iThemes Security (formerly Better WP Security)
[Plugin: Better WP Security] Bypass to Login hide (or "hide backend") (33 posts)

  1. dr.yoni
    Member
    Posted 2 years ago #

    Hello,

    I've found a bypass to the login hide function in Better WP Security plugin.

    Even if the secret login or the secret key is unknown, you can still reach the login page by entering:
    http://YourDomainHere/wp-login.php?loggedout=true

    this redirects to the login page with the secret key.

    Please review this issue.
    10x.

    http://wordpress.org/extend/plugins/better-wp-security/

  2. CentralTrans
    Member
    Posted 2 years ago #

    yes I can verify the same problem

  3. dr.yoni
    Member
    Posted 2 years ago #

    Upgrading WordPress to the latest version (3.4.2) solved this problem for me.
    But I've found a way to bypass it even in the latest WordPress version.

    By sending a request to "http://YourDomainHere/wp-login.php?loggedout=true" with a Referer of "http://YourDomainHere/wp-admin/", the website redirects you to the secret login page.

    This is an HTTP packet sent to the server:

    GET /wp-login.php?loggedout=true HTTP/1.1
    Host: YourDomainHere
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-us,en;q=0.5
    Accept-Encoding: gzip, deflate
    Proxy-Connection: keep-alive
    Referer: http://YourDomainHere/wp-admin/
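Added example, not code from this thread or from the Better WP Security plugin: a small probe that sends the two requests described in posts #1 and #3 (a bare /wp-login.php?loggedout=true, then the same request with a /wp-admin/ Referer) without following redirects, and classifies what comes back. The host name is the thread's placeholder and is an assumption; the `name="log"` field is the real username input of the WordPress login form, and a Location header that still points at wp-login.php?<something> is taken as the "redirects to the login page with the secret key" symptom from post #1.

```python
# Added example, not code from this thread or from the Better WP Security plugin.
# Sends the probes from posts #1 and #3 without following redirects and
# classifies the answer. Host name is an assumption (the thread's placeholder);
# name="log" is the real username field of wp-login.php.
import http.client
import re
import sys
from typing import Mapping, Optional, Tuple

# The wp-login.php username input is <input type="text" name="log" ...>
LOGIN_FORM_RE = re.compile(rb'name=["\']log["\']')
# A redirect whose target is wp-login.php plus a query string discloses the
# hidden login URL / secret key (the symptom described in post #1)
LEAK_RE = re.compile(r"wp-login\.php\?\S+")


def classify(status: int, headers: Mapping[str, str], body: bytes) -> str:
    """Classify one response to the probe.

    login-form-exposed : 200 and the login form is in the body (bypass succeeded)
    slug-leaked        : 3xx whose Location still points at wp-login.php?<something>
    not-exposed        : anything else (404, 302 to /notfound, 302 to the front page)
    """
    location = ""
    for name, value in headers.items():  # header names are case-insensitive
        if name.lower() == "location":
            location = value
    if status == 200 and LOGIN_FORM_RE.search(body):
        return "login-form-exposed"
    if 300 <= status < 400 and LEAK_RE.search(location):
        return "slug-leaked"
    return "not-exposed"


def probe(host: str, referer: Optional[str] = None,
          path: str = "/wp-login.php?loggedout=true",
          timeout: float = 10.0) -> Tuple[int, dict, bytes]:
    """One GET over plain HTTP (as in the thread); redirects are NOT followed,
    because the Location header is the evidence we want to inspect."""
    headers = {"User-Agent": "hide-backend-probe/0.1"}
    if referer:
        headers["Referer"] = referer
    conn = http.client.HTTPConnection(host, timeout=timeout)
    try:
        conn.request("GET", path, headers=headers)
        resp = conn.getresponse()
        return resp.status, dict(resp.getheaders()), resp.read()
    finally:
        conn.close()


def check_site(host: str) -> dict:
    """Run the plain probe and the /wp-admin/ Referer variant from post #3."""
    results = {}
    for label, referer in (("plain", None),
                           ("wp-admin-referer", f"http://{host}/wp-admin/")):
        status, headers, body = probe(host, referer)
        results[label] = classify(status, headers, body)
    return results


if __name__ == "__main__":
    # "YourDomainHere" is the thread's placeholder; pass a real host to test.
    target = sys.argv[1] if len(sys.argv) > 1 else "YourDomainHere"
    for label, verdict in check_site(target).items():
        print(f"{label}: {verdict}")
```

Run it as `python probe.py YourDomainHere`. A correctly hidden backend should report `not-exposed` for both variants; `slug-leaked` means the redirect itself hands an attacker the secret login URL, and `login-form-exposed` means the form was served directly.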

  4. MickeyRoush
    Member
    Posted 2 years ago #

    Try using this to hide the backend. Just remember to use something other than the default WordPress Permalink structure.

    http://wordpress.org/extend/plugins/wsecure/

  5. dr.yoni
    Member
    Posted 2 years ago #

    The hide backend feature requires changing the default permalinks.
    The setup page says that: "In both cases it requires permalinks to be turned on in your settings to function."

    So it's not the issue.

  6. MickeyRoush
    Member
    Posted 2 years ago #

    dr.yoni wrote:

    The hide backend feature requires changing the default permalinks.
    The setup page says that: "In both cases it requires permalinks to be turned on in your settings to function."

    So it's not the issue.

    Which plugin are you referring to? I was referring to the wSecure plugin, not the Better WP Security plugin.

  7. thealchemist
    Member
    Posted 2 years ago #

    Didn't redirect me to the login page. I can't seem to access the login page regardless of what I do.

  8. siprof
    Member
    Posted 2 years ago #

    Oh god, /wp-login.php?loggedout=true redirects me to the login page! :(

  9. awakegal
    Member
    Posted 2 years ago #

    I get redirected to a login page when I use

    /wp-login.php?loggedout=true

    Very frustrating that I cannot hide my login page using Better WP Security

  10. Handoko
    Member
    Posted 2 years ago #

    Hello all.

    I think I found a quick fix. I have tested the trick on my website and it works. Hope it can help you too. But I guarantee nothing and don't blame me if it breaks your website.

    I have posted the fix on this thread:
    http://wordpress.org/support/topic/after-enabling-hide-backend-still-i-am-getting-bad-login-attempt-how

  11. HCE
    Blocked
    Posted 2 years ago #

    Better WP Security needs to take the approach of the Lockdown WP Admin plugin (http://wordpress.org/extend/plugins/lockdown-wp-admin/). When using the Lockdown WP Admin plugin, going to http://YourDomainHere/wp-login.php?loggedout=true will generate a 404 error. Anything off of the /wp-login.php or /wp-admin url will generate a 404 error if logged out.

  12. swatts
    Member
    Posted 1 year ago #

    Hello all. Has there been any progress on eliminating the bypass of http://YourDomainHere/wp-login.php?loggedout=true originally reported? I tend to agree with HCE on the preferred approach.

  13. giti
    Member
    Posted 1 year ago #

    I'm experiencing the very same issue (backend hidden, still getting lockout notifications).

    I will notify the author, since this seems a bug rather than a support request.

  14. Exponom
    Member
    Posted 1 year ago #

    Today I got the same issue - bypass to wp-login.php with "hide backend". I have had brute force attacks the whole day.

    109.196.190.90 - - [07/Jul/2013:14:41:41 +0400] "POST /wp-login.php HTTP/1.0" 200 3426 "http://mysite.com/wp-login.php" "Opera/9.80 (Windows NT 6.1; U; ru) Presto/2.8.131 Version/11.10"

    It's not the http://YourDomainHere/wp-login.php?loggedout=true flaw, because the rewrite rules (below) work for me (not for the attacker).

    # Strip the loggedout=true query string so the request hits the hide-backend redirect
    RewriteCond %{QUERY_STRING} ^loggedout=true
    # mod_rewrite has no REQUEST_URL variable; the correct name is REQUEST_URI
    # (the trailing "?" drops the query string from the redirect target)
    RewriteRule .* http://mysite.com%{REQUEST_URI}? [R=301,L]

    I'm doubly surprised because wp-admin folder is password protected using htaccess as well. How does this happen?

  15. giti
    Member
    Posted 1 year ago #

    123 brute force attack attempts today.

    Same here, posts to wp-login

    207.248.110.135 - - [09/Jul/2013:05:56:44 +0200] "POST /wp-login.php HTTP/1.0" 200 5304 "mysite.com/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"

    Since the proposed fix causes an infinite redirect on Chrome, I removed the ^loggedout string from htaccess entirely.

    I will let you know if attacks continue

    PS: the author didn't answer my mail.

  16. swatts
    Member
    Posted 1 year ago #

    Same volume of attacks here today too.
    Hope the author has a fix soon or we may need to drop BWPS.

  17. rosenzweig70
    Member
    Posted 1 year ago #

    Keeping an eye on this thread. Thanks to OP.

  18. giti
    Member
    Posted 1 year ago #

    Author answered.

    He said he's doing a complete rewrite of that system and it will be ready in the next few months.

    Unfortunately I need a workaround in less time. Attacks are increasing too much.

    I removed the ^loggedout=true lines entirely and I didn't see attacks today.

    Is it a good solution?

  19. Handoko
    Member
    Posted 1 year ago #

    Glad to know the author is fixing it. This issue has been troubling many WP users including me.

  20. swatts
    Member
    Posted 1 year ago #

    Glad to hear he is working on it. Not sure about your workaround solution. Can you provide specifics?

  21. giti
    Member
    Posted 1 year ago #

    http://wordpress.org/support/topic/after-enabling-hide-backend-still-i-am-getting-bad-login-attempt-how?replies=6

    the solution proposed there by Handoko causes an infinite redirect on chrome

    At Step 4, I just removed the lines showed in step 3

    Logout works, login works, wp-login.php?loggedout=true is no longer accessible.

    I don't know if there are side effects, hope a .htaccess guru can help

  22. Exponom
    Member
    Posted 1 year ago #

    @giti
    I think that if BWPS automatically updates the banned users list on lockout, these lines could be repaired.

  23. Barbara Feldman
    Member
    Posted 1 year ago #

    I am baffled. When I read the header response for:
    http://www.mysite.com/wp-login.php
    I get a 302
    (which makes sense since I am HIDING the BACKEND using WP-Better-Security.)

    However, in my access logs for the last 24 hours, I see about 4000 attempts to access wp-login.php that get a 200 response. For example:

    1XX.1X.1XX.XX6 - - [12/Jul/2013:09:17:06 -0400] "POST /wp-login.php HTTP/1.0" 200 3880 "mysite.com/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"

    How is this possible?

    Of course, they are being locked out per the LIMIT LOGIN parameters, but they are still eating up my resources.

  24. giti
    Member
    Posted 1 year ago #

    @barbfeldman

    Did you read the above comments? there is explained the cause of this issue and there are also workarounds

  25. Barbara Feldman
    Member
    Posted 1 year ago #

    @giti

    I did read the comments, but the access_log is NOT showing hits to "wp-login.php?loggedout=true" ... the only hits to "wp-login.php?anything-at-all" are the ones that include my WP-Better-Security secret key (and these are all legit!)

  26. giti
    Member
    Posted 1 year ago #

    @barbfeldman

    same here now, 250 attacks in the last few minutes

  27. Barbara Feldman
    Member
    Posted 1 year ago #

    Let me restate this a little clearer.

    The wp-login hits I am seeing in my access_log ARE NOT taking advantage of the "wp-login.php?loggedout=true" loophole.

    The access is straight to "wp-login.php" ... and the server is responding with a "200 all okay" status code, NOT the "302 redirect to /notfound" that I see when I try to read the status code from "wp-login.php".

  28. giti
    Member
    Posted 1 year ago #

    Attackers are doing POSTs, and after a little investigation it seems that this plugin doesn't protect from POSTs at all....

  29. AITpro
    Member
    Posted 1 year ago #

    These Brute Force Login POST attacks are all using Server Protocol HTTP/1.0. We have researched, tested, documented and are using the successful solution in the link below.

    http://forum.ait-pro.com/forums/topic/protect-login-page-from-brute-force-login-attacks/

    We are successfully blocking 280,000+ Brute Force Login attacks per month on our websites with this .htaccess code, which you can add to your root .htaccess file.

    If you have a BuddyPress/bbPress Forum site then here is a similar solution that blocks spam registrations and Brute Force Login attacks.
    http://forum.ait-pro.com/forums/topic/buddypress-spam-registration-buddypress-anti-spam-registration/
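Added example, not code from this thread, from the plugin or from AITpro: a log check for the pattern described in posts #14, #15, #23, #27 and #28 (POST /wp-login.php answered with 200, so the form was served and hide backend did not block it) that also records the HTTP/1.0 protocol AITpro points to in #29. The first three sample lines are the ones posted in this thread (the IP in the third is masked as posted); the remaining lines are constructed here to add repeats, one legitimate login that carries the secret key in the query string (post #25 says those are the legit hits) and one GET that the hide-backend redirect handled. The threshold and the "query string means legitimate" rule are assumptions for this example.

```python
# Added example, not code from this thread or from any plugin. Scans Apache
# combined-format access log lines for the brute-force pattern the thread
# describes: bare POST /wp-login.php answered with 200, mostly over HTTP/1.0.
# The first three SAMPLE_LOG lines are the ones posted in the thread; the
# rest are constructed for this example.
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

SAMPLE_LOG = r'''
109.196.190.90 - - [07/Jul/2013:14:41:41 +0400] "POST /wp-login.php HTTP/1.0" 200 3426 "http://mysite.com/wp-login.php" "Opera/9.80 (Windows NT 6.1; U; ru) Presto/2.8.131 Version/11.10"
207.248.110.135 - - [09/Jul/2013:05:56:44 +0200] "POST /wp-login.php HTTP/1.0" 200 5304 "mysite.com/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
1XX.1X.1XX.XX6 - - [12/Jul/2013:09:17:06 -0400] "POST /wp-login.php HTTP/1.0" 200 3880 "mysite.com/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
109.196.190.90 - - [07/Jul/2013:14:41:43 +0400] "POST /wp-login.php HTTP/1.0" 200 3426 "http://mysite.com/wp-login.php" "Opera/9.80 (Windows NT 6.1; U; ru) Presto/2.8.131 Version/11.10"
109.196.190.90 - - [07/Jul/2013:14:41:45 +0400] "POST /wp-login.php HTTP/1.0" 200 3426 "http://mysite.com/wp-login.php" "Opera/9.80 (Windows NT 6.1; U; ru) Presto/2.8.131 Version/11.10"
207.248.110.135 - - [09/Jul/2013:05:56:46 +0200] "POST /wp-login.php HTTP/1.0" 200 5304 "mysite.com/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
207.248.110.135 - - [09/Jul/2013:05:56:48 +0200] "POST /wp-login.php HTTP/1.0" 200 5304 "mysite.com/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
203.0.113.7 - - [12/Jul/2013:09:20:00 -0400] "POST /wp-login.php?secret_key=EXAMPLE HTTP/1.1" 302 0 "http://mysite.com/wp-login.php?secret_key=EXAMPLE" "Mozilla/5.0 (X11; Linux x86_64) Firefox/22.0"
198.51.100.9 - - [12/Jul/2013:09:21:00 -0400] "GET /wp-login.php HTTP/1.1" 302 0 "-" "curl/7.30.0"
'''
SAMPLE_LINES = SAMPLE_LOG.strip().splitlines()


def parse(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into fields; None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_login_post(rec: Dict[str, str]) -> bool:
    return rec["method"] == "POST" and rec["path"].split("?", 1)[0] == "/wp-login.php"


def summarize(lines: Iterable[str]) -> Dict[str, Dict[str, int]]:
    """Per client IP: login POSTs, bare (no query string) POSTs answered 200,
    HTTP/1.0 requests, and POSTs carrying a query string (assumed legitimate,
    since the hidden-backend login URL carries the secret key there)."""
    stats: Dict[str, Dict[str, int]] = defaultdict(
        lambda: {"posts": 0, "bare_200": 0, "http10": 0, "with_query": 0})
    for line in lines:
        rec = parse(line)
        if rec is None or not is_login_post(rec):
            continue
        s = stats[rec["ip"]]
        s["posts"] += 1
        if "?" in rec["path"]:
            s["with_query"] += 1
        elif rec["status"] == "200":
            s["bare_200"] += 1
        if rec["proto"] == "HTTP/1.0":
            s["http10"] += 1
    return dict(stats)


def suspicious(lines: Iterable[str], threshold: int = 3) -> List[str]:
    """IPs whose bare POSTs to wp-login.php got 200 at least `threshold` times
    and that never used the secret-key URL: brute-force candidates for a deny list."""
    return sorted(ip for ip, s in summarize(lines).items()
                  if s["bare_200"] >= threshold and s["with_query"] == 0)


if __name__ == "__main__":
    for ip, s in summarize(SAMPLE_LINES).items():
        print(ip, s)
    print("suspicious:", suspicious(SAMPLE_LINES))
```

Feed it a real access_log (`summarize(open("access_log"))`) to see which clients are getting the form back on bare POSTs; the 302s from the hide-backend redirect and the legitimate key-bearing logins are counted separately, so the number that should be zero on a site where the feature works is `bare_200`.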

  30. rosenzweig70
    Member
    Posted 1 year ago #

    AITpro thank you but I'm fairly certain that implementing your strategy ended up breaking my entire permalink structure. Everything but my home page and admin page yielded 404 errors until I scrapped the .htaccess with your code.

Topic Closed

This topic has been closed to new replies.
