Login Hell

  • Im running a multisite with a few sub sites using different themes.

    When users log out of a site, they get redirected to the network master, which in their eyes is a totally different website and is confusing. Its like logging out of NBC and being redirected to Microsoft. On some sites people logging out get redirected to the backend login screen. This is crazy, why is it so hard to keep website users inside the website?

    The second issue is with the wp-login page. It is a known security flaw because its consistent on all WP sites unless someone changes the code or uses a plugin. I think this should be addressed in the basic WP installation and not left to 3rd party modification. As soon as I enable registrations, my sites get spammed with bots trying to login because of course they know the login address /wp-login.php. Is there a simple, non technical, non over bloated plugin solution?

    Lastly, I am trying to find a way for people to login to my websites using Facebook and Twitter but the plugins I have found so far seem to be dependent on 3rd parties or poorly supported. Its so common around the internet, I guess I was expecting one plugin to stand out from the crowd and be the default that most WP people use.

    If you could help me out of login hell I would greatly appreciate it, I just want to make the process a lot smoother for users than it is now.

Viewing 5 replies - 1 through 5 (of 5 total)
  • Moderator James Huff

    (@macmanx)

    This is crazy, why is it so hard to keep website users inside the website?

    Try this plugin: https://www.ads-software.com/plugins/remove-dashboard-access-for-non-admins/

    [wp-login.php] is a known security flaw because its consistent on all WP sites unless someone changes the code or uses a plugin.

    I wouldn’t call it a security flaw. If wp-login.php is a security flaw, then so is https://accounts.google.com/ServiceLogin and https://twitter.com/login and https://www.facebook.com/login

    Security comes down to the quality of your password, and perhaps an added 2-factor-authentication or any other security plugin.

    Is there a simple, non technical, non over bloated plugin solution?

    First, add this to your .htaccess file:

    <IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .(wp-comments-post|wp-login)\.php*
RewriteCond %{HTTP_REFERER} !.*(example.com|jetpack.wordpress.com).* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) https://%{REMOTE_ADDR}/$ [R=301,L]
</ifModule>

    Replace “example.com” with your domain, and if you aren’t using Jetpack Comments, remove “|jetpack.wordpress.com”.

    This will prevent bots from directly attacking wp-login.php and wp-comments-post.php, they will need to go through the forms to login or leave comments.

    After that, install a plugin like https://www.ads-software.com/plugins/bruteprotect/ to catch anything else that makes it through.

    I am trying to find a way for people to login to my websites using Facebook and Twitter but the plugins I have found so far seem to be dependent on 3rd parties or poorly supported.

    Have you tried https://www.ads-software.com/plugins/facebook/ ?

    Thread Starter micvideo

    (@oceandigital)

    Thank you for the reply, I really appreciate the help.

    I wouldn’t call it a security flaw. If wp-login.php is a security flaw, then so is https://accounts.google.com/ServiceLogin and https://twitter.com/login and https://www.facebook.com/login

    I believe those are the URLs for user logins, not administrators. I doubt Mark Zuckerberg goes to that address to login to the back end of Facebook. WP uses one login page for both front and back, or at least it looks that way. I used to use Joomla a lot and to access the ‘dashboard’ I used a /administrator URL. Anyway, it would be nice if the back end login was completely separate in WP. I’ll have a look at the plugin you suggested and get back to you.

    I really do not want to modify my htaccess file, it’s taken me out many times when I manually edit. I use Wordfence which I think locks out attackers and defends the site like you suggest. I would like to know more about that code before inserting it and check what I currently have.

    Have you tried https://www.ads-software.com/plugins/facebook/ ?

    No, but I want more than just Facebook login. Twitter and google are also important.

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    ?????? Advisor and Activist

    I believe those are the URLs for user logins, not administrators. I doubt Mark Zuckerberg goes to that address to login to the back end of Facebook. WP uses one login page for both front and back, or at least it looks that way.

    Surprisingly ….

    Google at least that’s how you get in to admin the services. Not the serVER, but then again, I have to SSH in for that. But to use and admin WP? Or google apps mail? Yep, same login.

    Using WordFence instead of that htaccess code James suggested is the epitome of what you said you didn’t want to do. Large, bloated, plugin (nothing against WordFence, it’s just huge), vs a quick and simple fix.

    There are plugins like LoginRadius which I hear can do what you want, but you’re really going to have to experiment to find the one you want. :/

    Thread Starter micvideo

    (@oceandigital)

    Can either of you explain a little bit more about the htaccess code you recommended? I don’t know what any of it means.

    Can I add it to my existing code or overwrite it? I can post what I have already here if that would help.

    Moderator James Huff

    (@macmanx)

    The code takes anyone directly accessing the login and comment posting files (without accessing them through the website, in other words something no human in a browser will never do) and simply just redirects them back to themselves, so they can’t even attempt to log in or post a comment.

    More details at https://halfelf.org/2013/wp-login-protection-htaccess/

    Just add it to your .htaccess file, don’t overwrite anything.

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘Login Hell’ is closed to new replies.