1xBet global,Hacksaw Gaming free play.REGISTER NOW GET FREE 888 PESOS REWARDS!

Resolved cgzaal
(@cgzaal)

8 years, 3 months ago
In my server logs I found a bot hitting my hidden login URL.
At first I was stupified: how could a (Russian) bot guess my secret login slug?

I found out that the bot hitting https://www.mywebsite.com/wp-register.php
got redirected to https://www.mywebsite.com/secret-slug?action=register, which,
by the way, got redirected to https://www.mywebsite.com/secret-slug/?registration=disabled

Is this a bug? Is this general behaviour?
Maybe you can fix this?

I fixed it in htaccess by denying access to wp-register.php, which,
strangely enough, isn’t a proper wordpress-file.
- This topic was modified 8 years, 3 months ago by cgzaal.

Viewing 2 replies - 1 through 2 (of 2 total)

Julie
(@habannah)

8 years, 2 months ago
Same thing happens on my site… Would you be able to help me with the htaccess code? I tried the following but it doesn’t do anything (as in, it still redirects).
```
# BEGIN Block direct access to wp-register.php

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .wp-register.php*
RewriteCond %{HTTP_REFERER} !.*mysite.com.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) ^https://%{REMOTE_ADDR}/$ [R=301,L]
</IfModule>

# END Block direct access to wp-register.php
```
Thanks!
Thread Starter cgzaal
(@cgzaal)

8 years, 2 months ago
I denied all access to wp-register.php, because I haven’t any other users besides myself:

<FilesMatch “\.htaccess|wp-config\.php|wp-register\.php”>
Order allow,deny
Deny from all
</FilesMatch>

Furthermore you should check you regex expressions.

The following line has a strange regex syntax (just leave out the . and *):
RewriteCond %{REQUEST_URI} .wp-register.php*

Same thing with the next line: leave out the .* (try to learn about regex somewhere).

Also the following line is strange. Having a rewrite URL with regex tokens in it is meaningless (leave out the ^ and $):
RewriteRule (.*) ^https://%{REMOTE_ADDR}/$ [R=301,L]

Finally: to check your code, you should POST to wp-register.php with an other website as referer or with an empty user-agent. How do you check? With curl?
- This reply was modified 8 years, 2 months ago by cgzaal.
- This reply was modified 8 years, 2 months ago by cgzaal.
- This reply was modified 8 years, 2 months ago by cgzaal.
- This reply was modified 8 years, 2 months ago by cgzaal.
- This reply was modified 8 years, 2 months ago by cgzaal.
- This reply was modified 8 years, 2 months ago by cgzaal.
- This reply was modified 8 years, 2 months ago by cgzaal.

Viewing 2 replies - 1 through 2 (of 2 total)

The topic ‘Hidden URL gets revealed by hitting wp-register.php’ is closed to new replies.