@seinomedia because there’s no possibility to login any other way than by knowing the changed site URL.
Otherwise how else would your plugin be useful?
@semoliner DNS has nothing to do with login page. Your browser cache might.
Yes the browser cache was probably the cause of not being able to see the modified login page (I modified my post when I figured that out, I hoped you wouldn’t see it, ha!) so now the mystery is only how the would-be hacker found my original login page? Anyway now I’ve changed the login page and let’s see what happens.
PS: I just read another thread “Website getting failed login attempts” in which the reply was “Robots crawl your pages and can find any link. If there’s a public link to your login page, this one is reachable by anyone.”
Is this the answer we have been seeking here?
Note that my WPS Hide Login slug has no published link but perhaps robots find it anyway?
Hello @semoliner,
Yes, that’s why I asked to everyone if the case “Everyone can sign up” was checked, if there was a public login page and wether users could comment.
Maybe the login page link is displayed somewhere in the theme without your agreement too.
The website does not have any option in General settings for “Everyone can sign up”.
There is an option called Membership “Anyone can register” and this is unchecked.
We do not have any comments section where users can reach the login page (in fact we don’t have any comments section at all).
There is no public login page, the only login page is the WPS Hide Login URL, which is only known to me. The link to it is not displayed anywhere in the theme.
So far I am unaware of any further attempts to hack the login since I changed the slug, but the original slug could not be guessed, so it should not have been necessary to change it, unless it can be derived by bots?
Hello @semoliner
/wp-login.php default slug is set for every new WordPress. Then, everyone knows it and can reach it… Robots are programmed to find this default slug…
Then, I understand you don’t have any login attempt since you installed WPS Hide Login. So, there’s no problem.
I have posted here in this forum because someone discovered my WPS Hide Login page. The fact that they have not discovered it since I changed the page does not mean there is no problem, it just means no one has discovered the new page – yet.
Sorry but I really can’t describe it any clearer than in my last post.
HYE,
same problem.
and read other french webmaster have it.
Robots discover hide login url (and try to connect by it).
i search all around my site, any link on the hide login.
i have woo membership plugins but all its links are on /my-account/ not on hide login page.
I can give you acces on site if you want, it’s not in prod.
-
This reply was modified 1 year, 6 months ago by
khahina.
Hello @khahina
Your website seems to have a membership plugin. Then, I think users can sign up on your website. So, the login page must be public.
hye
not membership plugins, the connexion done by url my-account no problem with it.
BUT
i found it : (i have a lot of posts) found the link on comments part but : old post (before comments was closed) and Elementor post template and comment widget in.
Also resolved for me …
ty
Hello,
Unfortunately we seem to be in the same boat as some of the others where all of a sudden yesterday we’ve had almost hundreds of attempts even after hiding the homepage.
We originally installed the plugin months ago, and after a week our page was found, we changed it, then two days, we changed it, and then we made it something very random and it was fine until yesterday evening.
Since then, it doesn’t matter if we’ve changed the login path, flushed the site cache, uninstalled and reinstalled the plugin and then put up a new page, we are still getting attempts and all paths (/login, /admin, /wp-login.php) are closed and properly leading to a 404 page.
Looking through previous comments:
– We do not have any comments or commenting on the website. Commenting was removed a while back as we just didn’t use it and all pre-existing comments have been removed so there’s nothing there.
– We also do not have the ability to sign up or have a membership.
– We’ve searched as a just in case and we have no links to lead to our login page as this is not a feature we offer.
– We are not using a CDN or performance tools like Cloudflare
– WordPress is currently up to date and using the latest PHP
Could it be that there’s an exploit in the WPS Hide Login plugin allowing a person to follow through to the established re-direct?
Any advice would be helpful in case we’ve missed something…
PY
I’m no expert at all but it would seem to me that it would be quite trivial for someone to write a script that would trawl websites for login pages, and it wouldn’t matter what the ‘obfuscated’ URL might be, if it’s online it will be found.
If this is the case, then it doesn’t matter how many times you change your WPS Hide Login URL, eventually it may well be found by such a script.
All WPS Hide Login does is remove the possibility of the average person (without the aid of such a script) gaining access to your website via the default WordPress login URL.
I would be interested to hear if this is correct… or just my imagination?
Hi @semoliner,
That’s my understanding of it as well, but I would expect when you change the address, that the process would have to start all over again. In this case, even if we changed it, the attempts have continued.
At least the first time, it took a week, and then it was guessed fairly easy after that as we had tried a variation. But when this time, we went almost two months because of a randomized string of characters.
But since that sudden restart, doesn’t matter what we changed it to, it’s continued which leads me to wonder if someone worked out how the WPS Hide Login works and is just now following the redirect without any work.
Ok, same case here. No public sign up, no membership plugin, no Cloudfare, no posts, no commenting allowed, and yet the nasty bugger can still try to log in. I really don’t get how that’s possible…
