Viewing 15 replies - 31 through 45 (of 61 total)
  • I figured out the problem. The new version of WordPress does not create a htaccess file for the wp-admin folder. You need to create one manually and deny all access to all other IPs but your own (or IP addresses of admins).
    This fixed the issue for me.

    @bit51 I tried using slugs without any reference to login, admin or register. No luck with (MT), same issue.

    With that said, I will wait for case number 1 ??

    Thanks again!

    Using different slugs won’t work if you’ve hidden your admin area with a custom login URL. If you would like a copy of the htaccess file I can supply it. Just edit with your own info and upload via FTP or file manager.

    I have the same problem. I use the Suffusion theme. The back-end is hidden in that it showed an error ‘redirecting’ the page instead of ‘page not found’.

    Also, this morning, a hacker somehow went directly to my hidden admin page to try to log in (not a single 404 error detected). So someone is using/exploiting this issue and is trying to get to the backend now, which is how I searched the net and found this post.

    Great plugin! Still protected my site many times over….

    OK….

    ….Here’s the issue. WP 3.4 redirects all 404 errors (the error wp-admin/etc should throw if moved) to index.php which then sees them as the admin section thereby breaking the feature entirely.

    …What would you all like to see? I could change it to show a 500 error or some other error code which would fix the issue but not really hide it as an attacker would potentially still think it’s there which would at least help it identify the site as a WordPress installation. I could try some core hacks that may cause other incompatibilities with other plugins/themes/etc, or I could do something else?

    I’ll take the route recommended by the community I just want to know what you all think will serve folks best as it is even possible that many are using this feature for usability reasons rather than security reasons (I know at least a few folks in that boat).

    I’d like to avoid core hacks if at all possible myself. Having to remember to set the hacks again after upgrade surely would suck. Plus some of the incompatibilities if any.

    I don’t have any ideas off the top of my head to address “something else” so, for now, 500 error gets my vote.

    Thanks Nate!

    It’s a tough call. Core hacks should be avoided at all cost since who knows how WP X.X will evolve.

    It’s nice to stick with 404 errors since it’s a standard metric for landing missed pages.

    I love the plugin’s other features and would really like to use the hidden backend feature but it is just too sensitive with my Plesk / nginx enabled host that redirects requests in the pursuit of speed but at the peril of login process alterations.

    While the Hide Backend Function is being reworked, the dashboard needs a big Red Warning and some guidance on self extraction if it all goes horribly wrong.

    Race

    Sam

    (@sdominique)

    Happened on a cPanel multisite install (not Plesk) with only the Hide Backend section enabled; the site froze up so I removed the htaccess rules.

    Subscribing to this thread.

    Don’t know much about WP 3.4, what would it do if a 400 (bad request) or 403 (forbidden) is thrown? If not, I will vote for 500 I guess.

    btw, I am getting daily attempts on my ‘un-hidden’ admin page now….

    A side question: I try to use the Away Mode to deter the hacker as it always tries to come in around the same time. However, on top of the Away Mode page of the plug-in, it always shows me GMT as the local time. I checked my WP settings and the local time is set and displayed properly. So the plug-in is not picking up the time zone properly under 3.4.1?

    Sorry, a correction about the away mode time problem:

    – UTC is 2am (next day)
    – Local time is 10pm (from WP settings page, which is correct)
    – but plug-in showed me 6pm (same day)? Kind of weird.

    I should probably move this to a new topic.. sorry.

    OK Everyone. I’ve put a fix into the development version (https://downloads.www.ads-software.com/plugin/better-wp-security.zip) that has fixed it on the 9 websites I’ve tried it on so far. Can some of you give it a try on your own installations and let me know what you get?

    Thanks!

    I just tried this “Hide Backend” feature for the first time, and it doesn’t work at all. I can still access /wp-admin and /wp-login.php.

    When I try to use the modified slug of /logins it doesn’t work.

    The server is using cPanel if this helps.

    @dukejames there is a problem with 3.3. Can you confirm you are using the dev version to try the fix?

  • The topic ‘[Plugin: Better WP Security] Hide Backend Function Broken’ is closed to new replies.