Support » Plugin: iThemes Security (formerly Better WP Security) » Vulnerability exposes hidden admin

  • First, thanks for a very helpful plugin.

    There’s one RewriteRule in the set of rules added to .htaccess for hiding the backend that creates a bit of a vulnerability. I do not see the equivalent rule in the nginx configuration, but I’m not as familiar with that rewrite syntax.

    Here’s a scenario:

    1. Hacker visits the blog and suspects it is running on WordPress
    2. Hacker attempts to login by visiting /wp-login.php
    3. Hacker receives a 404 error, but suspects Better WP Security may be installed and hiding the login URL
    4. Hacker visits /?loggedout=true and gets redirected to the login page with the secret key appended

    I’m sure you are aware of the rule I’m talking about. It appears in lines 699-700 of inc/admin/common.php and looks like this in .htaccess:

    RewriteCond %{QUERY_STRING} ^loggedout=true
    RewriteRule ^.*$ /wp-login.php?[secret-key-here] [R,L]

Viewing 5 replies - 1 through 5 (of 5 total)
  • Thank you so much for pointing this out. I was wondering how people were managing to access login when it is hidden by a scrambled key!

    I changed the $key to $dir in line 700 and they now get a 404 error instead:

    "RewriteRule ^.*$ " . $dir . "wp-login.php?" . $dir . " [R,L]" . PHP_EOL;

    You then need to “unhide” the backend and “save”. Then re-hide it and “save” again, so the .htaccess file gets updated.

    I also changed the permissions for common.php to 444 in the hope it won’t get overridden on an update. Don’t know how that will go though.

    There must be another loophole.

    As soon as I released a hacker from lockout he was able to attempt to login again, despite me having generated a new key.

    I tried to login myself with the old key and couldn’t, so I don’t know how he is doing it.

    Hi Graham,

    Glad I could help a bit. Two things:

    1. Rather than replacing $key with $dir, which would definitely do the trick, I’d recommend just commenting out those lines. (Adding a # in front; so “#RewriteRule…”) It’s a little cleaner and would, I think, deliver the same end result of a 404. Keep in mind that if someone logs out of the admin and immediately tries to log back in, they’ll get an error, but that may be a price that has to be paid for security. (There may be a way to fix this too, but I haven’t explored it.)
    2. Have you changed the default slugs that are used when hiding the admin? I’d recommend always changing them since they are easily guessable as-is. For instance, use “abx-login” instead of “login” and “abx-admin” instead of “admin”. Choose a prefix that’s meaningful, but obscure.

    If you do update the slugs, you’ll want to generate a new secret key too, since the current one will now be familiar to your hacker.

    Hope that helps!

    Oh, just realizing I wasn’t quite thorough in my last response, when I recommended commenting out the rewrite rule. You’d also need to comment out the preceeding RewriteCond statement(s). If memory serves, it’s just one RewriteCond statement, so you’d have two lines commented out in total.

    I don’t get an error if I log straight back in again.

    Yes I changed the slugs and generated a new key. I don’t want to fiddle with it any further, as it is doing its job just by changing the one variable.

    If it works – don’t fix it I reckon. Besides, I’m not a programmer and the lines must have been put in there for a reason and I have no idea what it is. So I prefer to leave them there.

    Thanks for your advice anyway, I appreciate it.

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘Vulnerability exposes hidden admin’ is closed to new replies.