Support » Plugin: WPS Hide Login » The hidden URL can be bypassed in Firefox

Viewing 15 replies - 1 through 15 (of 17 total)
I confirm Firefox and Safari on Mac OS X reveal the hidden login URL.

@nephalem for security reasons, perhaps this thread needs to be removed and sent directly to the developer?

    Moderator Steve Stern

    (@sterndata)

    If I understand what this plugin does, there’s no security issue. It just hides the login page. Big deal. As long as you have good passwords and well secured site, you’re OK.

    The issue is whether the plugin works as it should, not whether your site is secure.

    thumbs up


    Hi,

Not only via {your-site}/wp-admin/wp-register.php; you can also bypass the login URL via {your-site}/wp-admin/customize.php. But so far I haven't received any brute-force attacks on my login URL.

    Thanks.

I can verify that this plugin can be bypassed using {your-site}/wp-admin/customize.php, which is disappointing. I did a band-aid fix by blocking all access to customize.php, as I never use it. Not sure what to do about the other bypass URLs. Disappointing, as this used to be a very good plugin; now it's so-so. MTN

I have tried all permutations of the above in Firefox and none of them allow a user to log in, or even display a login page. They all go back to the main page.
    I use a redirect for any pages not on my sites to take them back to the main page.

My tests were in the Chrome browser. Glad to hear the plugin works correctly in Firefox. It needs to work with _all_ browsers to not be deemed defective, lame, and worse. MTN

    ClaytonL

    (@claytonl)

    @tabrisrp, You might be interested in how iThemes Security is approaching this. They seem to have a combination of actions and filters that are working for them. https://github.com/wp-plugins/better-wp-security/blob/master/core/modules/hide-backend/class-itsec-hide-backend.php

    Please correct me if I’m wrong but the OP and others appear to be misunderstanding what this plugin does.

    It is meant to allow you, the site owner, to alter the admin and login paths from something guessable (like /wp-login.php) TO something unguessable.

    It is not designed to block someone who already knows the paths; whether by URL encoding or not.


@willbeforce, it isn't clear, but the OP's encoded version is actually the encoded version of the guessable http://www.mysite.com/wp-login.php. The plugin was revealing the hidden path after being passed an encoded guessable path.

@claytonl – sorry, yes, forgive me, I think I misunderstood the issue.

    On testing, WP is redirecting from the following to the hidden login page.

    /wp-admin/customize.php
    /wp-register.php
    /%77%70%2D%6C%6F%67%69%6E.%70%68%70

    Does anyone have a working fix?

    Presumably wp-register is unlikely to be necessary in most scenarios if the login url is being obfuscated.

wp-customize and the encoded wp-login.php must be fairly easy to block in .htaccess, though this mod prides itself on being non-.htaccess-based, so a redirect to 404 on a path hook would do the job.

    Thinking out loud.
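The path-hook approach floated in the post above, written out as an added example; this is not code from WPS Hide Login, BPS or any other plugin named in this thread. It is a must-use plugin that normalises the raw request URI (strip the query string, percent-decode until nothing changes so that `/%77%70%2D%6C%6F%67%69%6E.%70%68%70` and double-encoded variants both become `/wp-login.php`, collapse slashes, lower-case) and answers 404 for the three paths the thread found redirecting to the hidden slug. Assumptions: the `hlh_` function names, the `init` hook at priority 0, letting logged-in users keep `customize.php`, and PHP 7.1+ for the nullable return type. Which hook WPS Hide Login redirects on differs between releases, so test the three URLs against your own install after dropping this in.

```php
<?php
/**
 * Plugin Name: Hidden-login hardening (added example, not part of WPS Hide Login)
 * Description: Returns 404 for the paths this thread found redirecting to the hidden login slug.
 * Install: copy to wp-content/mu-plugins/ so it loads before regular plugins.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/**
 * Normalise a raw request URI: drop the query string, percent-decode until a
 * pass changes nothing (handles %77%70... and double encoding), collapse
 * repeated slashes, lower-case.  Returns just the path component.
 */
function hlh_normalise_path( string $request_uri ): string {
    $path = (string) parse_url( $request_uri, PHP_URL_PATH );
    for ( $i = 0; $i < 5; $i++ ) { // bounded so a pathological URI cannot loop forever
        $decoded = rawurldecode( $path );
        if ( $decoded === $path ) {
            break;
        }
        $path = $decoded;
    }
    $path = (string) preg_replace( '#/+#', '/', $path );
    return strtolower( $path );
}

/**
 * Decide whether a request must get a 404 instead of being allowed to
 * redirect to the hidden login.  Returns the reason, or null to allow.
 * $logged_in keeps the Customizer usable for authenticated users (assumption).
 */
function hlh_block_reason( string $request_uri, bool $logged_in ): ?string {
    $path = hlh_normalise_path( $request_uri );
    $base = basename( $path );

    // The hidden slug never has this basename, so an exact match is safe.
    if ( 'wp-login.php' === $base ) {
        return 'direct or percent-encoded wp-login.php';
    }
    // Long gone from core; nothing legitimate asks for it.
    if ( 'wp-register.php' === $base ) {
        return 'legacy wp-register.php';
    }
    // auth_redirect() on this page puts the hidden slug in the Location header.
    $customize = '/wp-admin/customize.php';
    if ( ! $logged_in && substr( $path, -strlen( $customize ) ) === $customize ) {
        return 'unauthenticated customize.php';
    }
    return null;
}

// init fires inside wp-load.php, i.e. before wp-admin/admin.php reaches
// auth_redirect() and before wp-login.php does any of its own work.
add_action( 'init', function () {
    if ( empty( $_SERVER['REQUEST_URI'] ) ) {
        return;
    }
    $reason = hlh_block_reason( (string) $_SERVER['REQUEST_URI'], is_user_logged_in() );
    if ( null !== $reason ) {
        status_header( 404 );
        nocache_headers();
        wp_die( 'Not found.', 'Not found', array( 'response' => 404 ) );
    }
}, 0 );
```

The decision logic lives in `hlh_block_reason()` so it can be exercised from the PHP CLI without WordPress loaded, for example `hlh_block_reason( '/%77%70%2D%6C%6F%67%69%6E.%70%68%70?x=1', false )` should return the wp-login.php reason while `hlh_block_reason( '/wp-admin/customize.php', true )` should return null. The hidden slug itself is untouched because its basename is never one of the three names matched here.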

Wellll, my understanding is that wp-register.php is deprecated; WordPress runs without it and it shouldn't exist in a current install. I deleted it a long time ago. Just for grins, I keep wp-register.php blocked using both Wordfence and .htaccess.

Something must have changed.

Without the Wordfence blocking I get a “this has been disabled” message in IE and Chrome when browsing to
    website/wp-admin/customize.php/wp-register.php/%77%70%2D%6C%6F%67%69%6E.%70%68%70

    BUT, if I browse to //www.mysite.com/%77%70%2D%6C%6F%67%69%6E.%70%68%70
    The only thing stopping it from landing on wp-login.php is the blocking of wp-login.php in my .htaccess.

    So, suggestions: test the plugin with the permutations above. Check to be sure wp-register.php doesn’t exist on your server, and block wp-login.php in your .htaccess.

    In other words WPS Hide Login can be bypassed to one degree or another, requires testing, and tweaking of server configuration for it to work as advertised.

    MTN

OK, I have a solution:

I installed the BPS Security plugin with default settings, ran the wizard, and it's blocking URL encoding and wp-login.php, showing a 404 for each.

It wasn't doing wp-register.php, so I added this file to the .htaccess custom code as follows:

    Root htaccess (BOX 6):

    # DENY ACCESS TO PROTECTED SERVER FILES AND FOLDERS
    # Use BPS Custom Code to modify/edit/change this code and to save it permanently.
    # Files and folders starting with a dot: .htaccess, .htpasswd, .errordocs, .logs
    RedirectMatch 403 \.(htaccess|htpasswd|errordocs|logs)$
    RedirectMatch 404 wp-register\.php$

    Save
    Activate

This successfully 404s these 3 URLs.

It's an easy fix. A more elegant solution would be for the plugin itself to prevent these redirects via hooking.

    nice
