honuware
Forum Replies Created
Forum: Plugins
In reply to: [WPS Hide Login] How to hide resetpassword url?
Having other users able to register, log in, and request a password reset involves a public exposure of some kind no matter what. That is the ultimate solve to harden this process.
Even if you had a login area on the front of the site, when they make a “mistake” the default is to go to the traditional login page, which again, defeats the purpose you want solved.
Let me think on this a bit.
Forum: Plugins
In reply to: [WPS Hide Login] How to hide resetpassword url?
When I said “it should redirect” that was supposed to mean redirect to not your login page, so the 404 error is a good thing since it does not expose your slug and disclose your URL.
I am using this plugin to avoid automated programs looking for wp-login.php positive experiences to flag my site for further malicious action. When the plugin is activated, all the URLs I would try to get a positive hit either redirected to my chosen page in the plugin settings or gave the 404 error which I thought was a good thing.
I guess what I am trying to say is the only way someone would know your reset password URL thus knowing your login URL is if they knew your login URL in the first place so they could click on the appropriate reset password URL from that page.
Am I missing something? I am trying to work through this with you so we both have a level of comfort knowing this plugin meets our needs and comfort level.
Thanks for your engagement on this so I better understand.
H
- This reply was modified 5 years, 10 months ago by honuware.
Forum: Plugins
In reply to: [WPS Hide Login] How to hide resetpassword url?
I just installed this plugin and I think this concern is not one to be worried about.
Before you activate the plugin, the wp-login.php page has the lost password link and it will be this
https://yoursite.com/wp-login.php?action=lostpassword
so you had to get to the login page to do the lost password link.
With the plugin activated on your site, the login page is
https://yoursite.com/loginhere/
On that page, the link to the lost password page is like you said
/loginhere?action=lostpassword
I think everything is okay since the lost password link is tied to the wp-login.php and your chosen slug for the login page (loginhere) replaces wp-login.php. If someone does not know your slug, they cannot get to the lost password page.
With the plugin activated, please try to go to
https://yoursite.com/wp-login.php?action=lostpassword
It should redirect.
If I am wrong, can the developer please chime in?
- This reply was modified 5 years, 10 months ago by honuware. Reason: added something to try
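A self-check for the behaviour discussed in the replies above, as an added example that is not part of the forum posts or the plugin's code: it inspects responses to the default login URLs and reports any that give away the custom slug. The responses are constructed, `loginhere` is the example slug from the posts, and the form names checked are assumed to match the markup WordPress core emits on wp-login.php.

```python
from urllib.parse import urlsplit

# Form names assumed to match the markup WordPress core emits on wp-login.php.
FORM_MARKERS = ('name="loginform"', 'name="lostpasswordform"')


def discloses_slug(status, headers, body, slug):
    """Return the reasons one response to a default URL gives the slug away."""
    headers = {k.lower(): v for k, v in headers.items()}
    reasons = []
    # A redirect is fine only if its target is not the hidden login page.
    if 300 <= status < 400:
        path = urlsplit(headers.get("location", "")).path
        if slug in [seg for seg in path.split("/") if seg]:
            reasons.append("redirect target contains slug")
    # A 200 carrying a login form means the default URL is still live.
    if status == 200 and any(m in body for m in FORM_MARKERS):
        reasons.append("login form served at default URL")
    # Links or form actions in the page can also point at the slug.
    if f"/{slug}" in body:
        reasons.append("response body links to slug")
    return reasons


def audit(responses, slug):
    """Map each probed path to its disclosure reasons (empty list = OK)."""
    return {path: discloses_slug(*resp, slug) for path, resp in responses.items()}


# Constructed (status, headers, body) samples, not captured from a real site.
HIDDEN = {
    "/wp-login.php": (404, {}, "<h1>Page not found</h1>"),
    "/wp-login.php?action=lostpassword":
        (302, {"Location": "https://yoursite.com/404/"}, ""),
}
LEAKY = {
    "/wp-login.php": (302, {"Location": "https://yoursite.com/loginhere/"}, ""),
    "/wp-login.php?action=lostpassword":
        (200, {}, '<form name="lostpasswordform" action="/loginhere?action=lostpassword">'),
}

if __name__ == "__main__":
    for name, sample in (("hidden", HIDDEN), ("leaky", LEAKY)):
        for path, reasons in audit(sample, "loginhere").items():
            print(name, path, reasons or "ok")
```

To run it against your own site, fill the dictionary from requests made with redirects disabled, so the `Location` header is inspected rather than followed.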