Viewing 15 replies - 1 through 15 (of 18 total)
@css1

    wp-login is not an official WP Dashboard login slug.

    Enabling the iTSec plugin Hide Backend feature will disable all 5 standard WP Dashboard login slugs like:

    • wp-admin
    • admin
    • login
    • dashboard
    • wp-login.php

    Track down where the extra wp-login slug comes from and disable it there.

    dwinden

    Thread Starter Cyrille Sanson

    (@css31)

    Hi @dwinden

    Can you tell how to do that?

    Thanks,

    @css31

    No, I’ve tried to find out in the past (you are not the first person hitting this issue). It’s a mystery where the extra wp-login slug comes from.

    Is this a manual WP download/install or was WP installed as an App from your hosting provider cPanel env ? Perhaps you should talk with your hosting provider.

    dwinden

    Thread Starter Cyrille Sanson

    (@css31)

    I made the installation by myself.

This issue is present on almost all websites I made.

    I’ve looked in .htaccess. No other rule than those from iThemes and WP.

    Is there a tool that help to track?

    @css31

    Is this issue present on multiple WP websites hosted at the same hosting provider ?

    Or does the issue occur across multiple hosting providers ?

    You may have to post a new topic in the WordPress forum.
    The question is: where does the wp-login slug come from on some WP envs ?
    It’s basically not related to the iTSec plugin.

    dwinden

    Thread Starter Cyrille Sanson

    (@css31)

    Yes multiple hosting providers.

    You’re right. I disabled iThemes and nothing change.

    The question is: where does this wp-login come from?

It seems some weird configuration on your server opens files that are named similarly to the requested ones:

    http://www.100son.net/license shows the content of license.txt. http://www.100son.net/readme opens readme.html instead.

    That’s why /wp-login works for you, because it calls for /wp-login.php.

    @falk Wussow

    Ok, that makes it sound like some sort of Web Server configuration issue.
    I think you are right. http://www.100son.net/wp-signup also works (Though it currently redirects to the login screen as registration is disabled).
    Normally this url would result in a 404.

    @css1
    Ask your hosting provider.

    dwinden

    Thread Starter Cyrille Sanson

    (@css31)

    hurray!

    Thanks to all for your efficient help.

It’s actually a problem with my hosting provider’s server configuration (www.ovh.com).

    To solve the issue, just put in .htaccess:

    Options -Multiviews

It’s about Apache’s MultiViews feature. MultiViews allows substitution of file extensions, so you can call a URL like http://www.example.com/mypage.php using http://www.example.com/mypage. Apache will figure out there is only one file (mypage.php) matching the request and will serve it instead of returning a 404 Not Found error.
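As an added example (my own code, not from the thread, from iThemes Security or from WordPress), here is a small POSIX shell script that does the two things described above: it probes a site for the extension-less slugs the thread tested by hand (/wp-login, /readme, /license, /wp-signup) and flags the `TCN: choice` / `Vary: negotiate` headers that Apache's mod_negotiation adds when MultiViews picks a file, and it prepends `Options -MultiViews` to an .htaccess file. The site URL, the slug list and the .htaccess path are assumptions. `Options` in .htaccess only takes effect where the server allows it with `AllowOverride Options` (or `All`); otherwise the hosting provider has to turn MultiViews off in the virtual host configuration.

```shell
#!/bin/sh
# Added example, not code from the thread, iThemes or WordPress.
# Detects Apache MultiViews (which resolves /wp-login to /wp-login.php and
# so defeats Hide Backend) and applies the .htaccess fix from the thread.
# Assumptions: POSIX sh and curl are available; the site URL, the slug list
# and the .htaccess path are placeholders chosen for this example.

# Classify one probe of an extension-less URL such as /wp-login.
# $1 = HTTP status, $2 = raw response headers.
# Prints one of: hidden | multiviews | suspect | unknown
classify_probe() {
    status="$1"
    headers="$2"
    case "$status" in
        404|403) echo "hidden"; return 0 ;;
    esac
    # mod_negotiation labels a MultiViews choice with "TCN: choice" and
    # adds "negotiate" to the Vary header; either is a strong signal.
    if printf '%s\n' "$headers" | grep -qi '^tcn:[[:space:]]*choice'; then
        echo "multiviews"; return 0
    fi
    if printf '%s\n' "$headers" | grep -qi '^vary:.*negotiate'; then
        echo "multiviews"; return 0
    fi
    # A 200 or a redirect without those headers still means the slug
    # resolved to something (a rewrite rule, a plugin, ...): look manually.
    case "$status" in
        200|301|302) echo "suspect" ;;
        *) echo "unknown" ;;
    esac
}

# Probe the slugs from the thread against a live site (needs network; the
# self-check at the bottom does not call this). Usage: probe_site URL
probe_site() {
    base="${1%/}"
    for slug in wp-login readme license wp-signup; do
        hdrs=$(curl -s -m 10 -o /dev/null -D - "$base/$slug")
        code=$(printf '%s\n' "$hdrs" | head -n 1 | awk '{print $2}')
        printf '%-10s %s %s\n' "$slug" "${code:-000}" \
            "$(classify_probe "${code:-000}" "$hdrs")"
    done
}

# Prepend "Options -MultiViews" to an .htaccess file (idempotent).
# Requires AllowOverride Options (or All) for the directory; otherwise
# Apache ignores the directive or answers 500 for the whole site.
harden_htaccess() {
    file="$1"
    if [ -f "$file" ] && grep -qi '^[[:space:]]*Options[[:space:]].*-MultiViews' "$file"; then
        echo "already hardened"
        return 0
    fi
    tmp="$file.tmp.$$"
    {
        printf 'Options -MultiViews\n'
        if [ -f "$file" ]; then cat "$file"; fi
    } > "$tmp"
    mv "$tmp" "$file"
    echo "hardened"
}

# Stand-alone use: sh multiviews_check.sh https://www.example.com
if [ -n "${1:-}" ]; then
    probe_site "$1"
fi
```

A site with MultiViews on typically answers `/wp-login` with 200 (or a redirect to the login form) plus `TCN: choice`, while a correctly configured host answers 404; run the probe again after editing .htaccess to confirm the directive actually took effect, since a provider that does not grant `AllowOverride Options` will silently leave the slug exposed.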

    Thread Starter Cyrille Sanson

    (@css31)

    resolved

    Thread Starter Cyrille Sanson

    (@css31)

    Hello,

After one night, I would add that it would be great if iThemes took care of what seems to be a security vulnerability.

    I’ve been using iThemes for more than one year for several web sites thinking they were protected.

    I was wrong.

    @css31

    Nice to hear this mystery finally got resolved.

    I feel the responsibility for this “vulnerability” lies more at the hosting provider (web server configuration) than at the web application layer (WordPress\iTSec plugin).

    The Apache Multiviews option is not enabled by default. So it needs to be explicitly enabled by the hosting provider. This indicates that it is not an option without risks.

    From what I’ve read on the internet Multiviews seems to have a HUGE performance impact. And it seems websites are also not properly indexed by Google.

    So it seems to me that for a proper hosting provider it would make much more sense to not enable the Apache Multiviews option by default. If you do need it you can always enable it per directory in the .htaccess file (provided the AllowOverride is set properly).

    dwinden

    Thread Starter Cyrille Sanson

    (@css31)

    Hello Dwinden,

What you say makes sense. Nevertheless, two points against it.

1 – It’s not possible to know (at first sight) if the provider has activated MultiViews. I was thinking for more than one year that my sites were protected.

2 – Move Login does it correctly.

@css31: iThemes Security already has this feature: It’s called “Hide Backend” in the settings. 🙂

    Thread Starter Cyrille Sanson

    (@css31)

    @falk that’s what we are talking about. 🙂

  • The topic ‘Hide Login not hidden (bug?)’ is closed to new replies.