• When I ativate the “Disable wp-login.php”, no one can recover their password again, because the link for recovering the password is:
    “wp-login.php?action=lostpassword”, and your plugin hides the lostpassword form also.

    I don’t want to have my wp-login.php showing up. So, is there a way to go around that?

    Thanks

    https://www.ads-software.com/plugins/wp-cerber/

Viewing 14 replies - 1 through 14 (of 14 total)
  • Plugin Author gioni

    (@gioni)

    No worries. That’s easy. You just need to specify Custom login URL. It will work as your new login URL and also as your lost password URL at the same time.

    Thread Starter alexmbr

    (@alexmbr)

    Well, I tried using this plugin here:

    https://www.ads-software.com/plugins/custom-login-url/screenshots/

    but enabling the “Disable wp-login.php”, still prevents this other plugin to work. As soon as I disable that option, the Custom plugin works fine.

    It would be nice to have those “Custom Lostpassword URL” inside your plugin as well, since it calls the

    Plugin Author gioni

    (@gioni)

    Please, don’t use Cerber and Custom Login URL plugins together. Cerber’s Custom login URL setting is not intended to be compatible with any plugins which have similar functionality.

    It would be nice if you could clarify me a reason to have a specially configured different lost password URL. I don’t see any reason. Maybe I miss something…

    Thread Starter alexmbr

    (@alexmbr)

    Well, if I use a “Custom login URL” instead of the default to make it harder for a hacker, changing to something that only I know, but I have the Lost password url, that will reveal that “Custom login URL”. That doesn’t make it too secure.
    I change the login to = “https://mydomain.com/secretURL”,so noone knows it, but the user goes and click on the lostpassword, and the url appear as:
    https://mydomain.com/secretURL?action=lostpassword. Now the user knows the login secret page.

    Plugin Author gioni

    (@gioni)

    I don’t understand it anyway. Well, if users have ability to to reset password (and you provide them with a lost password link) that means that they can log in to the site? What is the reason to give the link to reset password and hide an URL for logging in? To me, you just don’t need to provide that password reset link.

    Thread Starter alexmbr

    (@alexmbr)

    Users can login only by using for example this link: “https://mydomain.com/my-account/”. Even a admin won’t ever go into the Admin area using that login link.
    The secretURL (wp-login.php) is for admin logging in only.

    With that plugin that showed you, this would be my site:
    https://mydomain.com/clientlogin”
    https://mydomain.com/adminlogin”
    https://mydomain.com/recoverpassword”

    But with Cerber this is what I have:
    https://mydomain.com/my-account”
    https://mydomain.com/secretURL”
    https://mydomain.com/secretURL?action=lostpassword”

    Plugin Author gioni

    (@gioni)

    I’m sorry, but I don’t see a reason to have two different URL to log in. I mean your “https://mydomain.com/clientlogin” and “https://mydomain.com/adminlogin”. They both work identically. Despite how someone was logged in, they have identical capabilities and permissions. Those capabilities is based on user role. Right? Probably you want to redirect ordinary users to some different place on the site after logging in? If so, you should use something like this: https://www.ads-software.com/plugins/peters-login-redirect/

    Thread Starter alexmbr

    (@alexmbr)

    No, they are not same. Only “https://mydomain.com/adminlogin” can take the user to see the admin panel. Also, using that URL, the user won’t be able to see or have acess to the “wp-login.php”. That is the point, right, to hide the wp-login.php.

    Anyway, I did set a new “Custom Login URL” and enabled “Block direct access to wp-login.php and return HTTP 404 Not Found Error”. But when I click on the lost password links on my site, it only calls the 404.

    Also, if I enabled the “Immediately block IP after any request to wp-login.php” option, whenever I click on the any lost password link, my IP becomes Blocked.

    Plugin Author gioni

    (@gioni)

    Sorry, that is not right way to block access to the admin panel for ordinary users. You should restrict access by using user’s role, not by using some URL.

    Both options “Block direct access to wp-login.php and return HTTP 404 Not Found Error” and “Immediately block IP after any request to wp-login.php” handle ANY REQUESTS to the wp-login.php script.

    If you try to open lost password link which is based on wp-login.php like wp-login.php?action=lostpassword you will get blocked.

    Thread Starter alexmbr

    (@alexmbr)

    That is not the right way of hidding the wp-login.php file as well. I hide it, but then I showing to the users. That does not make any sense. If I need to hide the file, it does not make sense, that I show it to the users.

    About the blocking part, I change it inside your code to make it work.

    if ( $script == '/'.WP_LOGIN_SCRIPT || $script == '/'.WP_SIGNUP_SCRIPT) { // no direct access
    		if ($_REQUEST['action'] != 'lostpassword'){
    			if (cerber_get_options('wplogin'))	cerber_block_add($wp_cerber->getRemoteIp(),__('Attempt to access','cerber').' '.$script);
    			if (cerber_get_options('loginnowp')) cerber_404_page();
    		}
    	}
        elseif ($script == '/'.WP_XMLRPC_SCRIPT || $script == '/'.WP_TRACKBACK_SCRIPT) { // no direct access
            if ($opt['xmlrpc']) cerber_404_page();
        }

    Plugin Author gioni

    (@gioni)

    Both options are intended to hide wp-login.php from bots and scanners. Not humans.

    I recommend to use this role based approach to block access to the /wp-admin/. You may use code below to redirect all non-admins to the home page if they are trying to open /wp-admin/.

    add_action('admin_init', 'block_dashboard');
    function block_dashboard(){
    	if ( defined( 'DOING_AJAX' ) && DOING_AJAX ) return;
    	$current_user = wp_get_current_user();
    	if (in_array('administrator',$current_user->roles)) return;
    	wp_redirect(site_url());
    }
    Thread Starter alexmbr

    (@alexmbr)

    Thanks.

    Would it be possible for to give a feature suggestion here?

    It would be a nice security feature to have, if the plugin detect if too many no existent pages.
    Something like: Immediately block IP when attempting to hit non-existent pages above 3 tries.

    Plugin Author gioni

    (@gioni)

    Do you mean some situation when someone is trying to find out URL to log in? If so, that is certainly reasonable idea. I think I can put it on my TODO list.

    Thread Starter alexmbr

    (@alexmbr)

    Yes, something like that. Just image in less than 1 minute someone is trying to find several pages that don’t exist
    https://yourdomain.com/mylogin.php
    https://yourdomain.com/admin.php
    https://yourdomain.com/hidenadmin.php

    1o: is that a registered user? If so, send an email to admin and block him.
    2o: detect if those came from the same ip, and if so: Block it!
    3o: not from the same ip? Perhaps disable the logging in for an ammout of time?!

Viewing 14 replies - 1 through 14 (of 14 total)
  • The topic ‘Disable wp-login.php and Lost Password problem’ is closed to new replies.