wp-login
-
Hello,
I use the free version, and I use the “Hide Login Area” option:
Hides the login page (wp-login.php, wp-admin, admin and login) making it harder to find by automated attacks and making it easier for users unfamiliar with the WordPress platform.
it’s ok for :
– wp-admin
– admin
– login
but not working for : /wp-login
Can you help me please ?
Best regards,
Olivier
-
Olivier,
Are you referring to /wp-login or /wp-login.php ?
I guess you’re saying that despite enabling the iTSec plugin “Hide Login Area” setting, the /wp-login.php URL still allows access to the WP login screen ?
Please clarify.
dwinden
I have the same issue: the wp-login.php URL is still allowing access to the WP login screen.
Thanks
Please make sure the “Enable the hide backend feature” checkbox is ticked in the Settings tab, “Hide Login Area” section.
Are you using any caching plugin ?
Which browser are you using ?
Have you already tried clearing the browser cache ?
Also confirm you are using iTSec 4.5.10 (or higher) in WP 4.1
If possible please provide me with your URL.
dwinden
Hi,
Thanks for your help. I give you some responses below.
>> Are you referring to /wp-login or /wp-login.php ?
https://www.domain.com/wp-login
https://www.domain.com/wp-login/
These 2 URLs still allow access to the WP login screen
but it works for :
https://www.domain.com/wp-login.php => produces a 404
>> make sure the “Enable the hide backend feature” checkbox is ticked
It’s OK
>> Are you using any caching plugin ?
No. I’m on a preprod server
>> Have you already tried clearing the browser cache ?
Yes. Local cache is clear.
>> Also confirm you are using iTSec 4.5.10 (or higher) in WP 4.1
Version 4.6.2 in WP 4.1
>> If possible please provide me with your URL.
Sorry. Not possible : not accessible from external

If the iTSec plugin was not installed recently and it has been updated in the past there may be some outdated RewriteRule lines left in the .htaccess file, e.g.:
RewriteRule ^wp-login/?$ /wp-login.php?awxz3zc03winl3fq0gwcr [R,L]
That would explain …
Remove such outdated RewriteRule lines from the .htaccess file.
Or post the content of the .htaccess file and I’ll take a look at it …
dwinden
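
Added example (not part of the original thread, and not iThemes Security code): a small Python check for leftover RewriteRule lines like the one quoted above, which route a probed path to wp-login.php outside the configured slug rule. The function names and probe list are assumptions, the sample is constructed from rules quoted in this thread, and Python's `re` only approximates Apache's matching.

```python
import re

# Constructed sample: the Hide Backend rule from the thread, plus the outdated
# redirect that dwinden quotes as an example of a leftover line.
SAMPLE_HTACCESS = "\n".join([
    r"# BEGIN Hide Backend",
    r"RewriteRule ^(/actualite/)?tagadac/?$ /actualite/wp-login.php [QSA,L]",
    r"# END Hide Backend",
    r"RewriteRule ^wp-login/?$ /wp-login.php?awxz3zc03winl3fq0gwcr [R,L]",
    r"RewriteRule ^wp-includes/[^/]+\.php$ - [F]",
])

RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?", re.I)

def parse_rules(text):
    """Yield (line number, pattern, substitution, flags) for each RewriteRule."""
    for lineno, line in enumerate(text.splitlines(), 1):
        m = RULE_RE.match(line)
        if m:
            flags = [f.strip().upper() for f in (m.group(3) or "").split(",") if f.strip()]
            yield lineno, m.group(1), m.group(2), flags

def rules_matching(text, path):
    """Rules whose pattern matches a per-directory path (no leading slash).
    Python's re stands in for Apache's PCRE; RewriteCond lines are ignored."""
    hits = []
    for lineno, pattern, target, flags in parse_rules(text):
        negated = pattern.startswith("!")
        rx = re.compile(pattern[1:] if negated else pattern,
                        re.I if "NC" in flags else 0)
        if bool(rx.search(path)) != negated:
            hits.append((lineno, pattern, target))
    return hits

def login_exposures(text, slug, probes=("wp-login", "wp-login/", "login", "admin")):
    """Rules, other than the slug rule, that send a probe path to wp-login.php."""
    return [(probe, lineno, pattern)
            for probe in probes
            for lineno, pattern, target in rules_matching(text, probe)
            if "wp-login.php" in target and slug not in pattern]

if __name__ == "__main__":
    for probe, lineno, pattern in login_exposures(SAMPLE_HTACCESS, "tagadac"):
        print(f"line {lineno}: {pattern!r} routes /{probe} to the login script")
```

An empty result from `login_exposures` means no rule in the file maps the probed paths to the login script, so the cause has to be looked for elsewhere (server configuration or WordPress itself).
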
Thanks for your response.
I give you my htaccess file below :
# BEGIN iThemes Security
# BEGIN Hide Backend
# Rules to hide the dashboard
RewriteRule ^(/actualite/)?tagadac/?$ /actualite/wp-login.php [QSA,L]
# END Hide Backend
# BEGIN Tweaks
# Rules to block access to WordPress specific files
<files .htaccess>
Order allow,deny
Deny from all
</files>
<files readme.html>
Order allow,deny
Deny from all
</files>
<files readme.txt>
Order allow,deny
Deny from all
</files>
<files install.php>
Order allow,deny
Deny from all
</files>
<files wp-config.php>
Order allow,deny
Deny from all
</files>
# Rules to disable XML-RPC
<files xmlrpc.php>
Order allow,deny
Deny from all
</files>
# Rules to disable directory browsing
Options -Indexes
<IfModule mod_rewrite.c>
RewriteEngine On
# Rules to protect wp-includes
RewriteRule ^wp-admin/includes/ - [F]
RewriteRule !^wp-includes/ - [S=3]
RewriteCond %{SCRIPT_FILENAME} !^(.*)wp-includes/ms-files.php
RewriteRule ^wp-includes/[^/]+\.php$ - [F]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F]
RewriteRule ^wp-includes/theme-compat/ - [F]
# Rules to prevent php execution in uploads
RewriteRule ^(.*)/uploads/(.*).php(.?) - [F]
# Rules to block unneeded HTTP methods
RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK) [NC]
RewriteRule ^(.*)$ - [F]
# Rules to block suspicious URIs
RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
RewriteCond %{QUERY_STRING} ^.*\.(bash|git|hg|log|svn|swp|cvs) [NC,OR]
RewriteCond %{QUERY_STRING} etc/passwd [NC,OR]
RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} http\: [NC,OR]
RewriteCond %{QUERY_STRING} https\: [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(127\.0).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(request|concat|insert|union|declare).* [NC]
RewriteCond %{QUERY_STRING} !^loggedout=true
RewriteCond %{QUERY_STRING} !^action=jetpack-sso
RewriteCond %{QUERY_STRING} !^action=rp
RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$
RewriteCond %{HTTP_REFERER} !^http://maps\.googleapis\.com(.*)$
RewriteRule ^(.*)$ - [F]
</IfModule>
# END Tweaks
# END iThemes Security
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /actualite/
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /actualite/index.php [L]
</IfModule>
# END WordPress

Olivier,
Your .htaccess looks absolutely fine.
If you are using Apache webserver also check your Apache conf file for any “wp-login” redirects …
Also confirm you are using “tagadac” as the new login slug (instead of wp-admin). Test it by accessing:
https://www.domain.com/tagadac
or
https://www.domain.com/actualite/tagadac
If there are no wp-login redirects in Apache conf file try to determine whether this issue is caused by something else than the iTSec plugin by temporarily renaming the “better-wp-security” directory …
Then test whether you are still able to access the WP login screen using wp-login … (clear cache).
(Don’t forget to rename the directory back to its original name after the test …)
Please confirm you have SSL (https) enabled …
dwinden
dwinden,
https://www.domain.com/actualite/tagadac works fine
so SSL is well enabled, and the slug works fine.
I have no rewrite rule in my apache SSL conf about wp-login.
My only problem is
https://www.domain.com/actualite/wp-login
or
https://www.domain.com/actualite/wp-login/
don’t redirect to
https://www.domain.com/actualite/tagadac
Can I add a rule like this ?
RewriteRule ^(/actualite/)?wp-login?$ /actualite/tagadac
Oops
Can I add a rule like this ?
RewriteRule ^(/actualite/)?wp-login?$ /actualite/
I think it is possible to add such a rule …
But it would be better to solve the real issue.
As far as I know in a vanilla WP 4.1 env (with or without iTSec plugin installed and “Hide login Area” feature enabled) wp-login and/or wp-login/ should not work … (but I could be wrong).
Unless the wp-login folder actually exists …
This looks more and more like a general WP issue …
First disable “Hide login Area” in the iTSec plugin (just to be sure rename the .htaccess as well).
Then see whether wp-login and/or wp-login/ still redirect to the WP login screen ? If so, this is not an iTSec plugin issue.
dwinden
To be sure I performed some WP tests (non SSL).
In a vanilla WP 4.1 environment BEFORE enabling Permalinks:
– admin, login and wp-login (or wp-login/) result in:
NOT FOUND
The requested URL /whatever/admin was not found on this server.
– wp-admin redirects to wp-login.php
In a vanilla WP 4.1 environment AFTER enabling Permalinks:
– admin, login and wp-admin redirect to wp-login.php
– wp-login (or wp-login/) results in:
Oops! That page can’t be found. (But displays as a page in the theme layout. No redirect visible in browser address bar).
Apache access_log shows 404.
dwinden
The topic ‘wp-login’ is closed to new replies.