• I have backend hidden in settings
    so wp-admin is ‘not found’ but if I type wp-login I get to the login page despite having changed the slug

    ‘wp-login.php’ shows not found but ‘wp-login’ takes me to login

    Is there a setting I’m missing?

    I became aware of it because of a large number of lockouts

    btw secret login slug is working
    using both chrome and firefox shows the issue
    and of course I didn’t change the secret slug to wp-login!

    many thanks
    Kit

    https://www.ads-software.com/plugins/better-wp-security/

Viewing 4 replies - 16 through 19 (of 19 total)
  • Thanks a lot for your answer!

    I’ve solved it with a manual rewrite-rule in htaccess:

    RewriteRule ^wp-login - [F]

    hansolo

    @kitcummings

    ithemes security ‘Hide login Area’ does not work on 1&1 UK shared server stack [at this time of posting]

    I understand what you are trying to say but this statement is not true.

    The iTSec plugin ‘Hide Login Area’ feature works fine.

    It appears that 1&1 force the slug ‘wp-login’ to take you to the login page even though WordPress does not use that slug [who knows why?]

    1&1 UK should be able to answer that question.

    The iTSec plugin cannot anticipate all the WordPress custom login slugs hosting providers provide …
    Adding easy to guess WordPress custom login slugs to the Webserver config can also be considered as a potential security risk …

    Anyway the iTSec plugin ‘Hide Login Area’ feature is security by obscurity …

    So it does not really strengthen the security of a WordPress website …(but it does help minimize host\user lockouts …)

    It also does not protect you from XMLRPC brute force attacks … (and subsequent host\user lockouts).

    I actually like the .htaccess RewriteRule solution from @hansolo98

    dwinden

    I made changes in .htaccess as below and it worked

    # BEGIN iThemes Security – Do not modify or remove this line
    # iThemes Security Config Details: 2
    # Enable the hide backend feature – Security > Settings > Hide Login Area > Hide Backend
    RewriteRule ^(/)?secretlogin/?$ /wp-login.php [QSA,L]
    RewriteRule ^(/)?/?$ /wplogin [F]
    RewriteRule ^wp-login\.php$ [QSA,L]
    RewriteRule ^wp-login /404.php [F]
    # END iThemes Security – Do not modify or remove this line

    Edit: 404.php is “Error 404 – Page not found”, the page of my theme.

    I have a similar problem (i.e. the slug ‘wp-login’ takes you to the login page) and thought I’d add a few comments.

    @kitcummings – Your solution to not use the hide feature in iThemes Security and use ‘WPS Hide Login’ is still not complete. The problem is when someone tries to use /register.php directly. Try it. You’ll see that it doesn’t work. It redirects and shows your “secret” login slug in the URL. register.php IS handled properly in iThemes Security BTW.

    So, both plugins have a weakness so to speak. WPS Hide Login doesn’t handle register.php properly, and iThemes Security doesn’t handle wp-login properly.

    I feel that it’s kind of a shame that iThemes had to go and change this feature. They removed the ability to set the Register and Admin slug, as well as the secret key.

    Also @dwinden, you say that the plugin works fine. It doesn’t work for me and I’m running a fairly vanilla WP install on my own hardware. The suggested .htaccess fixes haven’t worked for me, so I’ve actually reverted back to my last backup of the original bit51 plugin, which works just fine. Agreed that this feature is security by obscurity, but it does help.

    BTW, the original plugin admin page for “Hide” can be seen here “https://managewp.com/wp-content/uploads/2013/02/Better-WP-Security-4.png”

  • The topic ‘backend hidden but wp-login is still available’ is closed to new replies.
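
Added example, not part of the original thread or of any plugin's code: a small check to run against your own site after changing the hide-login settings or the .htaccess rules, covering the paths raised in the replies above (the `wp-login` alias, `register.php` redirecting to the secret slug, and `xmlrpc.php`). The slug `secretlogin`, the host `example.test`, the `id="loginform"` marker heuristic and the sample responses are assumptions constructed for illustration.

```python
import urllib.error
import urllib.request

# Paths raised in the thread. "secretlogin" below is a placeholder slug.
PROBE_PATHS = ["/wp-login", "/wp-login.php", "/wp-admin/", "/register.php", "/xmlrpc.php"]

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # do not follow 3xx; urllib then raises HTTPError

def fetch(base_url, path):
    """GET one path on your own site; return (status, Location header, body)."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(base_url.rstrip("/") + path, timeout=10) as resp:
            body = resp.read(65536).decode("utf-8", "replace")
            return resp.status, resp.headers.get("Location") or "", body
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location") or "", ""

def classify(path, status, location, body, secret_slug):
    if 300 <= status < 400 and secret_slug and secret_slug in location:
        return "LEAK: redirect reveals the secret slug"
    if status == 200 and 'id="loginform"' in body:  # heuristic for the stock login form
        return "EXPOSED: login form served"
    if path == "/xmlrpc.php" and status in (200, 405):  # stock WordPress answers GET with 405
        return "OPEN: XML-RPC still reachable"
    if status in (403, 404):
        return "ok: blocked"
    return "review: HTTP %d" % status

def audit(base_url, secret_slug, fetcher=fetch):
    return {p: classify(p, *fetcher(base_url, p), secret_slug) for p in PROBE_PATHS}

# Constructed responses modelled on the behaviour described in the thread.
SAMPLE = {
    "/wp-login": (200, "", '<form name="loginform" id="loginform">'),
    "/wp-login.php": (404, "", ""),
    "/wp-admin/": (404, "", ""),
    "/register.php": (302, "/secretlogin?action=register", ""),
    "/xmlrpc.php": (405, "", ""),
}

def sample_fetch(base_url, path):
    return SAMPLE[path]

if __name__ == "__main__":
    for path, verdict in audit("https://example.test", "secretlogin", sample_fetch).items():
        print(f"{path:15} {verdict}")
```

To check a live site, call `audit()` with your own base URL and slug and leave out the `fetcher` argument so the real `fetch()` is used.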