[Plugin: Better WP Security] Bypass to Login hide (or "hide backend") (WordPress.org support thread for iThemes Security, formerly Better WP Security)

Viewing 15 replies - 1 through 15 (of 32 total)
  • Yes, I can verify the same problem.

    Upgrading WordPress to the latest version (3.4.2) solved this problem for me.
    But I’ve found a way to bypass it even in the latest WordPress version.

    By sending a request to “http://YourDomainHere/wp-login.php?loggedout=true” with a Referer of “http://YourDomainHere/wp-admin/”, the website redirects you to the secret login page.

    This is an HTTP packet sent to the server:

    GET /wp-login.php?loggedout=true HTTP/1.1
    Host: YourDomainHere
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-us,en;q=0.5
    Accept-Encoding: gzip, deflate
    Proxy-Connection: keep-alive
    Referer: http://YourDomainHere/wp-admin/

    Try using this to hide the backend. Just remember to use something other than the default WordPress Permalink structure.

    http://wordpress.org/extend/plugins/wsecure/

    The hide backend feature requires changing the default permalinks.
    The setup page says that: “In both cases it requires permalinks to be turned on in your settings to function.”

    So it’s not the issue.

    dr.yoni wrote:

    The hide backend feature requires changing the default permalinks.
    The setup page says that: “In both cases it requires permalinks to be turned on in your settings to function.”

    So it’s not the issue.

    Which plugin are you referring to? I was referring to the wSecure plugin, not the Better WP Security plugin.

    thealchemist (@thealchemist)

    Didn’t redirect me to the login page. I can’t seem to access the login page regardless of what I do.

    Oh god, /wp-login.php?loggedout=true redirects me to the login page! 🙁

    I get redirected to a login page when I use

    /wp-login.php?loggedout=true

    Very frustrating that I cannot hide my login page using Better WP Security.

    Handoko (@handoko-zhang)

    Hello all.

    I think I found a quick fix. I have tested the trick on my website and it works. Hope it can help you too. But I guarantee nothing and don’t blame me if it breaks your website.

    I have posted the fix on this thread:
    http://wordpress.org/support/topic/after-enabling-hide-backend-still-i-am-getting-bad-login-attempt-how

    Better WP Security needs to take the approach of the Lockdown WP Admin plugin (http://wordpress.org/extend/plugins/lockdown-wp-admin/). When using the Lockdown WP Admin plugin, going to http://YourDomainHere/wp-login.php?loggedout=true will generate a 404 error. Anything off of the /wp-login.php or /wp-admin URL will generate a 404 error if logged out.

    Hello all. Has there been any progress on eliminating the bypass of http://YourDomainHere/wp-login.php?loggedout=true originally reported? I tend to agree with HCE on the preferred approach.

    I’m experiencing the very same issue (backend hidden, still getting lockout notifications).

    I will notify the author, since this seems a bug rather than a support request.

    Today I got the same issue: a bypass to wp-login.php with “hide backend”. I have had brute force attacks the whole day.

    109.196.190.90 - - [07/Jul/2013:14:41:41 +0400] "POST /wp-login.php HTTP/1.0" 200 3426 "http://mysite.com/wp-login.php" "Opera/9.80 (Windows NT 6.1; U; ru) Presto/2.8.131 Version/11.10"

    It’s not the http://YourDomainHere/wp-login.php?loggedout=true flaw, because the rewrite rules (below) work for me (but not against the attacker).

    # Matches only when loggedout=true is the first parameter of the query string
    RewriteCond %{QUERY_STRING} ^loggedout=true
    # REQUEST_URI is the mod_rewrite variable for the request path (the posted rule
    # used %{REQUEST_URL}, which does not exist and expands to an empty string);
    # the trailing "?" drops the query string from the redirect target
    RewriteRule .* http://mysite.com%{REQUEST_URI}? [R=301,L]

    I’m doubly surprised because wp-admin folder is password protected using htaccess as well. How does this happen?

    123 brute force attack attempts today.

    Same here, posts to wp-login

    207.248.110.135 - - [09/Jul/2013:05:56:44 +0200] "POST /wp-login.php HTTP/1.0" 200 5304 "mysite.com/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"

    Since the proposed fix causes an infinite redirect on Chrome, I removed the ^loggedout rule from .htaccess altogether.

    I will let you know if attacks continue

    PS: the author didn’t answer my mail.
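    The two posts above show what a working monitor for this thread's problem has to pick out of the web server log: the GET /wp-login.php?loggedout=true request with a /wp-admin/ Referer reported at the top of the thread, and the run of POST /wp-login.php requests that still return 200 even with "hide backend" switched on. The following is an added example written for this page, not code from the plugin or from anyone in the thread. It parses combined-format access log lines (the format of the lines posted above), flags both patterns, and counts login POSTs per client IP against a threshold. The sample log lines are constructed, use documentation IP ranges, and assume the site is at mysite.com; the field names, the threshold of 5 and the function names are choices made here.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Combined log format, as used by the lines posted in this thread:
#   ip ident user [time] "METHOD PATH PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_hide_backend_probe(rec):
    """True for the request pattern reported in the thread:
    GET /wp-login.php?loggedout=true with a Referer pointing at /wp-admin/."""
    if rec["method"] != "GET":
        return False
    url = urlsplit(rec["path"])
    if url.path != "/wp-login.php":
        return False
    if parse_qs(url.query).get("loggedout") != ["true"]:
        return False
    return urlsplit(rec["referer"]).path.rstrip("/") == "/wp-admin"


def is_login_post(rec):
    """True for a credential submission to the stock login URL."""
    return rec["method"] == "POST" and urlsplit(rec["path"]).path == "/wp-login.php"


def analyze(lines, threshold=5):
    """Summarise one batch of log lines.

    probes       -- (ip, time) of every loggedout=true bypass probe
    login_posts  -- POST /wp-login.php count per client IP
    brute_force  -- IPs whose POST count reaches `threshold`
    unhidden     -- IPs that got a 200 from POST /wp-login.php; with hide backend
                    working, the stock URL should not serve the login form at all
    """
    probes, posts, unhidden = [], Counter(), set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line (e.g. a different log format); skip it
        if is_hide_backend_probe(rec):
            probes.append((rec["ip"], rec["time"]))
        if is_login_post(rec):
            posts[rec["ip"]] += 1
            if rec["status"] == "200":
                unhidden.add(rec["ip"])
    return {
        "probes": probes,
        "login_posts": dict(posts),
        "brute_force": {ip: n for ip, n in posts.items() if n >= threshold},
        "unhidden": sorted(unhidden),
    }


# Constructed sample log (documentation IP ranges), modelled on the lines posted above.
SAMPLE_LOG = [
    '192.0.2.1 - - [07/Jul/2013:14:40:10 +0400] "GET / HTTP/1.1" 200 8120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [07/Jul/2013:14:50:02 +0400] "GET /wp-login.php?loggedout=true HTTP/1.1" '
    '302 0 "http://mysite.com/wp-admin/" "Mozilla/5.0"',
    '203.0.113.9 - - [07/Jul/2013:14:50:05 +0400] "POST /wp-login.php HTTP/1.1" 200 3426 '
    '"http://mysite.com/wp-login.php" "Mozilla/5.0"',
] + [
    f'198.51.100.7 - - [07/Jul/2013:14:41:{41 + i:02d} +0400] "POST /wp-login.php HTTP/1.0" '
    f'200 3426 "http://mysite.com/wp-login.php" "Opera/9.80"'
    for i in range(6)
]

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The "unhidden" list is the check most relevant to this thread: once hide backend is working, a 200 response to POST /wp-login.php should never appear, so any IP in that list is proof the hide is being bypassed regardless of whether the loggedout=true probe was seen. Real logs with ident or user fields set, or a different LogFormat, need the regex adjusted.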

    Same volume of attacks here today too.
    Hope the author has a fix soon or we may need to drop BWPS.

  • The topic ‘[Plugin: Better WP Security] Bypass to Login hide (or "hide backend")’ is closed to new replies.