Site Kit exposes wp-login.php – How to disable OAuth button?

Resolved rgi001
(@rgi001)

2 months ago
Hello,

I’m using the Google Site Kit plugin on my WordPress site, but I’m facing a significant security issue.

The Problem: The plugin adds a “Sign in with Google” button on my login page (wp-login.php), generated by the googlesitekit_display_login_button() function or by the script https://accounts.google.com/gsi/client.

The issue is that this login URL is now indexed and visible in search engines, which exposes my admin interface even though I had implemented a custom login URL to protect my site.

What I’ve tried without success:

I’ve attempted several solutions in my child theme’s functions.php file:

php
```
// Method 1: Disable via PHP
add_action('login_init', function() {
    remove_action('login_form', 'googlesitekit_display_login_button');
    add_filter('googlesitekit_login_form_enabled', '__return_false');
}, 20);

add_action('login_enqueue_scripts', function() {
    wp_dequeue_script('google-gsi-client');
    wp_deregister_script('google-gsi-client');
}, 20);

// Method 2: JavaScript removal
add_action('login_footer', function() {
    // Script to remove the button from DOM
}, 999);
```
Despite these attempts, the button still appears.

My Question: Is there an official filter or option in Google Site Kit to completely disable the Google Sign-in button on the wp-login.php page?

If no solution exists, I will unfortunately have to deactivate the plugin, as my site’s security is compromised with the admin URL being exposed in search engines.

Thank you in advance for your help!

Configuration:
- WordPress: [6.8.3]
- Google Site Kit: [1.165.0]
- Theme: Astra Child

Viewing 4 replies - 1 through 4 (of 4 total)

Plugin Support James Osborne
(@jamesosborne)

2 months ago

Thanks for reaching out @rgi001. If you’d like to share your site health information I’d be happy to check your current set up and also custom login page. Making use of Sign in with Google, via Site Kit or if implemented manually, doesn’t result in your standard WordPress wp-login page being visible in search if it wasn’t previously.

By default, WordPress also includes a noindex directive on the login and lost password pages to prevent them from showing up in search results. This doesn’t change if you activate Sign in with Google via Site Kit. What may be happening in your case, if a third party plugin, or how your custom page works, is the directive to not index may be removed.

It’s also possible that some search engines still display your login page in their results, as noindex is only a directive to tell search engines not to index. It’s possible some still may, or the directive wasn’t in place for a period and the page was captured from then. I’ll know more once I can check your site.

My Question: Is there an official filter or option in Google Site Kit to completely disable the Google Sign-in button on the wp-login.php page?

This is the primary function of Sign in with Google, to place the button on the login page. There are options to enable the button across all pages via one tap, but the login page is the main focus, so there is no filter specifically to disable from this page. While you can of course deactivate Sign in with Google in full, there you looking to disable the plugin only on your custom wp-login page or the default wordpress login.php page? Let me know and I’ll see if I can provide you with a snippet using the googlesitekit_sign-in-with-google_tag_blocked filter.

Looking forward to hearing from you.

Plugin Support James Osborne
(@jamesosborne)

1 month, 1 week ago

As we didn’t receive a response I’ll mark this as resolved. Feel free to open a new support topic if you continue to encounter issues, or reopen this topic and we’d be happy to assist.

Thread Starter rgi001
(@rgi001)

1 month, 1 week ago

Thank you for your help, I’m delighted with your response (received unexpectedly in my inbox). I have no idea what could have happened. I had a problem with the cron job and probably a problem with plugin updates, or perhaps Google Site Kit did an update a few days ago, and my interface is no longer the same!

Plugin Support James Osborne
(@jamesosborne)

1 month, 1 week ago

No problem @rgi001, happy to help. When you mention that the interface is no longer the same, do you see any errors or warnings, or is it maybe that some services that were previously connected were since disconnected?

Viewing 4 replies - 1 through 4 (of 4 total)

You must be logged in to reply to this topic.

Tags