Changing wp-login.php filename and wp-admin directory

  • Seconded. This is a security flaw I’d like to see fixed. I think it would be best if there was some possibility to randomly rename wp-login.php and wp-comments-post.php, seeing as spammers know that these files exist once they know you’re running WordPress, so the following is not unusual in my logs:

    93.183.***.*** - - [10/Mar/2012:13:46:53 +0000] "POST /wp-login.php HTTP/1.0" 200 5675 "http://[my server's URL]/wp-login.php" "Mozilla/5.0 (Windows NT 5.1; rv:4.0) Gecko/20100101 Firefox/4.0"

    (some IP from Ukraine; this goes on for over a hundred times)

    46.29.***.*** - - [06/Mar/2012:20:07:07 +0000] "GET /archives/1689 HTTP/1.0" 200 28700 "http://[referrer spam URL]" "Mozilla/5.0 (en)"
    46.29.***.*** - - [06/Mar/2012:20:07:08 +0000] "POST /wp-comments-post.php HTTP/1.0" 302 0 "http://[my server's URL]" "Mozilla/5.0 (en)"

    (some IP from the US; resulting in successful spam)


    On the other hand, on the comment form it says:

    <form id="commentform" method="post" action="http://[server]/wp-comments-post.php">

    So the actual URL to the comments script is revealed, which would make the random renaming of the file pretty pointless, as the filename could easily be read out.
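
As an added example (not part of the original post or of WordPress): a log check for the two patterns quoted in the reply above, repeated POSTs to wp-login.php from one IP and comment POSTs whose Referer is not a page that IP had loaded. The threshold, `site_host`, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache/nginx "combined" format, the layout of the log lines quoted in the post.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"')

def parse(lines):
    """Return one dict per parseable line; unparseable lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, lines) if m]

def login_hammering(entries, threshold=5):
    """IPs with at least `threshold` POSTs to /wp-login.php (threshold is an assumption)."""
    hits = Counter(e["ip"] for e in entries
                   if e["method"] == "POST" and urlsplit(e["path"]).path == "/wp-login.php")
    return {ip: n for ip, n in hits.items() if n >= threshold}

def odd_comment_posts(entries, site_host):
    """Comment POSTs whose Referer is not a page on site_host that the same IP fetched earlier."""
    fetched, flagged = set(), []
    for e in entries:
        path = urlsplit(e["path"]).path
        if e["method"] == "GET":
            fetched.add((e["ip"], path))
        elif e["method"] == "POST" and path == "/wp-comments-post.php":
            ref = urlsplit(e["referer"])
            if ref.hostname != site_host or (e["ip"], ref.path or "/") not in fetched:
                flagged.append(e)
    return flagged

# Constructed sample lines (documentation IP ranges, example.com), not from the post.
SAMPLE = (
    ['203.0.113.7 - - [10/Mar/2012:13:46:%02d +0000] "POST /wp-login.php HTTP/1.0" 200 5675 '
     '"http://example.com/wp-login.php" "Mozilla/5.0"' % s for s in range(6)]
    + [
        # Automated client: fetches a post, then POSTs the comment with the site root as Referer.
        '198.51.100.9 - - [06/Mar/2012:20:07:07 +0000] "GET /archives/1689 HTTP/1.0" 200 28700 "http://spam.invalid/" "Mozilla/5.0 (en)"',
        '198.51.100.9 - - [06/Mar/2012:20:07:08 +0000] "POST /wp-comments-post.php HTTP/1.0" 302 0 "http://example.com" "Mozilla/5.0 (en)"',
        # Browser-like visitor: Referer is the post page it loaded.
        '192.0.2.44 - - [06/Mar/2012:21:00:00 +0000] "GET /archives/1689 HTTP/1.1" 200 28700 "-" "Mozilla/5.0"',
        '192.0.2.44 - - [06/Mar/2012:21:01:30 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "http://example.com/archives/1689" "Mozilla/5.0"',
    ])

if __name__ == "__main__":
    entries = parse(SAMPLE)
    print(login_hammering(entries))
    print([e["ip"] for e in odd_comment_posts(entries, "example.com")])
```

The Referer check is a heuristic: clients that strip the Referer header are flagged too, so it suits review or rate-limiting decisions better than outright blocking.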
