• Resolved Shane

    (@shanemarsh28)


    Hi,

    Currently we were on version I think 1.5 (possibly 1.3.4.2, not 100% sure). Attempted upgrade to version 1.5.2.1 and the behaviour of WordPress password protected pages has changed. Prior to upgrade, it seemed the password was accepted via some sort of Ajax or post request to the page you are on – like submitting a form. When I updated to 1.5.2.1 that changed to a redirect to: /wp-login.php?action=postpass

    For security, we have wp-login.php blocked in our Nginx configuration so this update produced a series of 500 errors when users attempted to enter their password to a protected page.

    Is this now new expected behaviour? Please advise. I have rolled back the plugin to our previous version which is working as expected.

    Shane.

Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Author NicolasKulka

    (@nicolaskulka)

    Hello,

    Yes it’s now working, because I was noticed that the hidden URL for the admin was displayed in the source code, or the plugin can hide this new URL to access the back office.

    So there was a fix to display the classic WordPress URL for hiding the URL you chose.

    Thread Starter Shane

    (@shanemarsh28)

    Hi Nicolas,

    Thanks for your reply! I’m sorry but I don’t fully understand what you mean. When submitting a form, is the new redirect to: /wp-login.php?action=postpass now expected behaviour or not?

    Shane 🙂

    Plugin Author NicolasKulka

    (@nicolaskulka)

    Yes, exactly, and not the hidden URL given by WPS Hide Login.

    Thread Starter Shane

    (@shanemarsh28)

    Ahh OK. Is there a way of continuing to use the hidden login?

    This will cause problems for us because we have wp-login.php blocked at server level for security reasons. Our servers get a lot of brute force attempts on that file which was one of the reasons for wanting to hide it in the first place.

    Plugin Author NicolasKulka

    (@nicolaskulka)

    Not possible to use the hidden login.

    You have to disable it on the server side, so that you do not have any more worries, and disable XMLRPC; that’s where you have the brute force attempts normally.

    Thread Starter Shane

    (@shanemarsh28)

    OK, we will have to consider an alternative plugin in this case then, because allowing /wp-login.php to accept requests is a no-go option for us – it partially defeats the whole point of hiding wp-login.php and /wp-admin if you’re just going to use it anyway. I would suggest that others will have issues with this update too.

    Don’t worry, we have XMLRPC entirely disabled too 🙂

  • The topic ‘Password protected posts – behavour changed’ is closed to new replies.
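
One way to keep wp-login.php blocked in Nginx while letting through only the /wp-login.php?action=postpass form submission discussed in this thread. This is an added example, not configuration from the thread's participants or the plugin; the server name, document root, PHP-FPM socket path and rate-limit values are assumptions to adapt.

```nginx
# Added example, not from the thread.
# Assumed: server_name, root, PHP-FPM socket path, rate-limit values.

# http context: only the POST sent by the password form is let through.
map "$request_method:$arg_action" $wp_login_blocked {
    default          1;
    "POST:postpass"  0;
}

# http context: throttle post-password guesses per client address.
limit_req_zone $binary_remote_addr zone=postpass:10m rate=10r/m;

server {
    listen 80;
    server_name example.com;          # assumption
    root /var/www/html;               # assumption

    location = /wp-login.php {
        # Login form, lost-password and every other action stay blocked.
        if ($wp_login_blocked) {
            return 403;
        }
        limit_req zone=postpass burst=5 nodelay;

        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumption
    }
}
```

Check the result with `nginx -t` before reloading, then confirm that a GET to /wp-login.php still returns 403 while a protected page accepts its password.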