Viewing 15 replies - 16 through 30 (of 30 total)
  • It’s not a case of people making a “stupid decision”, it’s a case of the plugin still allowing someone to type in /login and getting to the new login URL they have just created. OK, the attempts at hacking into my websites have greatly reduced, but they certainly haven’t gone away due to this.

    Anonymous User

    (@anonymized-7837873)

    Agree with Delta Skies. Allowing /login to reveal everyone’s login is crazy. And sometimes you have to steer the user away from making stupid decisions.

    The problem is that if we did it, existing users who have set it to /login would be locked out of their sites when they update the plugin.

    So the plugin would have to check if the user has specifically chosen /login, and only then allow it to work. Otherwise it would be in the blacklist.

    I could look into submitting my idea as a pull request, but only if Sean agrees to the concept.

    For now I am sticking a redirect in htaccess…
    Redirect 301 /login /

    Hi James! Can you provide the exact code we should place in the htaccess to redirect /login to a 404?

    Thanks!

    Anonymous User

    (@anonymized-7837873)

    This is what I am now doing to block /login, /wp-login.php and /admin in .htaccess, before they even get to WordPress.

    # Switch on mod_rewrite in case no earlier directive has done so
    RewriteEngine On

    # Set a simple 401 Unauthorized message
    ErrorDocument 401 "Unauthorized"

    # Throw out requests to the usual login addresses
    # (dot escaped, optional trailing slash; REQUEST_URI is the path only,
    # so this applies whatever host name was used)
    RewriteCond %{REQUEST_URI} (wp-login\.php|/login|/admin)/?$
    # A non-3xx code in R= drops the substitution, so "-" (leave the URL alone) is the right target
    RewriteRule .* - [R=401,L]

    Do this before the usual WordPress rewrite rules.

    Hi! I noticed another problem with this plugin.

    I’ve never had problems thanks to this plugin, but since yesterday someone has been trying to get into my site.

    I have a website URL like site.net (without www). I noticed that the intrusions come from the URL https://www.site.net/wp-login.php. Even though I modified the plugin as written above, anyone can access it from another URL without knowing the real URL.

    How can I resolve the problem?

    I don’t know how to redirect via .htaccess or modify the plugin. Can someone help me? Thanks

    (Sorry for my English, I hope you can understand)

    Anonymous User

    (@anonymized-7837873)

    How are you monitoring intrusions?

    I assume you have a redirect set up from www to non-www. That would mean the user is actually hitting the wp-login.php of the non-www site – in other words, your actual site.

    The only way to avoid requests to wp-login.php from loading WordPress and slowing things down is to throw them out before they get anywhere near WordPress. The easiest way to do this is to…

    1. Set up the plugin to use a different login URL from the standard one.
    2. Open the .htaccess file in the root level of your WordPress site.
    3. Copy and paste the lines from my post above to the very start of the file.

    If you do this you don’t need to worry about modifying the plugin.

    Hope you can resolve it.

    Hi, thanks for the reply. I opened my .htaccess and copied/pasted at the beginning, but your method doesn’t work.

    I noticed the intrusions with “Better WP Security” and then on cPanel I saw that they tried to enter from the www URL.

    I don’t understand why Lockdown WP works on the non-www site and doesn’t work on the www site…

    In other words I have the same problem written in this topic: https://www.ads-software.com/support/topic/subdomains-disrespect-the-url-change

    I had the same problem, i.e., when the domain was prefixed with ‘www.’ the plugin was bypassed and https://www.domain.com/wp-login.php worked. The code posted above by James SOLVED the problem!!! I am a happy camper. Thanks much!

    david

    So the code’s working? Am I doing something wrong?

    I tried another time at the www site and I continue to see the login screen…

    Maybe something in htaccess conflicts with the code? I think this can be the problem: I restored the plugin to how it was originally and it still doesn’t work.

    James’ htaccess code definitely works. It works perfectly, in fact. Make sure you copied it correctly and try again. Be sure to undo any modifications you made to the plugin as well.

    It doesn’t work at all and I don’t understand why :/ I deleted the htaccess rewrite option of Better WP Security too, but nothing changes.

    I undid the modification of the plugin, I put the code at the beginning of the file and just before the WordPress rewrite (after the Better WP Security code), I deleted the Better WP Security code…

    Nothing changes and I always see the login screen at https://www.site.net/wp-login.php

    I’m sure the code works; either I have some conflicts on the site or I’m doing something wrong.

    Have you tried clearing your cache?

    Anonymous User

    (@anonymized-7837873)

    When you go to https://www.site.net/wp-login.php, do you get redirected to the non-www login page, or does the address stay as https://www.site.net/wp-login.php?

    If you stay on www, you should do something about it to avoid duplicate content and other strangeness. You should redirect all www. pages to non-www pages in your DNS setup or in htaccess. How you do that depends on your web host.
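As an added illustration (not code from the thread, from James, or from the plugin), here is a small Python model of the two .htaccess rules discussed above: James’s 401 rule on %{REQUEST_URI} and a www-to-non-www redirect of the kind he recommends. It assumes the constructed host site.net from the thread and a tightened variant of his regex (dot escaped, trailing slash allowed), which is my assumption rather than his code. It shows that the 401 rule keys on the request path alone, so using the www host name cannot get around it, that rule order decides whether a www login request sees a 401 or a 301, and that a trailing slash slips past the original pattern.

```python
import re

# Pattern from James's post, applied by RewriteCond to %{REQUEST_URI}.
ORIGINAL_PATTERN = re.compile(r".*(wp-login.php|/login|/admin)$")
# Assumed tightened variant (not from the thread): dot escaped, trailing slash allowed.
TIGHTENED_PATTERN = re.compile(r"(wp-login\.php|/login|/admin)/?$")

# Constructed canonical host, matching the site.net example used in the thread.
CANONICAL_HOST = "site.net"


def host_of(url):
    """Host part of an absolute URL, lower-cased (what Apache sees in %{HTTP_HOST})."""
    rest = url.split("://", 1)[1]
    return rest.split("/", 1)[0].lower()


def request_uri(url):
    """Path part of the URL as Apache exposes it in %{REQUEST_URI}:
    no scheme, no host and no query string."""
    rest = url.split("://", 1)[1]
    path = "/" + rest.split("/", 1)[1] if "/" in rest else "/"
    return path.split("?", 1)[0]


def evaluate(url, pattern=TIGHTENED_PATTERN, block_first=True):
    """Simulate the two rules and return what the client would get back:
    ("401", None), ("301", redirect_target) or ("200", served_path).
    block_first=True models James's advice of putting the 401 rule at the
    very top of .htaccess, ahead of any www -> non-www redirect."""
    host = host_of(url)
    path = request_uri(url)

    def block_login():
        # RewriteCond %{REQUEST_URI} <pattern>  ->  RewriteRule .* - [R=401,L]
        if pattern.search(path):
            return ("401", None)
        return None

    def canonical_redirect():
        # Typical www -> non-www rule: RewriteCond %{HTTP_HOST} ^www\. -> 301 to the bare host
        if host == "www." + CANONICAL_HOST:
            return ("301", "https://%s%s" % (CANONICAL_HOST, path))
        return None

    rules = [block_login, canonical_redirect] if block_first else [canonical_redirect, block_login]
    for rule in rules:
        outcome = rule()
        if outcome is not None:
            return outcome
    return ("200", path)


def audit(urls, **kwargs):
    """Run evaluate() over a list of URLs; any login address still answered with 200 is exposed."""
    return {url: evaluate(url, **kwargs) for url in urls}


# Constructed sample requests covering the cases raised in the thread.
SAMPLE_URLS = [
    "https://site.net/wp-login.php",
    "https://www.site.net/wp-login.php",                 # the www variant that worried the poster
    "https://site.net/login/",                           # trailing slash
    "https://site.net/wp-login.php?action=lostpassword", # query string is not part of REQUEST_URI
    "https://site.net/my-secret-door",                   # stands in for the plugin's renamed login URL
]

if __name__ == "__main__":
    for label, pattern in (("original", ORIGINAL_PATTERN), ("tightened", TIGHTENED_PATTERN)):
        print("== %s pattern, 401 rule first ==" % label)
        for url, (status, extra) in audit(SAMPLE_URLS, pattern=pattern).items():
            print("%-55s -> %s %s" % (url, status, extra or ""))
    print("== www redirect placed before the 401 rule ==")
    print(evaluate("https://www.site.net/wp-login.php", block_first=False))
```

Running it prints 401 for every login address under both host names with the tightened pattern, a 200 for /login/ under the original pattern, and a 301 to the bare host when the redirect rule is placed ahead of the 401 rule, which is why James tells you to put his lines at the very start of the file.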

    Yeah, my site on https://www.site.net/wp-login.php doesn’t go to the non-www site, I don’t know why. When I go to https://www.site.net it goes to site.net without any problem…

    I contacted my web host and they said that it’s a WordPress problem and couldn’t resolve the issue.

    Any ideas? I tried to redirect via htaccess but it doesn’t work.

    I’m really sorry, I’m going to…

    Never mind, I partially resolved the problem. I had mistyped the redirect code; now it works.

    The 401 code still doesn’t work, but I modified the plugin: if I go to https://www.site.net/wp-login.php now it throws error 404.

    Thanks to all and I’m really sorry for messing the topic…

  • The topic ‘login’ is closed to new replies.