your plugin worked, sort of. After I specified a custom URL, it went to the URL i created, but i also just typed a http://www.myweb.com/login and that also worked. bad thing about it is it didnt slow down hackers getting to the login screen as they guessed the “login”.
I have the same problem, so the intrusion attempts don’t stop.
Not sure if this hack is the best way, but it seems to work. The author should look at this.
Around line 580 in lockdown-wp-admin.php
if ( $super_base == 'wp-login.php' )
if ( $super_base == 'wp-login.php' || $super_base == 'login' )
The problem is that somebody could also set their login URL to login. I wonder how that’s happening.
@jonrittmann: can you tell me something about your hosting setup? Web host and PHP version?
This is happening to me too. When I go to mydomain.com/login it redirects me to the custom login url I created. Also, initially I created the custom url mydomain.com/admin to login at. The I changed it to mydomain.com/something else. But when I go to /admin now it redirects to /wp-admin.
Also, I have the multiple tlds for my domain.
Example: mydomain.com, my domain.net, mydomain.org, mydomain.biz, etc…
My main website is mydomain.ORG. But I have the .net, .com, .biz, etc. redirecting to mydomain.org. I have the redirects set up so that if you go to mydomain.COM/contact it redirects you to mydomain.ORG/contact.
Using your plugin, when I go to mydomain.ORG/wp-login.php I get the 404 page. But when I go to mydomain.COM/wp-login.php it redirects to mydomain.org/wp-login.php and shows the login form.
How can I prevent this and get it to show the 404 instead?
If you go to /wp-register.php or /wp-signup.php it reveals the custom login url…
I love this plugin, but same thing for me :
/wp-register.php + /wp-signup.php reveals the custom login url.
Also, it can be bypassed by browsing to /wp-admin/async-upload.php
To prevent /login, /admin, /wp-register.php, and /wp-signup.php from revealing the custom login url I did as @bonham suggested and added them to line 592 in lockdown-wp-admin.php. So this is what I have:
if ( $super_base == ‘wp-login.php’ || $super_base == ‘login’ || $super_base == ‘admin’ || $super_base == ‘wp-register.php’ || $super_base == ‘wp-signup.php’ )
and it now returns a 404 for those pages.
I tried adding /wp-admin/async-upload.php to that but it didn’t work. Any suggestions on how to prevent /wp-admin/async-upload.php from revealing the custom login url?
Great. It works for me now!
I added /async-upload.php to line 592. It blocks access to the custom login url, but it created some issues with the media manager. So, don’t try this one.
So, still don’t know what to do with /wp-admin/async-upload.php from revealing the custom login url.
Sean, can I suggest that /login is not allowed as a setting? Looking at some brute force attacks, some of them guess that /login has been used instead of /wp-login.php. Using /login makes no sense form a security perspective.
@hce has extended my idea further and this really ought to be in the plugin core.
Here’s a condensed version when there are a lot of values to check against…
if ( in_array( $super_base, array( 'wp-login.php', 'login', 'admin', 'wp-register.php', 'wp-signup.php' ) )
…but there’s a problem. What if you want to allow registrations? This would have to be conditional or an option or something. Alternatively find a way to rename the register page too, just like the login.
I don’t allow registrations, so blocking /wp-register and/or wp-signup is not a problem for me. But I agree it should be conditional as a plugin core.
To prevent /wp-admin/async-upload.php from revealing the custom login url you can password protect the wp-admin directory. That offers a suitable solution for me.
The idea behind this plugin was to let the user set whatever login URL they wanted. If they really wanted it to be /login, so be it–their stupid decision!
What I could do is recommend against it by adding in a message saying this isn’t so secure. They have the freedom to compromise security.
- The topic ‘login’ is closed to new replies.