Support » Plugin: Cerber Security, Antispam & Malware Scan » Web URL transmitted in Block notification emails

  • Resolved thoraldus

    (@thoraldus)


    The WP Cerber block notifications are sending my login urls in open text.

    Your login page: http://rickster.org/xxxxxxxxxxxxxxxxx/

    I’d think it would be better not to broadcast this in unsecured emails???

    I would like to be notified when the blocks are increasing, but I have to turn off the notifications until this security issue is resolved.


Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author Gioni

    (@gioni)

    Yes it does and it will. I understand your concern, but Custom login URL is intended to reduce attack surface. It’s not a password to hide it absolutely secretly. The main protection mechanism is a set of security algorithms/rules that are implemented in the plugin. BTW the vast majority of modern email clients establish a secure and encrypted connection to email servers.

  • thoraldus

    (@thoraldus)

    To me it seems there is not much use for an obfuscated login URL unless it can remain relatively secure. I might just as well not use the feature as it is not without its own downsides. Yes, my email client is secure in its connection to my email server, but I do not control the entire path that emails may travel to me.

    Security through obscurity. 😉

    Thank you for your prompt response, it is sincerely appreciated.

    And thank you very much for WP Cerber, it is an outstanding plugin!

    • This reply was modified 4 months, 1 week ago by thoraldus.

  • wallyO

    (@wallyo)

    Please reconsider this request.
    I too am going to disable Weekly Reports if they are to contain the obscure login url.
    I appreciate the more recent, more sophisticated mechanisms for identifying malicious requests, but the most important function of WP Cerber for me is how effective it is in preventing any level of success for a username/password list brute force attack.
    A large part of the effectiveness comes from the obscure login url remaining secret.
    In the last 2 years, for 20 sites, no failed logon has been on the actual login url (down from 5000/week on the actual login url before WP-Cerber).
    Please help me protect that obscurity.
    Sanity through Obscurity!
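
A site-side mitigation for the concern raised in this thread, as an added example that is not part of the original posts or of WP Cerber: a small must-use plugin that redacts the custom login slug from outgoing mail. It assumes the notifications are sent through WordPress's `wp_mail()`; the constant `MY_LOGIN_SLUG` and both function names are hypothetical.

```php
<?php
/**
 * Added example (not WP Cerber code): redact a custom login slug from
 * every e-mail that passes through wp_mail(). Drop into wp-content/mu-plugins/.
 */

// Hypothetical constant: define it in wp-config.php with your own slug.
if (!defined('MY_LOGIN_SLUG')) {
    define('MY_LOGIN_SLUG', 'xxxxxxxxxxxxxxxxx'); // placeholder, as masked in the thread
}

/** Replace URLs containing the slug, then any bare occurrence of the slug. */
function redact_login_slug(string $text, string $slug): string
{
    if ($slug === '') {
        return $text; // nothing to protect
    }
    // Whole URL up to whitespace, quote or angle bracket (plain text and HTML mail).
    $pattern = '~https?://[^\s"\'<>]*' . preg_quote($slug, '~') . '[^\s"\'<>]*~i';
    // preg_replace() returns null on error; the str_ireplace() below still
    // removes the slug in that case, so the filter never fails open.
    $text = preg_replace($pattern, '[login URL redacted]', $text) ?? $text;
    return str_ireplace($slug, '[redacted]', $text);
}

/** Callback for the 'wp_mail' filter: $args holds to, subject, message, headers, attachments. */
function redact_login_slug_in_mail(array $args): array
{
    foreach (['subject', 'message'] as $key) {
        if (isset($args[$key]) && is_string($args[$key])) {
            $args[$key] = redact_login_slug($args[$key], MY_LOGIN_SLUG);
        }
    }
    return $args;
}

// Only register inside WordPress; the functions above also run stand-alone.
if (function_exists('add_filter')) {
    add_filter('wp_mail', 'redact_login_slug_in_mail', PHP_INT_MAX);
}
```

The filter applies to all mail from the site, so any message that legitimately links to the login page will also arrive with that link redacted.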
