Login from Comment 404

Does the Hide Backend custom\secret login slug work when accessed directly ? (http://www.domain.com/%5Blogin slug]).

Also hover with the mouse over the Comment login link and check whether the Hide Backend custom\secret login slug is used in the URL displayed.

dwinden

Ok.

When you enable the iTSec Plugin “Hide Backend” feature it is normal for the regular WP Dashboard slug (http://www.domain.com/wp-admin) to return a 404. This is intended behavior, because you don’t want anybody to access your WP Dashboard.

You should also know that when using the default wp-admin (if not already logged in) you normally get automatically redirected to URL:

http://www.domain.com/wp-login.php?redirect_to=http%3A%2F%2Fwww.domain.com%2Fwp-admin%2F&reauth=1

So the iTSec plugin Hide Backend feature does 3 things:

– Changes the default wp-admin Dashboard login slug to the (“secret”) login slug of your choice (default wplogin) BEFORE login.
AFTER login WP Dashboard uses wp-admin again …

– Prevents the default redirection to wp-login.php from displaying in the browser address bar … (Redirection takes place in background using RewriteRule from .htaccess file or by iTSec plugin PHP code).

– And prevents direct access to (http://www.domain.com/)wp-login.php
(iTSec plugin PHP code prevents this).

Now let’s say you have enabled the iTSec plugin Hide Backend feature and gp-login is the newly chosen WP Dashboard login slug. WP Dashboard will subsequently ONLY be available (BEFORE login) using the secret login URL:

http://www.domain.com/gp-login
(http://www.domain.com/wp-admin results in 404 or not_found)

There will be no automatic redirection visible in browser address bar to wp-login.php … (Just http://www.domain.com/gp-login displayed BEFORE login).

And (http://www.domain.com/)wp-login.php cannot be accessed directly.
(http://www.domain.com/wp-login.php results in 404 or not_found)

So this explains why the comment “logged in” link returns a 404.
The URL is for some reason still pointing to wp-login.php:

http://www.id-motogp.com/wp-login.php?redirect_to=… etc etc

The comment “logged in” link should be pointing to:

http://www.id-motogp.com/gp-login?redirect_to=… etc etc

I think this issue is probably caused by your active theme.
To confirm this you should temporarily switch your current active theme to a WP default theme.

Then check the comment “logged in” link again. It should display:

http://www.id-motogp.com/gp-login?redirect_to=… etc etc

(Remember gp-login should be substituted with your chosen Hide Backend login slug).

After the above we’ll probably need to do some more investigation.

We will probably need to answer the following questions:
Why is the comment “logged in” link not changed by iTSec plugin in the current active theme and how do we fix that ?

dwinden

Ok, well done.

The iTSec plugin Hide Backend feature adds the filter_login_url() class function\method to the WP site_url filter.

/**
 * Filters redirects for correct login URL
 * @since 4.0
 * @param  string $url URL redirecting to
 * @return string       Correct redirect URL
 */
public function filter_login_url( $url ) {

	$t = str_replace( 'wp-login.php', $this->settings['slug'], $url );

	return str_replace( 'wp-login.php', $this->settings['slug'], $url );

}

WP uses the site_url() function\method to construct the comment login url.
When the site_url() function\method returns the login url, the site_url filter is applied. The ‘wp-login.php’ string is then replaced with ‘gp-login’ in the login url by executing the filter_login_url() class function\method.

Note the above process will NOT take place under certain conditions which involves an installed and activated plugin named Jetpack. So please make sure you do NOT have a plugin installed and activated named Jetpack.

Other than that it’s a mystery to me why the comment “logged in” link is not using the iTSec login slug … but it is something your theme is doing.

Note there are 2 theme related Hide Backend settings in the iTSec plugin but because they are poorly documented I find it difficult to determin whether these 2 options are relevant for this issue …

The 2 options are named:

– Enable Theme Compatibility (checkbox)
– Theme Compatibility Slug (textbox)

dwinden

The iTSec plugin adds the filter_login_url() class function\method to the WP site_url filter in the wp-content/plugins/better-wp-security/free/modules/hide-backend/class-itsec-hide-backend.php file.
Search for the following line:

add_filter( 'site_url', array( $this, 'filter_login_url' ), 10, 2 );

That said I’m not sure whether this is any relevant info for your issue.
I would certainly not recommend to delete anything in the above mentioned file.

I just wanted you to read my SECOND post in this topic to get a better understanding of what the iTSec plugin Hide Backend feature exactly does.
Thus hoping you would be able to do the math and figure out why your custom login slug doesn’t work.

Still reading my THIRD post in this topic did make you aware of iTSec plugin Hide Backend incompatibility with Jetpack. So disabling Jetpack is worth a shot.

Oh and I really think we should continue discussing your Hide Backend issue not in this topic but in the topic you created for it.

dwinden