• Resolved atis10

    (@atis10)


    Hi,
    thx for this plugin.
    My problem is that it hides the login url, I can set it to /loginhere.
    But if a user opens the lost password link, that reveals the hidden admin url, because it looks like: /loginhere?action=lostpassword. It is just too easy a way to find it.
    Is there a way to change the lost password url too?

Viewing 7 replies - 1 through 7 (of 7 total)
  • same problem to me!!!
    please help!!!

    I just installed this plugin and I think this concern is not one to be worried about.

    Before you activate the plugin, the wp-login.php page has the lost password link and it will be this

    https://yoursite.com/wp-login.php?action=lostpassword

    so you had to get to the login page to do the lost password link.

    With the plugin activated on your site, the login page is

    https://yoursite.com/loginhere/

    On that page, the link to the lost password page is like you said

    /loginhere?action=lostpassword

    I think everything is okay since the lost password link is tied to the wp-login.php and your chosen slug for the login page (loginhere) replaces wp-login.php. If someone does not know your slug, they cannot get to the lost password page.

    With the plugin activated, please try to go to

    https://yoursite.com/wp-login.php?action=lostpassword

    It should redirect.

    If I am wrong, can the developer please chime in?

    • This reply was modified 4 years, 7 months ago by honuware. Reason: added something to try
    Thread Starter atis10

    (@atis10)

    @honuware Thx for the reply. Unfortunately if I use the https://yoursite.com/wp-login.php?action=lostpassword I get a 404 error.
    Also, if it would redirect me to the /loginhere?action=lostpassword page I’d be back at square one, the login url would be disclosed.

    When I said “it should redirect” that was supposed to mean redirect to not your login page so the 404 error is a good thing since it does not expose your slug and disclose your URL.

    I am using this plugin to avoid automated programs looking for wp-login.php positive experiences to flag my site for further malicious action. When the plugin is activated, all the URLs I would try to get a positive hit either redirected to my chosen page in the plugin settings or gave the 404 error which I thought was a good thing.

    I guess what I am trying to say is the only way someone would know your reset password URL thus knowing your login URL is if they knew your login URL in the first place so they could click on the appropriate reset password URL from that page.

    Am I missing something? I am trying to work through this with you so we both have a level of comfort knowing this plugin meets our needs and comfort level.

    Thanks for your engagement on this so I better understand.

    H

    • This reply was modified 4 years, 7 months ago by honuware.
    Thread Starter atis10

    (@atis10)

    The site has (will have) other users. I have to provide them a forgot password link.
    https://yoursite.com/wp-login.php?action=lostpassword is not working, I get a 404 error.
    https://yoursite.com/loginhere?action=lostpassword is working, but clearly shows the login path. Maybe not that clear for average users but I guess totally clear for malicious ones. (I have another site, someone tries to break it every day, no matter how many times I change the login url, I guess this is the explanation to that).
    As I see the solution would be to set a custom url for the lost password. Like https://yoursite.com/lostpassword?action=lostpassword and doing the same with the link that they get in the lost password email. But I have no idea how to do that, this is what I asked in the first post.
    Btw, you’re right, the protection is good against unregistered visitors.

    Having other users able to register, log in, and request a password reset involves a public exposure of some kind no matter what. That is the ultimate solve to harden this process.

    Even if you had a login area on the front of the site, when they make a “mistake” the default is to go to the traditional login page, which again, defeats the purpose you want solved.

    Let me think on this a bit.

    @atis10 search for frontend reset password in the plugin search box. It uses short codes on pages you specify so the defaults are bypassed.

    UsersWP is another one that is more feature rich.

    • This reply was modified 4 years, 7 months ago by honuware.
  • The topic ‘How to hide resetpassword url?’ is closed to new replies.
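
The two disclosure paths discussed in this thread (a default WordPress URL redirecting to the custom slug, and a public page linking to /loginhere?action=lostpassword) can be checked over captured responses. This is an added example, not part of the thread and not the plugin's code; the response records, the /my-account/ page and the wp-admin redirect are constructed sample data.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

SLUG = "loginhere"  # constructed: the custom login slug used in the thread

class _Links(HTMLParser):
    """Collect every href found in <a> tags."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def _hits_slug(url, slug):
    """True when the first path segment of url is the hidden login slug."""
    segs = [s for s in urlsplit(url).path.split("/") if s]
    return bool(segs) and segs[0] == slug

def audit(responses, slug=SLUG):
    """Return (url, reason) findings for responses that disclose the slug."""
    findings = []
    for r in responses:
        # Responses served from the slug itself are expected to mention it
        if _hits_slug(r["url"], slug):
            continue
        loc = r.get("location", "")
        if 300 <= r["status"] < 400 and _hits_slug(loc, slug):
            findings.append((r["url"], "redirects to login slug"))
        parser = _Links()
        parser.feed(r.get("body", ""))
        for href in parser.hrefs:
            if _hits_slug(href, slug):
                action = parse_qs(urlsplit(href).query).get("action", ["login"])[0]
                findings.append((r["url"], f"links to login slug (action={action})"))
    return findings

# Constructed sample responses; no network access is made.
SAMPLE = [
    {"url": "https://yoursite.com/wp-login.php?action=lostpassword", "status": 404, "body": ""},
    {"url": "https://yoursite.com/wp-admin/", "status": 302, "location": "https://yoursite.com/loginhere/", "body": ""},
    {"url": "https://yoursite.com/my-account/", "status": 200,
     "body": '<a href="/loginhere?action=lostpassword">Lost your password?</a>'},
    {"url": "https://yoursite.com/loginhere/", "status": 200,
     "body": '<a href="/loginhere?action=lostpassword">Lost your password?</a>'},
]

if __name__ == "__main__":
    for url, reason in audit(SAMPLE):
        print(f"LEAK  {url}: {reason}")
```

The 404 on wp-login.php?action=lostpassword produces no finding, while the redirect and the public link to the slug are both reported.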