backend hidden but wp-login is still available

@kit

When you use wp-login to access the WP Dashboard login page, does the URL get redirected\changed ? Or does it stay the same (wp-login) ?
If not how does the URL look like when the WP Dashboard login page is displayed ?

If it stays the same (wp-login) please check your .htaccess file in the root of the WP install. Check for a wp-login RewriteRule entry.
Actually check it anyway.

dwinden

Hi dwinden
many thanks for your help on this..

when using wp-login the url doesn’t get redirected or changed, it stays as:
https://www.sitename.com/wp-login

.htaccess has the following:

# BEGIN Hide Backend
			# Rules to hide the dashboard
			RewriteRule ^(/)?new-login/?$ /wp-login.php [QSA,L]

	# END Hide Backend

should there be anything else?

Kit

@kit

No, those are the expected Hide Backend feature lines.
Was the iTSec plugin installed recently ? Or has it been running for a while ? (1, 2 or more years).

Does the wp-login slug still work when you disable the Hide Backend feature ?

dwinden

@kit

If the wp-login slug is still working after disabling the Hide Backend feature obviously it is not an iTSec plugin issue.

You may need to flush the WP rewrite rule cache to get rid of it.

The WP flush_rules() method is called whenever permalink settings are changed or saved in the WordPress admin, so rewrite rules can be manually refreshed by visiting the Settings > Permalinks screen in WordPress’s admin.

Make a note of the current Permalink setting (Post name most of the times).
Tick the Default option box and then click on the blue Save Changes button at the bottom of the page.
Then tick the previous Permalink setting again and click on the blue Save Changes button at the bottom of the page.

Logout and try and access the wp-login slug … (With or without the iTSec plugin Hide Backend feature enabled).

dwinden

@dwinden

the itsec plug has been running about 10 months on the site

the wp-login slug still works after hide backend is disabled

i reset permalinks to default and then back again but the issue still exists

i used plug regenerate permalinks but issue still exists ie wp-login is still available

if not an itsec issue, do you think its a plugin conflict or a server issue perhaps?

i have two other sites that were originally based on a clone of this one and they both show the same issue

@kit

It could be a plugin, the active theme or a server conf issue.

If the 3 sites are using the same theme try and activate a standard WP theme like TwentyFifteen in one of them and see whether the wp-login slug still works.

Otherwise temporarily deactivate all plugins. If that helps, activate the plugins one by one till the wp-login slug starts working again …

dwinden

Sorry for the delay…

I deactivated all plugins [inc. itsec] and activated a default theme [2015].

Checked the .htaccess file and all itsec bits were removed…just WP default version of .htaccess remained

Tried: wp-admin, wp-admin.php, wp-login.php, wp-login, login, admin and all took me to login page as expected.
Tried secret slug and it failed as expected.

I then enabled itsec on the naked WP [no plugs, default theme] and the issue still exists …

i.e wp-admin, wp-admin.php, wp-login.php, login, admin = not found…great!
secret slug gives login page….great!
but frustratingly ‘wp-login’ ALSO gives login page…

.htaccess appears to be writing and performing correctly otherwise..

Could it be something residual in my database that has ring fenced the slug ‘wp-login’?

What server misconfiguration could cause this?

Most grateful for any ideas or thoughts..

cheers

this is the entry in the database for: wp_options/option_name/itsec_hide_backend

a:7:{s:7:"enabled";b:1;s:4:"slug";s:9:"secretslug-login";s:17:"theme_compat_slug";s:9:"not_found";s:16:"post_logout_slug";s:0:"";s:12:"theme_compat";b:0;s:12:"show-tooltip";b:0;s:8:"register";s:15:"wp-register.php";}

anyone know if this looks correct?

@kitcummings

Yes, that looks like it is correct.
We have already determined this is not an iTSec plugin issue.

I noticed something weird in your other post.

Does wp-admin.php really take you to the WP login page ?

If so that might points us in the right direction.
That’s not supposed to work as that file does not exist in a clean WP env … you should get a page cannot be found (404).

To move this forward it might also be a good idea to open a new topic in the WordPress forum … (if not already).

dwinden

@dwinden
many thanks for your help on this..

firstly apologies… my error… wp-admin.php does indeed show a ‘not found’
all else is as above

[working late last night! – retested this all again this morning after your post]

you’d mentioned earlier, ‘If the wp-login slug is still working after disabling the Hide Backend feature obviously it is not an iTSec plugin issue.’

can i ask why this is?

Ah, ok no problem. Shit happens.

I’m afraid I didn’t phrase that the way it should have been phrased.
It should be:

If the wp-login slug is still working after disabling the Hide Backend feature obviously it is not a Hide Backend feature issue.

But also:

If the wp-login slug is still working after deactivating the iTSec plugin obviously it is not an iTSec plugin issue.

In a default WP env wp-login is not a valid WP Dashboard slug. It should not work to begin with.
So enabling the iTSec plugin Hide Backend feature will not filter and block wp-login requests …

Your first test result in post #8 confirms that the wp-login slug works despite having disabled all plugins and having switched to a default active theme (2015). It should not work.

Set up a vanilla WP test env (utilizing the same Apache\PHP\MySQL stack that is being used by the WP site exhibiting this behaviour) and see whether wp-login works on that test env. Do create a new database for the WP test env.

If it works the wp-login must be configured somewhere in the Apache\PHP\MySQL stack. So then we know for sure it’s not caused by something in the WP env.

In post #6 you mentioned:

i have two other sites that were originally based on a clone of this one and they both show the same issue

Are you running these 3 sites on the same Apache\PHP\MySQL stack at the same hosting provider ?

dwinden

yes the two others are on the same stack…

i have a few other WP sites on other server stacks and have just checked and indeed you are right wp-login slug does not work…can’t believe i never noticed that before!

i have just copied one of the sites in question on to another server and voila…it works as expected

so it would appear to be something in the 1&1 business stack

if i find out anything further i will post the solution

many thanks for your help dwinden!

@kitcummings

Ok great. So finally moving forward.

dwinden

@kitcummings

Hi Kit,

i have the same problem.
Have you solved it and is it sure a problem with your provider?

Thanks for a comment,
hansolo

Hi @hansolo98

apologies , should’ve posted conclusion

ithemes security ‘Hide login Area’ does not work on 1&1 UK shared server stack [at this time of posting]
it works on some other server stacks but not 1&1
[don’t know if it works on 1&1 US stacks?]

users are generally not aware of this issue because no-one tests the slug ‘wp-login’ because wordpress doesn’t use it and it shouldnt work on any site.
[wp does use ‘wp-login.php though]

It appears that 1&1 force the slug ‘wp-login’ to take you to the login page even though wordpress does not use that slug [who knows why?]

solution for me was to disable the feature in ithemes security and use another plugin which operates differently called ‘WPS Hide Login’ …it blocks all other urls except your secret one. [ithemes should take note?]

have notified both 1&1 and ithemes security, but no fix yet from either.

thus solving unusually high number of lockouts despite ‘hide login area’ enabled in ithemes security !!

hope this helps

best
k