Support » Plugin: BulletProof Security » Changing /wp-admin url path

  • Plugin Author AITpro

    (@aitpro)

    Yes, it is possible, but why do you think that has any value at all? You cannot hide anything from a Bot – that is just not possible to do. Hackers use automated Bot programs to find whatever they want to find. They will always find whatever they want to find. 😉

    The best website security method is – Action Approach.

    hacker X does bad action Y and the result is Z = Forbidden.

    PayPal and your online bank do not try and hide things – they use an Action Approach to website security. 😉

    Plugin Author AITpro

    (@aitpro)

    resolving

    Plugin Author AITpro

    (@aitpro)

    Trying to hide things or changing URLs is not a legitimate or effective security measure – it never has been and it never will be. It is myth/misinformation that has been spread all over the Internet. Does PayPal, eBay or any other reputable website use hiding tactics? No, because they are not real or effective security measures.

    It is not possible to actually hide anything on the Internet. Automated spammer/hacker bots can find anything and everything very easily.

    cscottb

    (@cscottb)

    If you click on the above link, How to change wordpress admin url, you get a Sorry … Page Not Found response. lol

    heart2hack

    (@heart2hack)

    @aitpro: if you use the plugin then it will find security holes in your WordPress installation and fix it and tell you where is the security hole or risk that hacker can get your website information and hacked….

    Plugin Author AITpro

    (@aitpro)

    @heart2hack – you’re advertising another plugin here that I don’t believe is a good plugin. If you want to advertise that plugin then do it in that plugin’s forum area and not here. Thanks.

    Plugin Author AITpro

    (@aitpro)

    If you really want to do something like this then this plugin does this in a much better way: http://wordpress.org/extend/plugins/stealth-login-page/

    Note: The plugin author mentions that there are some issues with WP 3.6 that he is trying to fix ASAP.

    Plugin Author AITpro

    (@aitpro)

    if you use the plugin then it will find security holes in your WordPress installation and fix it and tell you where is the security hole or risk that hacker can get your website information and hacked….

    I just do not want to have any part in spreading bad information around the Internet. There is enough of that already to last for 1,000 years. 😉 Thanks.

    I think your tutorial is good by the way.

    heart2hack

    (@heart2hack)

    thanx btw! 🙂

    Plugin Author AITpro

    (@aitpro)

    It is frowned upon to modify/hack WP Core files directly. You can achieve the exact same thing by using this function in your Theme’s functions.php file without having to modify/hack the wp-login.php file directly.

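    // custom login link/page
    // Sends visitors to the home page unless they arrived from the /workpath/ page.
    function example_custom_login_page() {
    	// The Referer header is optional and client-supplied, so it may be missing.
    	$referer = isset( $_SERVER['HTTP_REFERER'] ) ? $_SERVER['HTTP_REFERER'] : '';

    	if ( $referer != 'http://' . $_SERVER["SERVER_NAME"] . '/workpath/' ) {
    		// login_head fires after wp-login.php has started output, so this
    		// redirect relies on PHP output buffering being enabled.
    		header( 'Location: http://' . $_SERVER["SERVER_NAME"] . '/' );
    		exit; // stop here so the login form is not rendered after the redirect
    	}
    }
    add_action('login_head', 'example_custom_login_page');
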
    Plugin Author AITpro

    (@aitpro)

    I played around with this and there is a much simpler way to do this all in this one simple function below without having to muck around with anything else (create unnecessary folders, redirects, pages, etc.).

    // Simple Query String Login page protection
    function example_simple_query_string_protection_for_login_page() {
    	$QS = '?mySecretString=foobar';
    	$theRequest = 'http://' . $_SERVER['SERVER_NAME'] . '/' . 'wp-login.php' . '?' . $_SERVER['QUERY_STRING'];

    	// these are for testing
    	// echo $theRequest . '<br>';
    	// echo site_url('/wp-login.php').$QS.'<br>';

    	if ( site_url('/wp-login.php').$QS == $theRequest ) {
    		echo 'Query string matches'; // test output; remove once the check is verified
    	} else {
    		// login_head fires after output has started, so this redirect
    		// relies on PHP output buffering being enabled.
    		header( 'Location: http://' . $_SERVER['SERVER_NAME'] . '/' );
    		exit; // do not render the login form after the redirect
    	}
    }
    add_action('login_head', 'example_simple_query_string_protection_for_login_page');

    Good stuff. If only I could have found that quick and easy method before. The previous methods earlier in this thread are so complex and just would not work for me. Thanks for the suggestion.

    Plugin Author AITpro

    (@aitpro)

    Yep, no problem. I was curious about this myself. We have several websites where we need to allow folks to be able to log in so we could not use this code on those sites, but I am sure there are a lot of folks out there who do not want to allow other folks to log into their sites – i.e. register to log in to comment, etc. so this code might be handy for them.

    Plugin Author AITpro

    (@aitpro)

    And another interesting approach would be to have some sort of auto-generated image file similar to a CAPTCHA with “the secret query string” of the day displayed in an image file that would not be found by automated hacker bots. The image file would be displayed to humans so that they would have the query string login. Of course the inconvenience factor is huge so this would most likely discourage human visitors from registering to a site anyway.

    Yes a captcha would certainly be good for thwarting bot activity. I don’t require frontend login right now but it is a fact that the modification will cause a problem for frontend users.

    A benefit of hacking wp-login.php is when I switch themes the function is still active, otherwise I will need to remember to place it in each theme’s function file. Being made as a plugin would solve that though.
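
The query-string check from this thread packaged as a plugin, so it stays active when the theme changes; this is an added example, not code from the thread, WordPress or BulletProof Security. It goes a little beyond the thread's snippet: it compares only the query parameter (so it also works under HTTPS), answers 403 from `login_init`, and leaves logout links and form POSTs alone. The parameter name and value are the thread's sample values, and the `example_` names are hypothetical.

```php
<?php
/**
 * Plugin Name: Example Login Query-String Gate
 * Description: Added example; not part of WordPress or BulletProof Security.
 */

// Sample values from the thread's snippet; replace with your own secret.
const EXAMPLE_LOGIN_PARAM  = 'mySecretString';
const EXAMPLE_LOGIN_SECRET = 'foobar';

/**
 * Decide whether a wp-login.php request may proceed.
 * Kept free of WordPress calls so it can be exercised on its own.
 */
function example_login_gate_allows( $method, array $query ) {
	// Only page views are gated. POSTed credentials are still processed by
	// wp-login.php (as with the login_head version), so login lockout or
	// rate limiting is still needed alongside this check.
	if ( 'GET' !== strtoupper( (string) $method ) ) {
		return true;
	}
	// Logout is a GET link protected by a nonce and must keep working.
	if ( isset( $query['action'] ) && 'logout' === $query['action'] ) {
		return true;
	}
	$given = isset( $query[ EXAMPLE_LOGIN_PARAM ] ) ? $query[ EXAMPLE_LOGIN_PARAM ] : '';
	// is_string() rejects ?mySecretString[]=x; hash_equals() is constant-time.
	return is_string( $given ) && hash_equals( EXAMPLE_LOGIN_SECRET, $given );
}

function example_login_gate() {
	$method = isset( $_SERVER['REQUEST_METHOD'] ) ? $_SERVER['REQUEST_METHOD'] : 'GET';
	if ( ! example_login_gate_allows( $method, $_GET ) ) {
		// login_init fires before wp-login.php sends output, so the status
		// line can still be set: bad request in, 403 Forbidden out.
		status_header( 403 );
		exit;
	}
}
add_action( 'login_init', 'example_login_gate' );
```

Saved under `wp-content/mu-plugins/` or installed as a normal plugin, the gate is independent of the active theme, and the login form is then reached at `wp-login.php?mySecretString=foobar`.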
