Support » Plugin: iThemes Security (formerly Better WP Security) » Finding the hidden login page

Viewing 13 replies - 1 through 13 (of 13 total)
  • Please can you update me on the state of this issue? This is a security bug in your product.

    One question:
    if i put this url into chrome it works as you should expect, that is it returns a not_found:
    if i put it into firefox, it does indeed open up the wp-login.php dialog and anyone can log in without ever knowing the “secret” address.

    Why do the two seem to behave differently?

    The difference is the automatic decoding in Google Chrome.

    Instead of Mozilla Firefox you can use web proxies such as Fiddler, ZAP, or Burp Suite to get the same result.

    As long as the request sends with the encoded values(for instance, “%25” instead of the “.” sign), it will work fine.

    iTSec code performs the following check:

    strpos( $_SERVER[‘REQUEST_URI’], ‘wp-login.php’ )

    Perhaps this will fix the security hole on the server side ?

    strpos( rawurldecode($_SERVER[‘REQUEST_URI’]), ‘wp-login.php’ )


    I think this should fix the encoding bypass issue.

    Tested and indeed it works …
    Using rawurldecode($_SERVER[‘REQUEST_URI’]) will take care of any url encoded variant of “wp-login.php” such as:


    Still wondering whether there is anything we can do about this in .htaccess …
    A RewriteRule in .htaccess might save us from changing php code …
    Or perhaps this should be fixed in .htaccess and php code ?


    This is serious and the fix must be included in the plugin. Any official answer?

    Why has this still not be included in ithemes security plugin?

    I’ve had a slew of attempted logins today on two of my sites using this plugin’s hidden login URL feature, so I started Googling for potential vulnerabilities and found this page.

    This really is a crucial security hole that needs to be patched.

    Just apply the following to the .htaccess file and it will stop the page from loading.

    <Files “wp-login.php”>
    Order Allow,Deny
    Deny from all

    and you should still be able to access your “secret” URL

    Yes, that works for Apache < 2.3.x

    For Apache > 2.2.x use:

    <Files “wp-login.php”>
    Require all denied


    But unregardless the Apache version the “secret” URL no longer works …


    The secret url doesn’t work for me either with the htaccess mod

Viewing 13 replies - 1 through 13 (of 13 total)
  • The topic ‘Finding the hidden login page’ is closed to new replies.