iThemes Security (formerly Better WP Security)
[resolved] [Plugin: Better WP Security] Securing admin area seems to still allow POSTs. (7 posts)

  1. dogweather
    Posted 3 years ago #

    First; excellent plug-in. Thanks.

    Just today, I noticed that an attacker was getting 200's back from the server, even though I've enabled the 'secure admin area' feature:

    200 www.g33klaw.com:80 - - [16/Jul/2012:21:20:50 -0700] "POST /wp-login.php HTTP/1.1" 4747 "http://www.g33klaw.com/wp-login.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

    Here's me doing a GET request which is correctly redirected, eventually to get a 404:

    302 www.g33klaw.com:80 - - [16/Jul/2012:22:16:21 -0700] "GET /wp-login.php HTTP/1.1" 549 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.57 Safari/536.11"


  2. Thanks for the report. Now, wp-login.php itself still needs to take the POST request to process login; however, if you have "Hide Backend" enabled, access to wp-login.php requires the "Secret Key" GET variable.

  3. dogweather
    Posted 3 years ago #

    Ah hah, I see. wp-login.php is something of a beast, performing a lot of roles.

    For now, I'm just going to manually rename my wp-login.php file. The only problem with that is possible issues when I upgrade WordPress.

    I wonder if there'd be a way to do the same thing, without actually changing a filename? Some kind of set of Apache rules, maybe: first, 404 the wp-login.php path. Then, add some kind of rewrite or proxy rule for the alternate path to the file...

  4. dogweather
    Posted 3 years ago #

    still needs to take the post request to process login however

    I guess that the login form would need to be modified to include the key as a hidden variable.

  5. That is correct. There really is no good way around this short of hacking core to work around it. That's something I really don't think should be in a plugin ;)

  6. dogweather
    Posted 3 years ago #

    I tested some rewrite rules, and I see that it'd be easy to hide the actual wp-login.php.

    I was optimistic until I looked at the source for the wp-login.php file. The filename is hardcoded all over the place, even where it doesn't have to be; i.e., the form action. So there's no way my idea would work.

    But talk about a culture shock; coming from Rails programming, paths and filenames are never hardcoded. The path can be changed in one spot.

  7. Haha! Welcome to WordPress. In their defense many other important paths such as wp-content can be overridden. wp-login.php is one of the few exceptions.
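An added example, not code from this thread or from the plugin, that puts the two points of the discussion side by side: a log check that flags what the first post noticed (a POST to wp-login.php answered with a 200 while GETs were being turned away), and a small model of a "Hide Backend" style gate that only closes that gap when it requires the secret-key GET variable for POST as well as GET. The two log lines are copied from the first post; the parameter name login_key and the 404 status are assumptions, since the thread does not say what the plugin's key variable is called.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Two access-log lines copied from the first post in this thread (status code first,
# then vhost:port, then the usual combined-format fields). They are the only sample input.
SAMPLE_LOG = '''\
200 www.g33klaw.com:80 - - [16/Jul/2012:21:20:50 -0700] "POST /wp-login.php HTTP/1.1" 4747 "http://www.g33klaw.com/wp-login.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
302 www.g33klaw.com:80 - - [16/Jul/2012:22:16:21 -0700] "GET /wp-login.php HTTP/1.1" 549 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.57 Safari/536.11"
'''

# Matches the format quoted above: status, vhost:port, ident, user, [time], "METHOD target PROTO",
# size, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<status>\d{3}) (?P<vhost>\S+) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_log(text):
    """Parse log lines in the thread's format; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["status"] = int(entry["status"])
            entries.append(entry)
    return entries


def accepted_login_posts(entries):
    """Return entries where a POST to wp-login.php got a 200 back, meaning the login
    handler processed the submission instead of redirecting it or returning 404."""
    hits = []
    for entry in entries:
        path = urlsplit(entry["target"]).path
        if entry["method"] == "POST" and path == "/wp-login.php" and entry["status"] == 200:
            hits.append(entry)
    return hits


def hide_backend_gate(method, target, key_param, checked_methods=("GET", "POST")):
    """Model (an assumption, not the plugin's code) of a 'Hide Backend' style check
    placed in front of wp-login.php.

    Returns 404 when the request targets wp-login.php with one of the checked methods
    and the secret-key GET variable is missing from the query string; returns None to
    let WordPress handle the request. Passing checked_methods=("GET",) reproduces the
    gap from the first post: GETs are turned away while POSTs reach the login handler.
    """
    parts = urlsplit(target)
    if parts.path != "/wp-login.php" or method not in checked_methods:
        return None
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    if key_param in params:
        return None
    return 404


if __name__ == "__main__":
    for hit in accepted_login_posts(parse_log(SAMPLE_LOG)):
        print("login POST accepted at", hit["time"], "referer", hit["referer"])
    # key_param "login_key" is a placeholder name for the secret-key GET variable
    print("GET-only gate, POST without key:", hide_backend_gate("POST", "/wp-login.php", "login_key", ("GET",)))
    print("GET+POST gate, POST without key:", hide_backend_gate("POST", "/wp-login.php", "login_key"))
    print("GET+POST gate, GET with key:", hide_backend_gate("GET", "/wp-login.php?login_key=1", "login_key"))
```

Run against a real access log, accepted_login_posts is the quick check for whether the hidden login page is still taking form submissions; the gate function is only there to show why the key has to be demanded for every method, which is what the plugin author describes above and what a GET-only rewrite rule would miss.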

Topic Closed

This topic has been closed to new replies.
