How to remove links in wp-login.php

  • Hi Folks –

    I’m building a website that is entirely private. If you go to my site, you’ll get my customized wp-login.php page.

    I’ll be hardening the site as much as possible, but one of the things I can’t seem to conquer is completely blocking the registration, password reset and back to blog links that appear under the login form. I’ve found ways to keep them from being displayed, but they are still found in the page’s source code. Is there a way to block them from being pulled into the code at all? They useless for this site (invite-only, no registration, no pass reset – if someone wants a pass, I create and provide it manually), but it’s also giving away the fact I’m using WordPress, which I’m trying to hide for both security and esthetic reasons.

    Any help would be greatly appreciated. Please bear in mind, I’m coming more from the design side than the coding side. I’m more than willing to go in and play with php and css, etc, but you might have to explain it to me like a newb.

Viewing 10 replies - 1 through 10 (of 10 total)

  • Have you looked at these, https://www.ads-software.com/plugins/search.php?type=term&q=private+site

    Can you post a link?

    Thread Starter dmgcom

    (@dmgcom)

    Hi kmessinger –

    Thank you for the quick reply.

    Setting my site to private isn’t the problem, it’s blocking rather than hiding elements in the wp-login source code. That said, I’ve tried a few membership/private site plugins to accomplish this before getting here, as well as plugins that let you redesign the wp-login page. All the ones that offer options regarding these links appear to be using the nav display:none css you can find in the forums, which only hides the links but still leaves them in the source code.

    I don’t have a live site to share at the moment. I’ve been trying to get this fixed before it goes up. But, basically, what’s happening is that I can use php or css to hide the links – they don’t appear on the page itself – but if you look at the page’s source code, you still see them around line 70. So, the tricks I’ve found so far are just telling the browser not to display items that are in its code. I’m trying to block those before they reach the page code.

    Thread Starter dmgcom

    (@dmgcom)

    I should add – I’ve been banging my head against a wall for a couple of weeks on this. I feel like I’ve done due diligence in trying to conquer it on my own, but nothing I’ve come across works. It’s just beyond my ability to overcome it without help from you guys.

    Option 2 in this article might help. You would need to test it with your version and it might get overwritten with an upgrade although I don’t think so.

    https://www.wpbeginner.com/wp-tutorials/how-to-remove-the-password-reset-change-option-from-wordpress/

    If this works please let us know.

    Thread Starter dmgcom

    (@dmgcom)

    Hi kmessinger –

    Unfortunately, that gives me the same results. It’s hidden from visibility, but I’m still seeing the href code.

    In reading this again, I am not sure you can block references to your site.

    action=lostpassword could be changed maybe in a child theme, functions.php and backtoblog deleted in functions.php.

    You have to have a link to your site in login.php to reach your site. What about a static page that requires another login. Once you have DNS that works I not sure what you can do.

    I am going to change your title, if that is ok, to see if we can get some other eyes on this.

    Thread Starter dmgcom

    (@dmgcom)

    Hi kmessinger –

    Yes, please feel free to change the title. I really appreciate your trying to help me get it solved.

    I considered an option similar to what you’re describing – perhaps using a login widget on the home page that redirects to a protected area after login. My only hesitation was that I wanted the private area to be at the ‘subdomain.example.com’ level rather than the ‘subdomain.example.com/protected’ address. Plus, I wanted to make sure my wp-login horse was sufficiently dead before moving on to beat others. This horse is so close to dead.

    EDIT: I forgot to add, I did experiment a little with above approach, but found that the login widget provided by s2member redirects to the wp-login page anyway if you enter a wrong password, so it leaves me with the same problem.

    Maybe someone will have an idea.

    My host has a tool that allows you to make the administration panel of your application accessible only from selected IP addresses. Useful if you access your application only from familiar networks (home, office, etc.) and want to avoid potential attacks.

    You might ask your host or do a web search.

    Thread Starter dmgcom

    (@dmgcom)

    That might be an option. Security is a big part of why I’m trying to accomplish this. Another is that I’m serving copyrighted content back to it’s copyright holders, who understand the internet pretty well. So I’m not only trying to secure it for my own protection, but also make sure it also “feels” secure to anyone who might want to look behind the pages to see how their content it being protected. Making everything clean and appear proprietary, without extraneous code or obvious cms footprints can go a long way toward that.

    Also, I should add (to complicate things even more) – I’m running multisite with subdomains, and plan leave the password recovery link on the primary domain. That way, if i do ever lose my password, I can still get into the subdomain via the primary domain as an admin. So I’m only looking for a way to block it for one site. Or even possibly at just the subdomain level.

    So it would be:
    example.com = password recovery link remains
    subdomain.example.com = all login links blocked from visibility and from appearing in the code.

Viewing 10 replies - 1 through 10 (of 10 total)
  • The topic ‘How to remove links in wp-login.php’ is closed to new replies.