Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi, I have never used Wishlist member plugin before. Did you speak to the Wishlist member plugin developers about this issue?

    Thread Starter JJ

    (@jdagan)

    Hi @mbrsolution. Thanks for your help.
    I don’t think it is related to Wishlist Member.
    The problem arises from the fact that there are WordPress users who shouldn’t know about the secret admin login URL.
    I just checked the code for the login widget I’m using and it seems that the POST is also exposing the secret URL.
    I think it turns into a wider question. How do you distinguish regular users from admin? The regular users shouldn’t know about the secret admin login URL.
    Can I use one login URL (and Password reset URL) for regular users and another URL for admins?

    Thanks.

    Plugin Contributor mbrsolution

    (@mbrsolution)

    The problem is related to having users logging in as members of your site “Not related to your membership plugin”. If they need to recover the password then the secret word will always be displayed. That is why I always encourage people to use a membership plugin if they are going to use the rename login Brute Force feature in the security plugin and they have members logging in.

    Let me know if you understand what I mean.

    Regards

    Thread Starter JJ

    (@jdagan)

    @mbrsolution Now I understand.
    I will go to the membership plugin support and ask there for a solution.
    I appreciate your help.

    Plugin Contributor mbrsolution

    (@mbrsolution)

    You are most welcome. Let me know how you go.

    Regards

    Secret Url revealed after Max Login Attempts

    For example: http://www.yoursite.com/yourcustom wp login: monkey
    When a user fails, this secret URL is revealed. I think that it is a problem :/
    So please, configure your plugin to NOT show this secret login url.

    Another thing, this message is very short:
    ERROR: Access from your IP address has been blocked for security reasons. Please contact the administrator.
    Maybe:
    ERROR: Access from your IP address has been blocked for 30 minutes for security reasons. Please contact the administrator at: youremail@email.com
    (Here the Admin can put whatever email that he or she wants. Login Options / Email… you know)

    • This reply was modified 7 years, 3 months ago by livingflame.
    Plugin Contributor mbrsolution

    (@mbrsolution)

    (@livingflame), I have replied to your other thread.

    Thank you

  • The topic ‘Password reset page reveals secret admin login URL’ is closed to new replies.