• wy

    (@wesyah234)


    An intruder has found a workaround for a hidden backend. I was alerted to this because I received an alert saying someone had tried to log in, but since I have “hide backend” set I never receive any invalid login alerts. Looking in the logs I see the intruder used a particular format of the wp-login URL that actually works even though hide backend is set. I’d rather not give the workaround URL here in a public forum. Does iThemes Security have a way that I can directly report a security vulnerability? Thank you.

Viewing 3 replies - 1 through 3 (of 3 total)
  • It sounds like this has to do with XML-RPC. Make sure you have blocked XML-RPC requests. Go to Security Settings > WordPress Tweaks and choose Disable XML-RPC (recommended). Also choose “Block” for “Multiple Authentication Attempts per XML-RPC Request” below it.
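The two settings named in the reply above target WordPress's XML-RPC endpoint (xmlrpc.php) and, in particular, the system.multicall method, which lets a single HTTP request carry many method calls, each with its own username and password, so one request can test hundreds of passwords while producing only one entry in a per-request log. The block below is an added example written for this page; it is not iThemes Security's code and does not come from the thread. It shows, in standard-library Python, what a request-level check for that pattern looks like: it builds a multicall body the way a brute-force tool would, then counts the credential-bearing calls in an incoming body and rejects the request when more than one is present. The set of methods treated as authenticating and the limit of one attempt per request are assumptions of the example, not values taken from the plugin.

```python
import xmlrpc.client
import xml.parsers.expat

# WordPress XML-RPC methods whose leading parameters are (username, password).
# Assumption of this example: the set is illustrative, not WordPress's full
# method table.
AUTH_METHODS = {
    "wp.getUsersBlogs",
    "wp.getUsers",
    "wp.getPosts",
    "wp.getProfile",
    "metaWeblog.getUsersBlogs",
    "blogger.getUsersBlogs",
}


def build_multicall(username, passwords):
    """Build a system.multicall body that tries one username against many
    passwords in a single HTTP request (the shape a brute-force tool sends)."""
    calls = [
        {"methodName": "wp.getUsersBlogs", "params": [username, pw]}
        for pw in passwords
    ]
    return xmlrpc.client.dumps((calls,), methodname="system.multicall")


def build_single_call(method, *params):
    """Build an ordinary single-method XML-RPC request body."""
    return xmlrpc.client.dumps(tuple(params), methodname=method)


def _count(method, params):
    # A multicall is unpacked and every nested call inspected; a multicall
    # nested inside a multicall is handled by recursion.
    if method == "system.multicall":
        total = 0
        calls = params[0] if params else []
        for call in calls:
            if not isinstance(call, dict):
                continue
            inner_method = call.get("methodName")
            inner_params = tuple(call.get("params", ()))
            total += _count(inner_method, inner_params)
        return total
    return 1 if method in AUTH_METHODS else 0


def count_auth_attempts(body):
    """Return how many credential-bearing calls the request body contains.

    A plain call counts as 0 or 1; a system.multicall is expanded and each
    nested call is counted on its own.
    """
    params, method = xmlrpc.client.loads(body)
    return _count(method, params)


def should_block(body, max_auth_per_request=1):
    """Policy: reject any request carrying more than max_auth_per_request
    authentication attempts (the default of 1 is an assumption here)."""
    try:
        return count_auth_attempts(body) > max_auth_per_request
    except (xmlrpc.client.Fault, xmlrpc.client.ResponseError,
            xml.parsers.expat.ExpatError):
        # Not a well-formed XML-RPC method call: reject rather than guess.
        return True


if __name__ == "__main__":
    # Constructed sample: one request carrying 500 password guesses.
    attack = build_multicall("admin", [f"guess{i}" for i in range(500)])
    print("multicall auth attempts:", count_auth_attempts(attack))  # 500
    print("blocked:", should_block(attack))                          # True

    # A single credential-bearing call is still allowed through.
    normal = build_single_call("wp.getUsersBlogs", "editor", "correct horse")
    print("single-call auth attempts:", count_auth_attempts(normal))  # 1
    print("blocked:", should_block(normal))                            # False

    # A multicall that carries no credentials is also allowed.
    benign = xmlrpc.client.dumps(
        ([{"methodName": "system.listMethods", "params": []}],),
        methodname="system.multicall",
    )
    print("benign multicall blocked:", should_block(benign))           # False
```

In a real deployment this check would sit in front of xmlrpc.php (a WordPress plugin hooking the request, or a WAF rule), and disabling XML-RPC outright, as the reply recommends, removes the endpoint rather than filtering it; the check above is only useful when some XML-RPC client such as a mobile app still needs the endpoint.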

    enpersona360

    (@enpersona360com)

    Would blocking XML-RPC affect other plugins, such as Jetpack? Thanks.

    Thread Starter wy

    (@wesyah234)

    Thanks for the suggestion @demian85, though I do have all the XML-RPC stuff disabled.

    This was truly a workaround to gaining access to the login screen even if hidden backend is set. iThemes was able to recreate the issue and has now released a fix in the paid version; they said the free version fix is coming soon:

    Gerroald Barron (iThemes Support)

    Mar 12, 11:29 CDT

    Hi,

    We released 5.9.3 in the Pro version to address this. I’ll be sure to update you when we release the free version as well.

    Thanks,

    Gerroald

  • The topic ‘hide backend not working’ is closed to new replies.