• Resolved Gadgetcoma

    (@gadgetcoma)


    The plugin is sending notification emails that include a link to my admin page. I have changed the login page location using the plugin for extra security, but since these emails send the location with every notification, the security is undermined. The only choice I have is to disable emails from the plugin completely. This oversight is disappointing. Please change this behavior.

    https://wordpress.org/plugins/better-wp-security/

Viewing 7 replies - 1 through 7 (of 7 total)
    @gadgetcoma

    Phew, a wordpress.org member for 10 years and this is your first topic!

    Just to make a point please provide the website address.
    I’ll explain later on.

    dwinden

    Thread Starter Gadgetcoma

    (@gadgetcoma)

    Reminds me of a story –

    A couple was worried about their son. He was approaching 3 years old and hadn’t uttered a word. They took him to doctor after doctor. They did every test imaginable. They couldn’t find any physical problems, he could hear, he had proper vocal cords, his reactions showed that he understood what was going on around him and his brain was as normal and healthy as everyone else his age. Then one day at dinner, he said, “My soup is cold.” His parents were amazed and shocked. After a few minutes, they recovered and explained to the boy how worried they were and why they did all of the tests. Finally, they asked, “Why haven’t you said anything until now?” The boy replied, “Until now, everything was perfect.”

    🙂

    The site in question is kidsmovingco.com.

    Thanks.

    @gadgetcoma

    Ok, so I guess your WordPress experience has been perfect for 10 years … 😉

    Back on-topic.

    Just checked out the site and it seems to be a non-members site.
    But suppose it was a members site offering a register/login link?
    It would also expose the secret login slug, right?
    Just like in the notification email.

    Even when the secret slug is exposed it still has a purpose.
    Why? Because it specifically helps against botnets performing AUTOMATED brute force attacks. This is the main purpose of using this feature.

    Anyway, hiding the Dashboard login page is security by obscurity.
    It doesn’t really strengthen the security of your site.

    Bottom line is that exposing the secret login page slug does not undermine the security of your site provided you have taken the necessary steps that do strengthen its security (like using strong passwords, 2FA etc.).

    dwinden

    Thread Starter Gadgetcoma

    (@gadgetcoma)

    Actually, my WordPress experience hasn’t been completely flawless, but it’s been pretty darn good.

    Thanks for your explanation. I hadn’t considered that many WordPress sites have member logins, which would, of course, expose the slug. I do recognize that security by obscurity is helpful but not the ultimate answer. (That’s why I like iThemes Security! 🙂) Given my setup, I just like to have as much obscurity as possible. It would be great to have the option to not include the slug in the notification emails, but I see now that it’s not critical.

    BTW, I do have 2FA and will soon be adding SSL.

    Thanks again for your response.

    – Leon

    @gadgetcoma

    You could submit a feature request to iThemes@trello but I don’t think it has any chance to materialize.

    I noticed the Google Authenticator field in the Login page of the site …
    Just like the empty message with the red left border at the top of the login page …
    The message is empty because you have probably enabled the ‘Disable login error messages’ setting in the WordPress Tweaks module. Weird, accessing the login page should normally not display any message … could be a plugin conflict.

    Anyway, SSL will definitely strengthen the security of the site.

    dwinden

    @gadgetcoma

    If you require no further assistance please mark this topic as ‘resolved’.

    dwinden

    Thread Starter Gadgetcoma

    (@gadgetcoma)

    Done. Thanks again.


The topic ‘iThemes Emails Are A Security Risk’ is closed to new replies.