WordPress redirect bypasses plugin

Resolved mwarbinek
(@mwarbinek)

12 years, 3 months ago

I really feel like a guinea pig in all this. I found another hack to your plugin.

A new hack I found is when someone types a URL as follows:

“http://(sitename.com)/WordPress/wp-admin/edit-comments.php”,

they are redirected to the login page showing the renamed login. I tried a few others, some worked the same way (redirected to the login), others failed.

I noticed that the recent hack attempt to my site because my security sends a warning email to me for every login page access. This email showed a blank referral. Normally, the referral would show the URL the person used to access the login page, but it was blank.

I had no idea how a hacker was accessing the login page, bypassing your plugin and giving a blank referral.

Then today, it so happened that I was replying to a visitor to my site, a comment he made and my security plugin sent me an email when I accessed comment page via my dashboard, yet at that time, I was not redirected. But, when I used the URL directly into my browser, WordPress redirected me to my login. Viola, I got the warning email and the referral was blank.

With some research, I found that WordPress designed the blog software to redirect incomplete URL’s and other non-related URL’s. I tried some mods to php files to stop the redirect and all failed to stop the redirect to the login page.

Any suggestions?

https://wordpress.org/plugins/rename-wp-login/

Viewing 6 replies - 1 through 6 (of 6 total)

Thread Starter mwarbinek
(@mwarbinek)

12 years, 3 months ago

Does anyone have an answer to this issue?

I am still getting hackers to my login page with this problem.

Thread Starter mwarbinek
(@mwarbinek)

12 years, 3 months ago

Here again is the problem.

When a hacker types in the URL like this:
“http://(sitename.com)/WordPress/wp-admin/edit-comments.php”,

WordPress redirects him to my login page and the URL redirect looks like this:
“http://(sitename.com)/(my renamed login name)/?redirect_to=http%3A%2F%2F(sitename.com)%2FWordPress%2Fwp-admin%2Fedit-comments.php&reauth=1”

It appears to resolve this, maybe change the redirect URL to somewhere else or change the “reauth=1” to another authorization code number so the hacker does not get the login page?

Anyone have ideas?
(PS I am not fully versed in PHP so this is why I am asking here)

Plugin Author Ella Van Durpe
(@ellatrix)

12 years, 3 months ago

I tried several websites and I can’t reproduce this. What other plugins do you have installed? Which other setting do you think might be causing this? Any special comment settings or website configuration?

Thread Starter mwarbinek
(@mwarbinek)

12 years, 3 months ago

Ok, your right. I should have thought of that before posting.

The plugin that conflicts with your “rename login” is:

“WPtouch Mobile Plugin”

Sad, because that plugin allows people to view my blog from a cell phone.

Oh well, I will let them know and in the mean time find something else to use.

Now that I deactivated the “WPtouch Mobile Plugin” I get an error page that says I have to be logged into admin to access that php file. That is good. No more redirects to my login page.

Of course, I will keep you up to date on new hack attempts, after all I am the official guinea pig now.

🙂

Mark

Thanks

Plugin Author Ella Van Durpe
(@ellatrix)

12 years, 3 months ago

Well, I appreciate your help with detecting these things. Just address the issue on their forum, that’s weird behaviour for a mobile plugin.

Thread Starter mwarbinek
(@mwarbinek)

12 years, 3 months ago

Welcome, that is what a guinea pig is for 🙂

I just finished posting in their help forum for that plugin.

Thanks
Mark

Viewing 6 replies - 1 through 6 (of 6 total)

The topic ‘WordPress redirect bypasses plugin’ is closed to new replies.