Viewing 15 replies - 1 through 15 (of 43 total)
Plugin Contributor wpsolutions

    (@wpsolutions)

    Hi,
    What does this “web vulnerability scanner” show exactly in relation to the “secret word”?

    Also, are you referring to the “secret word” from the cookie-based brute force prevention feature?

    Thread Starter eddyferns

    (@eddyferns)

    Hi,

    As mentioned in the title I am referring to the secret word of ‘Rename Login Page’ brute force feature.

    The scanner displays the secret word and shows that there is a username and password login behind it, with a submit button through ‘wp-submit’. It is as clear as day.

    Thanks
    Ed

    Piani

    (@webbmasterpianise)

    I confirm that the rename login page feature needs an update. I have used a renamed login page. Got several forced login attempts (from Russian IPs). I renamed the login page and the day after I have new forced login attempts. Is it not the point of this feature that the renamed page is secret?

    Using latest WP + AioS&F

    Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi Ed, can you share which web vulnerability scanner you are using?

    Thank you

    Plugin Contributor wpsolutions

    (@wpsolutions)

    Hi @wm,
    I’m trying to figure out how they are getting through….

    Regarding your WP setup, could you please tell me if you have permalinks enabled on your site?

    Does your secret slug have anything other than alphanumeric characters?

    Single site or multi-site?

    Thread Starter eddyferns

    (@eddyferns)

    Hi

    There are a couple of them. You can try this:
    Wikto and NStalker or even Burp spider.

    Spidering tools should suffice I suppose as they will show the list of a website’s pages, instead of running a full security scan.

    Regards
    Ed

    Piani

    (@webbmasterpianise)

    @ wpsolution:

    (I will try to translate since I use a different language)

    – I use permalinks “postname”: https://mysite.com/example-postname/
    – The secret slug is only lowercase letters and no numbers (like abc…)
    – It’s a single site.

    I can confirm that they have continued today too, even after I updated and changed the slug yesterday. Today it is Mr 194.28.84.34 who wants to control my site ??

    The attacks have mostly used “admin” as the username, which I have already changed, of course. But I have seen attempts with different usernames too.

    Thanks for looking in to it.

    Plugin Contributor wpsolutions

    (@wpsolutions)

    @wm,
    Actually it is likely they haven’t hacked your secret login page but instead they are probably targeting the xml-rpc functionality.
    Can you please enable the pingback protection in the firewall rules to see if that stops the apparent login attempts.

    Piani

    (@webbmasterpianise)

    @ wpsolution:

    That feature is already active (on the first tab of firewall settings)

    Attention:
    Currently the Enable Pingback Protection is active.

    Plugin Contributor wpsolutions

    (@wpsolutions)

    Hi wm,
    Can you please try a quick test for me.
    Using FTP grab your .htaccess file and replace the code in between the tags “#AIOWPS_PINGBACK_HTACCESS_RULES_START” and “#AIOWPS_PINGBACK_HTACCESS_RULES_END” with the following directives:

    <Files xmlrpc.php>
    # Apache 2.2 access-control syntax (on Apache 2.4 the equivalent is: Require all denied)
    order deny,allow
    deny from all
    </Files>

    Then monitor your login attempts to see if this stops them.
    Please let me know what the result is.

    Piani

    (@webbmasterpianise)

    I will do that and test.

    I also checked my server settings and there was “PHP error messages = ON” . I read some posts that this can be a security issue so I now turned this “OFF”.

    I think this is the same issue I am having. I have been using my site happily with the renamed login page feature – then all of a sudden a few days ago I started getting lots of lockout notifications showing attempted logins with username ‘admin’ (which of course I do not use).

    I thought at first they must have found some other way to access a login page from my site but AIOWPS does not seem to give me the URL of the login attempt and I do not know enough about WP to guess what it might be.

    I changed the name of the renamed login page but that does not seem to have helped – still getting lots of attacks.

    Reading this thread made me realise the problem did seem to coincide with the update to WP 4.0 and wonder if the attackers can somehow now detect the renamed login page name?

    Wondering whether to change over to cookie-based login protection? I like the renamed page but as it is just me using the site, cookie-based might be ok for me.

    Any other thoughts would be gratefully received. Let me know if you need any further info.

    Thanks for a FABULOUS plugin!! (That always gets left till last in support requests but really you guys are fantastic with the work and expertise you put in).

    Cheers
    Luna (forensictranscription.com.au)

    Plugin Contributor wpsolutions

    (@wpsolutions)

    Hi @lunatrix21,
    The chances are that your renamed login page has not been breached – but instead the login attempts are probably coming from attempts via the xmlrpc.php script.

    Can you also try the same test I asked @wm to do?
    (ie, paste the code above in your .htaccess file)

    OK I have done that. Just to check: in following your instructions I REPLACED the following code in .htaccess with the lines you mentioned (files to /files). Is that right?

    <IfModule mod_alias.c>
    RedirectMatch 403 /(.*)/xmlrpc\.php$
    </IfModule>

    I will let you know what happens. I should note that the number of lockouts seems to have decreased today even before I did this, but they are still coming so it will be good if this change can stop the baddies completely.
    Thanks
    Luna

    Plugin Contributor wpsolutions

    (@wpsolutions)

    Yes that’s right.
    Monitor the login attempts and let me know how it goes.
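An added example, not from the thread or from the AIOWPS plugin: a small Python script that shows why the lockouts in this thread can keep coming without the renamed login page ever being found. The plugin's pingback rule quoted above, `RedirectMatch 403 /(.*)/xmlrpc\.php$`, is tested by Apache against the URL path, and that regex needs a directory segment in front of the file name, so it fires for `/blog/xmlrpc.php` but never for `/xmlrpc.php` on a WordPress installed at the site root. The `<Files xmlrpc.php>` block suggested in the thread matches by file name regardless of path, which is why it is the more robust fix. The script checks both patterns against sample paths (the `(^|/)xmlrpc\.php$` replacement pattern is my assumption, not the plugin's), and then counts served POSTs to `xmlrpc.php` per client IP over a few constructed Apache access-log lines; XML-RPC methods such as `wp.getUsersBlogs` take a username and password, so those POSTs are the login attempts that show up as AIOWPS lockouts with no login URL attached. The IP addresses and log lines are constructed for the example.

```python
import re
from collections import Counter

# The pingback rule AIOWPS wrote to .htaccess, as quoted in the thread:
#   RedirectMatch 403 /(.*)/xmlrpc\.php$
# Apache tests a RedirectMatch regex against the URL path, e.g. "/xmlrpc.php".
AIOWPS_PINGBACK_RULE = re.compile(r"/(.*)/xmlrpc\.php$")

# Replacement pattern (assumption: mine, not the plugin's) that also matches
# xmlrpc.php at the site root:   RedirectMatch 403 (^|/)xmlrpc\.php$
ROOT_SAFE_RULE = re.compile(r"(^|/)xmlrpc\.php$")


def rule_blocks(rule: "re.Pattern[str]", path: str) -> bool:
    """True if a RedirectMatch using `rule` would fire for this URL path."""
    return rule.search(path) is not None


# Apache "combined" log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line: str):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string
    return rec


def xmlrpc_posts_by_ip(log_text: str) -> Counter:
    """Count POSTs to xmlrpc.php that the server actually served (2xx), per IP.

    Those requests can carry authenticated XML-RPC calls (wp.getUsersBlogs etc.)
    and so produce login failures and lockouts without touching wp-login.php or
    the renamed login slug. Blocked (403) requests are not counted.
    """
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if (rec and rec["method"] == "POST"
                and rec["path"].endswith("/xmlrpc.php")
                and 200 <= rec["status"] < 300):
            hits[rec["ip"]] += 1
    return hits


# Constructed sample log (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = """\
198.51.100.23 - - [10/Sep/2014:03:12:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Sep/2014:03:12:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Sep/2014:03:12:04 +0000] "POST /xmlrpc.php?rsd HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Sep/2014:03:15:10 +0000] "POST /blog/xmlrpc.php HTTP/1.1" 403 199 "-" "curl/7.35"
192.0.2.5 - - [10/Sep/2014:03:16:00 +0000] "GET /example-postname/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for path in ("/xmlrpc.php", "/blog/xmlrpc.php", "/example-postname/"):
        print(f"{path:22} plugin rule blocks: {rule_blocks(AIOWPS_PINGBACK_RULE, path)!s:5} "
              f"root-safe rule blocks: {rule_blocks(ROOT_SAFE_RULE, path)}")
    for ip, n in xmlrpc_posts_by_ip(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} served POSTs to xmlrpc.php")
```

To use it on a real site, feed the web server's access log to `xmlrpc_posts_by_ip` (for example `xmlrpc_posts_by_ip(open("access.log").read())`); if the IPs it reports line up with the lockout notifications, the attempts are coming through XML-RPC and the renamed login page has not been exposed. After applying the `<Files xmlrpc.php>` block from the thread, the same count should drop to zero because those POSTs now return 403.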

  • The topic ‘Rename Login Page security issue’ is closed to new replies.