iThemes Security (formerly Better WP Security)
Why does the Hide Backend Options login includ the secret key? (2 posts)

  1. luxman
    Posted 3 years ago #

    I check-marked it active, and set the login as follows:

    Login URL: http://www.domain.com/login/

    However, when viewing that page I get redirected to a:
    http://www.domain.com/wp-login.php?phxmvl1xf2kwyqovb3b32 (the secret code)

    what's going on? I thought it was supposed to just read - /login/, not include the wp-login.php stuff?


  2. Handoko
    Posted 3 years ago #

    I'm not the author but lets me try to answer.

    Default WordPress login is .../wp-login.php. Changing the file (php file) to something different (for example: .../login) is hard, might cause many issues, because that is the WordPress default. Also deleting the wp-login.php is not a good thing to do.

    So, using .htacess the author redirect it. If anyone type:
    then it will be redirect to the original WordPress login.

    The problem is, what if someone (hacker) types the orignal login? The author added something called secret code:

    .../wp-login.php -> not a valid login, disable it.
    .../wp-login.php + secret code -> allow it to login.

    I think it is good to using those trick. Because when something bad happens, we can easily edit the .htaccess file and delete the plugin folder, then we can login to the website again, this plugin doesn't make any changes in WordPress original files.

Topic Closed

This topic has been closed to new replies.

About this Plugin

About this Topic


No tags yet.