Support » Plugin: Stealth Login Page » New WP install, default logins not hidden

  • Resolved izzaboo

    (@izzaboo)


    Hallo.

    I’ve used this plugin on two other sites and found it very useful. So, on a new install I included it in default list of plugins to set up right away.

    I did that but when I launched another browser (on a different device) the /wp-admin url redirected to wp-login.php?question=answer

    That doesn’t seem like the way it is supposed to work.

    Any thoughts? Did I do something wrong? Does logging out close the session used by this plugin?

    all best,
    Greg

    http://wordpress.org/extend/plugins/stealth-login-page/

Viewing 15 replies - 1 through 15 (of 16 total)
  • Plugin Contributor Jesse Petersen

    (@peterdog)

    It shouldn’t redirect until the checkbox to enable it is checked, which is defaulted unchecked upon install. Did it say exactly that? “?question=answer” in the URL? If so, I can see where that originated from.

    Go ahead and grab the latest version, though – what version did you upload into a new install?

    Plugin Contributor Jesse Petersen

    (@peterdog)

    2.1.0 has an issue. I’m updating to 2.1.1 at the moment as soon as I rectify a conditional logic issue.

    Hi Jesse,

    Thanks for your replies. Looks like you’re “on it” as they say. And I thought I should give you a response anyway.

    No, it used my secret question and answer, I just used “question” and “answer” as placeholders in my post here. Also, looking back at the email sent with the custom URL in it, the custom URL followed this form:

    http://www.myclientsdomain.com/wp-login.php/?question=answer?question=answer

    I didn’t notice the duplicated Q/A pairing and the slash between .php and ? until this morning.

    I loaded the most recent version from the WP repository at the time (2.1.0, which you indicate has a conditional logic issue).

    btw, while you’re in there, I just noticed a typo on the /options-general.php?page=stealth-login-page. The word customizable is missing an “a”.

    Plugin Contributor Jesse Petersen

    (@peterdog)

    Thanks for the heads-up and the information.

    Plugin Contributor Jesse Petersen

    (@peterdog)

    2.1.1 is live. Please update immediately.

    Tally-ho! Redirection is working well!

    But hey. In the options page, I checked the box to send URL to admin’s email. In the email it came through with this convention:

    http://www.clientdomain.com/wp-login.php?Q=A?Q=A

    Where “Q” is my secret Question and “A” is my secret Answer.

    thanks for the quick work!

    all best,
    G

    Personally, I like the redirect on logout because I just use the site’s homepage as redirect URL.

    But I can see how if somebody wanted to redirect to good ol’ rick you might not want to rick roll a valid user logging out…

    heheheh.

    G

    Plugin Contributor Jesse Petersen

    (@peterdog)

    Thanks for pointing out that URL. It was using an old convention:

    wp_login_url() . '?' . $slp_options['question'] . '=' . $slp_options['answer']

    I’ve replaced the wp_login_url() with the new URL so it was thus repeating it. I’m going to fix that as I type.

    Plugin Contributor Jesse Petersen

    (@peterdog)

    I’m not going to rev the plugin for this change, so here is what I edited in /includes/settings-page.php Line 8… grab the whole thing and replace the entire function.

    add_action( 'admin_init', 'slp_email_admin' );
    function slp_email_admin() {
    	global $slp_options, $custom_url;
    	if ( isset( $slp_options['enable'] ) && $slp_options['question'] && $slp_options['answer']  && isset ( $_POST['email-admin'] ) && current_user_can( 'manage_options' ) ) {
    		$to = get_bloginfo( 'admin_email' );
    		$subject = sprintf( __( 'Custom login URL for %s', 'stealth-login-page' ), get_bloginfo( 'name' ) );
    		$message = sprintf( __( 'Your custom login URL for %1$s is %2$s', 'stealth-login-page' ), get_bloginfo( 'name' ), $custom_url;
    		wp_mail( $to, $subject, $message );
    	}
    }

    Plugin Contributor Jesse Petersen

    (@peterdog)

    Actually, this

    add_action( 'admin_init', 'slp_email_admin' );
    function slp_email_admin() {
    	global $slp_options, $custom_url;
    	if ( isset( $slp_options['enable'] ) && $slp_options['question'] && $slp_options['answer']  && isset ( $_POST['email-admin'] ) && current_user_can( 'manage_options' ) ) {
    		$to = get_bloginfo( 'admin_email' );
    		$subject = sprintf( __( 'Custom login URL for %s', 'stealth-login-page' ), get_bloginfo( 'name' ) );
    		$message = sprintf( __( 'Your custom login URL for %1$s is %2$s', 'stealth-login-page' ), get_bloginfo( 'name' ), $custom_url );
    		wp_mail( $to, $subject, $message );
    	}
    }
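
Added example, not part of the thread or the plugin's code: the doubled `?Q=A?Q=A` e-mail URL reported above, and one idempotent way to attach the pair so that a second pass cannot duplicate it. The host `example.test`, the `Q`/`A` values and the helper names `parse_query` and `with_secret_pair` are assumptions; it runs as plain PHP without WordPress.

```php
<?php
// Added example; not the plugin's code. URLs and the Q/A pair are constructed.

// Parse a raw query string into key => value pairs.
function parse_query(string $query): array {
    $out = [];
    foreach (array_filter(explode('&', $query), 'strlen') as $pair) {
        [$k, $v] = array_pad(explode('=', $pair, 2), 2, '');
        $out[rawurldecode($k)] = rawurldecode($v);
    }
    return $out;
}

// Idempotent: set the secret pair on $url whether or not it is already there.
// Assumes an absolute URL; port, user info and fragment are ignored here.
function with_secret_pair(string $url, string $question, string $answer): string {
    $p = parse_url($url);
    $query = parse_query($p['query'] ?? '');
    $query[$question] = $answer;   // overwrite rather than append
    // Normalise the "wp-login.php/" form seen in the first e-mail.
    $path = preg_replace('#\.php/$#', '.php', $p['path'] ?? '/');
    return $p['scheme'] . '://' . $p['host'] . $path . '?'
        . http_build_query($query, '', '&', PHP_QUERY_RFC3986);
}

$q = 'Q';   // constructed secret question
$a = 'A';   // constructed secret answer

// A login URL that already carries the pair, as after the 2.1.x change.
$already_filtered = "https://example.test/wp-login.php?$q=$a";

// Old convention: append the pair again behind a second '?'.
$doubled = $already_filtered . '?' . $q . '=' . $a;

// Only the first '?' starts the query, so the second one and everything
// after it become part of the value stored under $q.
var_dump(parse_query(parse_url($doubled, PHP_URL_QUERY)));

// The idempotent builder gives the same single-pair URL for every input form.
foreach ([
    'https://example.test/wp-login.php',
    'https://example.test/wp-login.php/',
    $already_filtered,
    $doubled,
] as $input) {
    echo with_secret_pair($input, $q, $a), PHP_EOL;
}
```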

    Great!

    I commented out everything after “wp-login.php” when setting $custom_url_ending in plugin.php

    $custom_url_ending = "wp-login.php";//?" . $slp_options['question'] . '=' . $slp_options['answer'];

    And it seemed to work better for me. Not sure why.

    -Greg

    p.s. I guess I don’t know how to get my code to display here in a nice scrollable box. huh.

    Plugin Contributor Jesse Petersen

    (@peterdog)

    Well, if you do that, then your WP login/out URL is going to return to /wp-login.php with nothing after it and be redirected and it makes the entire function above that (the reason for 2.1.0) non-functioning. Same-same. The function is negated when you do that.

    Translated:

    $old = array( "/(wp-login\.php)/" );
    $new = array( "wp-login.php" );

    See the box below the editor box with instructions on code? Or that little code button above this box as you type a reply to me?

    I liked this plugin, but it needs some improvements.
    It does not work with other actions in wp-login, like register and lostpassword for example.

    Plugin Contributor Jesse Petersen

    (@peterdog)

    2.1.0 did fix the lost password link and anyone allowing registrations from the base login screen can skip this plugin, as it’s not in the best interest of site security. That will not be addressed by any changes in the future.

    2.1.0
    Corrected the logout link in the dashboard and the lost password link on the login page.

    Hi Jesse,

    Installed v2.1.2, and I still get attacks (2 min intervals). I myself cannot access my website login page, how do “they” find it?

    I also never received the email with question and answer as per suggested by checking the box.

    Can you help? Anything I missed?

    Regards,

    Andre

  • The topic ‘New WP install, default logins not hidden’ is closed to new replies.