This is 100% insecure as-is, but can be fixed
I just tested this plugin to counter brute-force attacks on my client’s wp-login.php page. The idea is sound; however, I found that there does not need to be any value for ‘sk’ entered – as long as the ?sk is there after the rest of the URL, the login page shows every time.
What I did that works great so far is to do a search and replace in the plugin’s PHP file – I replaced all values of ‘sk’ with my own passcode. The passcode that’s set in the WP backend becomes totally unnecessary. The stealth setting needs to be on.
Your login url then becomes https://domain.com/wp-login.php/wp-login.php?secretcode
If the programmer will fix this to work like that by default this could be an essential plugin.
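The defect the post describes is a gate that tests only whether the query parameter exists, not whether its value matches the configured secret. The following PHP is an added illustration of that weak check beside a value-comparing one; it is not the plugin's code, and the names `login_gate_weak`, `login_gate_strict` and `$stored_key` are hypothetical. The `login_init` hook, `wp_safe_redirect()` and `home_url()` in the trailing comment are real WordPress APIs, shown only to indicate where such a check would sit.

```php
<?php
// Added example (not the plugin's code). Function and variable names are hypothetical.

// Weak gate, as the post describes: only the presence of 'sk' is checked.
// A request such as wp-login.php?sk (no value) yields $_GET['sk'] === '',
// so isset() is true and the login page is revealed to anyone who knows the parameter name.
function login_gate_weak(array $query): bool {
    return isset($query['sk']);
}

// Hardened gate: the parameter must be present, be a string, and equal the secret
// configured in the plugin settings. hash_equals() does a constant-time comparison,
// so the check does not leak how many leading characters of a guess were correct.
function login_gate_strict(array $query, string $stored_key): bool {
    if ($stored_key === '' || !isset($query['sk']) || !is_string($query['sk'])) {
        return false; // no secret configured, or parameter missing / malformed
    }
    return hash_equals($stored_key, $query['sk']);
}

// Constructed sample requests (query arrays as PHP would populate $_GET).
$stored_key = 'example-secret-from-settings'; // in a plugin this comes from the saved option
$cases = [
    'sk present, empty' => ['sk' => ''],
    'sk wrong value'    => ['sk' => 'guess'],
    'sk correct value'  => ['sk' => $stored_key],
    'sk absent'         => [],
];

foreach ($cases as $label => $query) {
    printf("%-18s weak=%-6s strict=%s\n", $label,
        login_gate_weak($query) ? 'shown' : 'hidden',
        login_gate_strict($query, $stored_key) ? 'shown' : 'hidden');
}
// Only 'sk correct value' passes the strict gate; the weak gate also passes
// 'sk present, empty' and 'sk wrong value'.

// Where a plugin would apply the strict gate (WordPress hook, shown for context):
// add_action('login_init', function () use ($stored_key) {
//     if (!login_gate_strict($_GET, $stored_key)) {
//         wp_safe_redirect(home_url('/'));
//         exit;
//     }
// });
```

Reading the secret from the plugin's saved option, as `$stored_key` does here, keeps the passcode out of the plugin file, so it survives plugin updates and can be rotated from the WP backend instead of by re-editing the source.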