http://wordpress.org/plugins/stealth-login-page/developers/

  29. axeman41
    Member
    Posted 10 months ago #

    Thanks for that.

    Seriously, I'm sure people would be willing to pay a few bucks for such a simple and effective solution to the ongoing issue of those dastardly brute force attacks. And then you could make it more of a priority.

    Just a thought.

  30. GoHero
    Member
    Posted 4 months ago #

    I'm still using Stealth Login on all sites, because it's the best out there. However: there has been some talk about additional options (such as the old login method, which I also much preferred) quite a few months ago. Has the development been abandoned?

    Like the previous poster, I'd be willing to pay for extended functionality, particularly if it could also resolve the problem with the login page, which is exposed to a much higher attack rate in version 4 (and is somewhat clumsy to log in to, because apps like 1Password can't handle an additional pass).
