Hi,
So … we do have a sister plugin Deny All Firewall which works in conjunction with “Block wp-login”.
All “Block wp-login” does is obfuscate the login url.
With Deny All Firewall, you can lock /wp-admin/ down so that only successful logins are able to access any files within the Dashboard.
What you are suggesting wouldn’t actually work because if you had a whitelist list of IP addresses allowed to sign in then no other IP addresses would be able to sign in anyway so there wouldn’t be a requirement for a notification email. Furthermore, most users work on dynamic IP addresses (which is why Deny All Firewall updates a user’s IP address on login and if it changes during the session).
If you really want to lock your wp-login.php or /wp-admin/ down to a strict set of specified static IP addresses, it could be done but you’d need to make sure that assets that are required by normal visitors (like admin-ajax.php) are still accessible.
Let me know if I’ve not understood your requirement.
Oliver
Understood, thanks for taking the time.
Oh, OK (I thought I may have misunderstood π ).
Do you have a static IP address then? Because if so, what you are proposing is possible.
Oliver
I do not have a static IP, it randomizes between three addresses.
I am currently running a few plugins where I have these three IP’s, the WordPress IP and two IP’s from my hosting company listed and it works well for me.
I HAD the same three IP’s set in Cloudflare WAF to achieve what I’m suggesting but I no longer use Cloudflare, transitioning to hosting companies in-house CDN…
Was using CF WAF Rule as follows:
If URI Contains (new url set by myself in Block wp-login) ********** and IP Source Does Not Contain (my three randomizing IP’s) ************, **********, *********** then Block.
Kind of what I was getting at with my suggestion but only really suggesting Block wp-login send admin an email whenever someone logs in BUT set a few IP’s that will not trigger the email notification so user/admin is not bombarded with self login emails.
Again, I would never expect anyone to figure out the *New login URL but if they ever did? We would be notified.
To further; So, if Comcast Internet again changes my IP to something other than the three I mentioned? I would be notified via email by your plugin the next time I logged in, your plugin would provide the IP assigned to the login user and I could simply check by comparing to a quick Google search of “what’s my ip”.
May be a little much for others without a static IP but for myself I believe the remedy would not take but a few seconds out of my day, long as I was able to add multiple IP’s.
OK! So you want an email notification when an administrator signs in but only if their IP is not in a list of “known” IP addresses?
I think we can do that for you π
I’ll add it to the “to do” list and let you know as soon as it’s done.
Oliver
Yes, exactly. Sorry, my communication skills are normally on point.
Looking forward to all future updates.
Thank you for taking the time with me.
Sorry this took a while. It’s been a crazy couple of months here. Anyway, I have something for you to test. If you go here, scroll down to “Previous Versions” and download the development version, you should have the options you asked for. You’ll need to deactivate the plugin you have installed currently and upload this plugin manually. Make sure you take a full backup just in case.
Please fully test that it works as required and get back to me with any changes.
Many thanks,
Oliver
Sorry for the delay, I was out of State for Thanksgiving.
Installed Development Version, failed to send me the notification email when I logged in with a different IP Address, my mobile phone.
Notify administrators about the new login URL. [unticked]
Notify site owner if an admin signs in with an unknown IP address. [ticked] only my
desktop IP Addresses listed in “Known IPs (one IP per line)”
Hmm. Sorry!
So I used the wp_login hook and I think what’s happening is that current_user_can() function can’t yet be used there so I’ve changed it to user_can() function and I think that fixed it.
Delete the plugin, download a fresh copy of the development version, install and activate and test and I think it will work for you now.
Let me know.
Thanks,
Oliver
Wordpress Login Alert
An administrator with an un-recognised IP address has signed in:
Working Fine! Thanks!
OK, I’ll push this live soon.
Oliver
1.5.1 working fine! Thanks SO much!
Great! Thanks for confirming!
Oliver
