• I have a routine that I have installed on wordpress sites which filters out incoming requests for things like wp-login, /wp-admin, and so on. The code runs BEFORE any of the wordpress core, to limit server load from undesirables who may be trying to access the site. I created this code because any site that operates with something like cloudflare or other similar systems is generally not able to filter by htaccess.

    I add the code in at line 10 of wp-login, as an example, and can redirect or decline people trying to log in from places and IPs that I do not accept to access the admin area. It greatly cuts down on the brute force attacks on the server.

    For the moment, I have to manually re-add the code during every version update, because there is no hook point within wordpress to handle this. Is there a way to have wordpress check for the existence of a “security.php” or whatever file which could be used to help cut down on unwanted attempts to access the core?

    Remember, not everyone can filter with htaccess (for different reasons).

Viewing 5 replies - 1 through 5 (of 5 total)
  • Thread Starter Another Guy

    (@another-guy)

    Why was this moved to “troubleshooting”? There is no “trouble” to shoot, this is a request and feedback.

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    It was moved because it appeared that you were asking for help for something on your installation.

    https://wordpress.org/support/topic/wheres-my-topic-gone?replies=1

    You discussed something that you are doing on your own installations.

    I have a routine that I have installed on wordpress sites which filters out incoming requests for things like wp-login, /wp-admin, and so on.

    Here’s where you discuss the modifying of core WordPress files.

    I add the code in at line 10 of wp-login

    And here’s where you ask about doing it in a better way.

    For the moment, I have to manually re-add the code during every version update, because there is no hook point within wordpress to handle this. Is there a way to have wordpress check for the existence of a “security.php” or whatever file which could be used to help cut down on unwanted attempts to access the core?

    Which is why I’m moving this to the Hacks sub-forum. There is almost certainly a way to do what you wish to accomplish without hacking WordPress that way. Perhaps someone will chime in on the Hacks sub-forum.

    Edit: If you would like to submit a patch then I am sure that will be reviewed too.

    https://core.trac.wordpress.org/

    Thread Starter Another Guy

    (@another-guy)

    I have looked and I cannot find a way. Any point beyond the first few lines into wp-login or /admin/index.php invokes the actual site installation, starts up the database connection, and a whole bunch of other things – and no plug in can really run before that.

    Asking for a better way is a request and suggestion that there needs to be a hook (say executing a file called “pre-login.php”) before every access, and any code the end user desires can run inside that file without having to hack wordpress to do it.

    Basically, there is no way (save for htaccess, which is not always possible to use) to deal with login attempts BEFORE anyone accesses code. For site operators who only update from a single location, or only have a limited number of people working on their site, it would be very beneficial to be able to have a simple way to limit access by country / IP / whatever other items without first having to completely start up a wordpress session.

    htaccess is not always available or not always the best tool for the job here. Services such as cloudflare and other caching services make it harder to use htaccess. Some people may not have access to it.

    Jon (Kenshino)

    (@kenshino)

    Lord Jon

    What setups don’t have .htaccess or its equivalent?

    Thread Starter Another Guy

    (@another-guy)

    Jon, if you are using cloudflare or similar services, you cannot use htaccess to block people (or permit access) because the IP address shown is a shared cloudflare address, not the end user address. You can obtain the address in PHP, for example, but not at the htaccess level.

    You could also do a fairly advanced filtering in PHP that isn’t as easy to set up in htaccess, such as browser type, language, and so on. Yes, it can be done in htaccess, but I can tell you it’s 1000 times easier to get it right in PHP than it is to write a proper regex for htaccess.

  • The topic ‘Pre-login hook for filtering code’ is closed to new replies.
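
The filter discussed in the thread (recover the visitor address in PHP behind Cloudflare, then allow or refuse requests for wp-login and wp-admin before WordPress starts), as an added example that is not the thread starter's code and not part of WordPress. It assumes the file is loaded ahead of WordPress, for instance through PHP's `auto_prepend_file` setting, on 64-bit PHP 7.1 or later; the constant and function names are hypothetical, every address is a documentation-range placeholder, and only IPv4 is handled, so an IPv6 peer is refused on the protected scripts.

```php
<?php
// Added example, not code from the thread. Names and addresses are hypothetical.
// Placeholder proxy range: replace with the ranges your proxy provider publishes.
const TRUSTED_PROXIES = ['198.51.100.0/24'];
// Constructed allowlist of addresses permitted to reach the login and admin scripts.
const ADMIN_ALLOW = ['203.0.113.10/32', '192.0.2.0/28'];

function ipv4_in_cidr(string $ip, string $cidr): bool {
    [$net, $bits] = explode('/', $cidr) + [1 => '32'];
    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false || !ctype_digit($bits) || (int) $bits > 32) {
        return false; // malformed input never matches (fail closed)
    }
    // Build the netmask; relies on 64-bit integers.
    $mask = (-1 << (32 - (int) $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($netLong & $mask);
}

function in_any(string $ip, array $cidrs): bool {
    foreach ($cidrs as $cidr) {
        if (ipv4_in_cidr($ip, $cidr)) { return true; }
    }
    return false;
}

// The forwarded header is honoured only when the TCP peer is a trusted proxy.
// Read unconditionally, any client could send the header and pick its own address.
function client_ip(array $server): string {
    $peer = $server['REMOTE_ADDR'] ?? '';
    $fwd  = $server['HTTP_CF_CONNECTING_IP'] ?? '';
    $ok   = in_any($peer, TRUSTED_PROXIES) && filter_var($fwd, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4);
    return $ok ? $fwd : $peer;
}

// Decide on SCRIPT_NAME (the script PHP will run), not on the raw request URI.
function admin_request_allowed(array $server): bool {
    $script = $server['SCRIPT_NAME'] ?? '';
    if (!preg_match('#/(wp-login\.php|wp-admin/.*)$#', $script)) {
        return true; // not a protected script, leave it to WordPress
    }
    return in_any(client_ip($server), ADMIN_ALLOW);
}

// Refuse before any WordPress file is loaded or a database connection is opened.
if (PHP_SAPI !== 'cli' && !admin_request_allowed($_SERVER)) {
    http_response_code(403);
    exit;
}
```

The pattern also covers wp-admin/admin-ajax.php, which some themes and plugins call from the public side of the site, so that script may need an exception.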