Plugin misbehaving when WP installed into a subdirectory

  • GermanKiwi
    Member

    @germankiwi

    Hi Sean, I’ve just installed the new v2.0.2 of this plugin, as I saw in the changelog that you’ve fixed some issues with WP installed in a sub-directory. I’ve done some tests and it’s definitely an improvement, but it still doesn’t work correctly I’m afraid.

    Specifically, it won’t let me log in at all using the login URL I set in the plugin – same problem as before.

    I set the login URL to “dashboard”, i.e. http://www.example.com/dashboard.

    Then I logged out, and went to http://www.example.com/dashboard and it correctly showed the login panel. I entered my username/password, and instead of logging me in and taking me to the WP Dashboard, it actually redirected me to http://www.example.com/wordpress/wp-admin/ and gave a 404 error. So I still have no chance to log in at all, without removing the plugin. 🙁 Any idea what’s causing this? (And please note that the URL it redirected me to, includes the /wordpress/ sub-directory in the URL)

    Additionally, when it redirects to http://www.example.com/wordpress/wp-admin/ the page there inserts the text “Page not found” at the top of the page, above the normal 404.php page content – this is odd. It should simply display the standard 404.php page from my template, without inserting any extra text at the top of the page.

    In addition, the following URLs are still problematic for me (with the login URL set to “dashboard”):

    When NOT logged in to WordPress:

    1) http://example.com/login redirects to http://example.com/wordpress/wp-admin/ and gives a 404. But this reveals the path to my WordPress installation subfolder, which is not good. I want to keep that hidden. Obviously one of the main advantages of this plugin is securing WordPress by obscurity – keeping the path and login page hidden – therefore I think the plugin should not reveal the WP installation subfolder if possible.

    2) http://example.com/wordpress/login redirects to http://example.com/wordpress/wp-admin/ and gives a 404. I think it would be better to give the 404 at the original URL without redirecting it to wp-admin.

    3) http://example.com/admin/ redirects to http://example.com/wordpress/wp-admin/ and gives a 404. Not good for the above reason.

    4) http://example.com/wordpress/admin/ redirects to http://example.com/wordpress/wp-admin/ and gives a 404. Not good for the above reason.

    5) http://example.com/wp-login.php does not redirect – just gives a 404. This is great!

    6) http://example.com/wordpress/wp-login.php does not redirect – just gives a 404. This is also great!

    7) http://example.com/wp-admin/ redirects to http://example.com/wordpress/wp-admin/ and gives a 404. Not good for the above reason – it reveals the WP subdirectory.

    8) http://example.com/dashboard does not redirect, but shows the WP login page (good!)

    9) http://example.com/wordpress/dashboard redirects to http://example.com/wordpress/wp-admin/ and gives a 404. I think this is not good – it should either redirect to http://example.com/dashboard and show the login page, or else it should not redirect anywhere, and give a 404 error without changing the URL.

    In conclusion, I think it’s best when the plugin doesn’t redirect (doesn’t change the URL) in order to give the 404 error, because changing the URL reveals the WP subdirectory and lets the user know that WordPress is being used – which defeats the purpose of using this plugin for “security through obscurity”. Also, when the URL is changed, the resulting URL ends with “wp-admin” which also gives away the fact that WordPress is being used. So it would be best if the 404 error is given without the URL changing. Maybe this is not possible with this plugin, I don’t know. But if it is possible, I think it’s the best solution. What do you think?

    Thanks!
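An added example, not part of the original post and not the plugin's code: a check that replays the nine logged-out cases listed above and flags every redirect that changes the URL, exposes the install subdirectory, or exposes a WordPress path. The finding names and the `OBSERVED` list are constructed here from the post's description; `wordpress` as the subdirectory is taken from the post.

```python
from urllib.parse import urlsplit

HIDDEN_SUBDIR = "wordpress"                 # install subdirectory named in the post
WP_MARKERS = {"wp-admin", "wp-login.php"}   # path parts that identify WordPress

def _segments(url):
    """Path of a URL as a set of non-empty segments."""
    return {s for s in urlsplit(url).path.split("/") if s}

def audit_probe(requested, location):
    """Findings for one logged-out request; location is the redirect target or None."""
    if location is None:
        return set()                        # answered in place: nothing new disclosed
    before, after = _segments(requested), _segments(location)
    findings = {"url-changed"}
    if HIDDEN_SUBDIR in after - before:     # visitor did not already know the subdirectory
        findings.add("reveals-subdirectory")
    if WP_MARKERS & (after - before):       # visitor did not already type a WP path
        findings.add("reveals-wordpress")
    return findings

# Constructed from the nine logged-out cases listed in the post above.
WP_ADMIN = "http://example.com/wordpress/wp-admin/"
OBSERVED = [
    ("http://example.com/login", WP_ADMIN),
    ("http://example.com/wordpress/login", WP_ADMIN),
    ("http://example.com/admin/", WP_ADMIN),
    ("http://example.com/wordpress/admin/", WP_ADMIN),
    ("http://example.com/wp-login.php", None),
    ("http://example.com/wordpress/wp-login.php", None),
    ("http://example.com/wp-admin/", WP_ADMIN),
    ("http://example.com/dashboard", None),
    ("http://example.com/wordpress/dashboard", WP_ADMIN),
]

def report(observations):
    """Map each requested URL that disclosed something to its sorted findings."""
    out = {}
    for requested, location in observations:
        findings = audit_probe(requested, location)
        if findings:
            out[requested] = sorted(findings)
    return out

if __name__ == "__main__":
    for url, findings in report(OBSERVED).items():
        print(f"{url}: {', '.join(findings)}")
```

To rerun it after a plugin update, replace `OBSERVED` with the `Location` headers your own site returns when each URL is requested with redirects disabled.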

    Confirmed: with WordPress in a subdirectory, this plugin shows the subdirectory name and redirects improperly!
    This needs a security patch for me …

    Another problem is the 404: the 404 error is embedded in the plugin, but for best caching performance and security masking it is necessary, IMHO, that the 404 error directly calls the real 404 of the hosting.

    Is it possible to add an option to the control panel to enable this in future releases of this plugin?

    Thanks!

    GermanKiwi
    Member

    @germankiwi

    The 404 error page that I get via this plugin is just the standard WordPress 404 error page, that you would also get when you go to any other invalid URL – which I think is fine. It provides consistency with the rest of the site. It’s not built into the plugin, but it’s provided by your WordPress theme.

    The 404 error page itself doesn’t reveal anything wrong in terms of security. The only issue I have is that the URL still reveals the WP subdirectory location.

    the URL still reveals the WP subdirectory location

    Yes! This is a really big problem …

    The 404 error page that I get via this plugin is just the standard WordPress 404 error page, that you would also get when you go to any other invalid URL – which I think is fine. It provides consistency with the rest of the site. It’s not built into the plugin, but it’s provided by your WordPress theme.

    If your theme supports 404, it bypasses the plugin’s 404, but if your theme does not support 404, the plugin shows its internal 404, located on line 657 of the lockdown-wp-admin.php file. Not all themes support 404 … for example, if you use WordPress as a simple CMS … for best caching on WordPress and for reducing memory and CPU load, the best solution is to serve the real 404 of the hosting and not a 404 embedded in plugins or themes. This practice is also used by W3 Total Cache …

    GermanKiwi
    Member

    @germankiwi

    It’s still broken after upgrading to 2.1 today.

    If I set the login URL to http://www.example.com/dashboard (by entering “dashboard” into the login URL field of this plugin), and then I go to http://www.example.com/dashboard in my browser and enter my username/password, it then gives me a 404 error page instead of logging me in.

    Hi,
    I have the same problem with WP installed in a subdirectory.
    It generates too many redirects.
