Support » Plugin: iThemes Security » Minor Issue – 404 after resetting password

  • Hi team, big fan of the plugin.

    This has been brought up before but I dont see a solution.
    https://wordpress.org/support/topic/password-reset-problem-after-hiding-backend/

    After hiding the backend url, when attempting to reset the pw, the url goes to a 404 page. There is a Redirection Slug for when attempting to go to wp-admin, but I think there should also be a redirection for the standard /wp-login.php?checkemail=confirm to the url slug you changed it to…./my-newloginurl?checkemail=confirm for example. Can we do that in the next update?

Viewing 4 replies - 1 through 4 (of 4 total)
  • Hi Moe,

    Thanks for the suggestion! I can certainly pass this request along to our developers.

    Thanks,

    Matt

    Thread Starter Moe Himed

    (@mhimed)

    Hey Matt..just following up here. I ended up going into the security plugin in the hide-backend folder and modifying the file class-itsec-hide-backend.php on Line 211….I modified the function block_access to exclude the url that it redirects to when a user resets their password from being redirected to a 404 page. A setting could easily be added to ensure that after requesting the password reset, a user is sent to a page saying check your email or at least the login page. Im sure you guys can get this done 🙂

    There is a Redirection Slug for when attempting to go to wp-admin, but I think there should also be a redirection for the standard /wp-login.php?checkemail=confirm to the url slug you changed it to…./my-newloginurl?checkemail=confirm for example.

    Nope. Accessing the login page through the newly hidden slug will ensure there is a hide backend cookie set in the browser. However this cookie will expire after 1 hour… As long as the hide backend cookie exists wp-login.php is accessible from that browser.

    Theoretically you could wait an hour before actually requesting the password reset (or simply delete the hide backend cookie manually). Would be interesting to see what happens then.
    If the hide backend cookie expires (or is manually deleted) the iTSec plugin should add a parameter to the url like this:

    https://www.example.com/wp-login.php?checkemail=confirm&itsec-hb-token=SLUG

    where SLUG should be substituted with your hidden slug.

    To prevent any confusion, I’m not iThemes.

    Just for completeness sake, below relevant Hide Backend info from the 6.3.0 Changelog:

    Important: The way that Hide Backend functions changes in this release. Previously, if your Hide Backend Login Slug was wplogin, going to example.com/wplogin would result in the URL remaining example.com/wplogin. The new implementation of this feature results in a redirect to a URL that looks as follows: example.com/wp-login.php?itsec-hb-token=wplogin. While this may not be desireable for some users, this change was necessary to fix longstanding compatibility issues with other plugins. Once you access the login page using the Login Slug page, a cookie is set with an expiration time of one hour. As long as the cookie remains, you can access example.com/wp-login.php without having to access the Hide Backend Login Slug first. If you wish to confirm that Hide Backend is working properly on your site, opening up a private browsing window is a quick way to test without having to log out and clear cookies.

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘Minor Issue – 404 after resetting password’ is closed to new replies.