Support » Plugin: iThemes Security (formerly Better WP Security) » [Plugin: Better WP Security] Securing admin area seems to still allow POSTs.

  • Resolved dogweather

    (@dogweather)


    First; excellent plug-in. Thanks.

Just today, I noticed that an attacker was getting 200s back from the server, even though I’ve enabled the ‘secure admin area’ feature:

    200 www.g33klaw.com:80 46.119.114.80 - - [16/Jul/2012:21:20:50 -0700] "POST /wp-login.php HTTP/1.1" 4747 "http://www.g33klaw.com/wp-login.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

    Here’s me doing a GET request which is correctly redirected, eventually to get a 404:

    302 www.g33klaw.com:80 67.168.204.53 - - [16/Jul/2012:22:16:21 -0700] "GET /wp-login.php HTTP/1.1" 549 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.57 Safari/536.11"

    http://wordpress.org/extend/plugins/better-wp-security/

  • Thanks for the report. Now, wp-login.php itself still needs to take the POST request to process the login; however, if you have “Hide Backend” enabled, access to wp-login.php requires the “Secret Key” GET variable.

    dogweather

    (@dogweather)

    Ah hah, I see. wp-login.php is something of a beast, performing a lot of roles.

    For now, I’m just going to manually rename my wp-login.php file. The only problem with that is possible issues when I upgrade WordPress.

    I wonder if there’d be a way to do the same thing, without actually changing a filename? Some kind of set of Apache rules, maybe: first, 404 the wp-login.php path. Then, add some kind of rewrite or proxy rule for the alternate path to the file…

    dogweather

    (@dogweather)

    “still needs to take the post request to process login however”

    I guess that the login form would need to be modified to include the key as a hidden variable.

    That is correct. There really is no good way around this short of hacking core to work around it. That’s something I really don’t think should be in a plugin 😉

    dogweather

    (@dogweather)

    I tested some rewrite rules, and I see that it’d be easy to hide the actual wp-login.php.

    I was optimistic until I looked at the source for the wp-login.php file. The filename is hardcoded all over the place, even where it doesn’t have to be, i.e. the form action. So there’s no way my idea would work.

    But talk about a culture shock; coming from Rails programming, paths and filenames are never hardcoded. The path can be changed in one spot.

    Haha! Welcome to WordPress. In their defense many other important paths such as wp-content can be overridden. wp-login.php is one of the few exceptions.
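The rewrite-rule idea raised above runs into the hardcoded form action: the login form posts back to a bare wp-login.php, so a key carried only in the query string is lost on the POST. One way to keep the key out of the form entirely is to have mod_rewrite set a short-lived cookie when the key is presented and then require that cookie, rather than the query string, on every later request to wp-login.php, GET or POST alike. The following .htaccess fragment is an added example, not the plugin’s Hide Backend implementation and not anything posted in this thread; the parameter name key, the value s3cr3t, the host www.example.com and the 10-minute lifetime are placeholders to be replaced.

```apache
# Added example, not Better WP Security's own rules.
# Assumptions: Apache with mod_rewrite enabled for this directory; the
# secret is key=s3cr3t; the site host is www.example.com. Change all three.
RewriteEngine On

# 1. A request to wp-login.php that carries the secret key sets a cookie
#    (value 1, host www.example.com, lifetime 10 minutes, path /) and is
#    then served normally. "-" keeps the URL unchanged.
RewriteCond %{REQUEST_URI} ^/wp-login\.php$
RewriteCond %{QUERY_STRING} (^|&)key=s3cr3t(&|$)
RewriteRule ^ - [CO=wp_login_key:1:www.example.com:10:/,L]

# 2. Any other request to wp-login.php, GET or POST, that does not present
#    the cookie is answered with 404, the same response the thread shows
#    for the hidden GET. The browser that loaded the form through rule 1
#    sends the cookie with its POST, so the normal login still works.
RewriteCond %{REQUEST_URI} ^/wp-login\.php$
RewriteCond %{HTTP_COOKIE} !(^|;\s*)wp_login_key=1(;|$)
RewriteRule ^ - [R=404,L]
```

Two caveats. The key is visible in the query string, so it ends up in the web server log and in any Referer the login page sends; treat it as something to rotate, not as a password. And the cookie is a bearer token for its lifetime: this only hides the endpoint from scanners that do not know the key, it does not replace strong passwords or lockout on failed logins, which is why a direct POST to wp-login.php with the key or cookie still has to be handled by WordPress itself.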
