anorris1
Forum Replies Created
Hackers use base64/eval to hide their code, so as much as I agree with you it would be good if you could use a method/code that isn’t used by hackers… thus preventing false positives in security plugins etc.
Of all the plugins used. Nextgen is the only one being flagged….
I’ve asked WordFence but they just want me to ignore it rather than do anything on their part :(. So my only hope is that you can change the code to something that doesn’t result in false positives.
That’s fine, are you able to not use base64/eval so it doesn’t get flagged?
You should make this a login security feature that you can enable in your plugin with one click. Rather than hack a .htaccess file etc.
NP
My own post: https://www.ads-software.com/support/topic/suggestions-user-login?replies=1
I think the issue I’ve identified is due to the site’s host or WordPress itself. As I’ve disabled all plugins and the issue persists.
Can you update my post above to remove the domain and replace it with mysite. I can’t edit my post anymore.
It’d be good if the plugin sends an email alert for failed logins like Wordfence. It would also be good to whitelist logins and IP for email alerts so it doesn’t alert that you just logged in. So only alerts to potential hack attacks…
Another suggestion would be to allow automatic updates?
I’ve updated the plugin and the cookie test still fails. It’s no doubt due to the hosting provider…
Good job on the honeypot feature, I’ve enabled that. Not that we get search bots but hopefully it can help against hack bots? Can’t hurt to have it enabled either way.
Sorry for hijacking the thread, I will post my own thread.
Thanks for your assistance
I don’t use that feature, as the site fails the cookie test. Is my problem related?
If your session has expired between visits to the login page you will be redirected and get a 404.
The url that ends up in the address bar is:
https://www.mysite.com/wp-login.php?redirect_to=https://www.gracebree.com.au/wp-login.php&aiowps_login_msg_id=session_expired
I thought it was due to the “&” after wp-login.php but you still get a 404 if your URL is just
https://www.mysite.com/wp-login.php?redirect_to=https://www.mysite.com/wp-login.php
as well.
The file exists, as if you just access it you get the login page, but a 404 if the redirect argument or another argument is placed in the URL.
May not be a problem with your plugin or it may be, as I only started having issues after I renamed the login page. I’ve since stopped using that feature and the problem persists.
I get the problem even if I don’t have a .htaccess file so I doubt it’s coz of the security I applied to that? I deactivated all plugins and still get a 404, so I am at a loss at what it is.
Forum: Fixing WordPress
In reply to: Problems with wp-login.php and URL charecters
Thanks, as I said I disabled all plugins and the problem persists, so I doubt it’s plugin related….
As I said in my post anything can be after the ampersand and it will return a 404…
Forum: Fixing WordPress
In reply to: Problems with wp-login.php and URL charecters
Same problem.
Only if your session expires, say when you return to the site the next day… and you want to login via
/login
wp-login.php
/wp-admin
You’ll get sent to
/wp-login.php&aiowps_login_msg_id=session_expired
I also disabled all plugins, changed themes, renamed .htaccess, saved perm links (don’t have any) and the problem persists (404).
If you remove the ampersand the url works. If you just even have an “&” appended it will 404. So it makes me think the argument isn’t valid and causing the 404?
You don’t get an error on anything else, only when your session expires and it’s annoying as your session will expire each day…
I’m running latest WP & plugins…
Has to be something in the PHP file(s) it’s loading? As the .htaccess 404’s with it or without it (just changed what it looks like e.g. generic 404 or theme 404).
Definitely an issue with .htaccess and wp-login.php, if I append & to the end of the wp-login.php login it results in the generic 404 page. If I rename htaccess back I get my theme’s 404.
So I’m guessing wp-login.php doesn’t like the “&” and serves up a 404 page (default for the webserver or WordPress’s theme 404 page).
I don’t really code, so I’m unsure what needs to be in wp-login.php
OK, it’s the .htaccess file in the web root, renaming it even tho “redirect_to” still doesn’t go to whatever site is listed, at least I get my login page (asked to login).
So obviously the .htaccess file is doing something with the URL, files etc.
No idea what’s in .htaccess that is causing it to not recognise wp-login.php when redirect_to is present. Works when it’s just wp-login.php
OK, the redirect_to issue is not with the plugins as I disabled both and get the same error.
Maybe an issue with WP or a .htaccess file?
Ok looks like the redirect is to do with WP (wp-login.php)?
The url it uses, even tho wp-login.php exists, at the url it gets a 404.
The url it uses, which is a 404 is (XXX = site):
https://xxxxxxx/wp-login.php?redirect_to=https://XXXX/
I guess wp-login.php doesn’t recognise “redirect_to=”?
As when I try to access the same URL without redirect_to, I get my login page. I get a 404 when I append “redirect_to” to the end of the URL.
This feature is broken somewhat.
If it detects your session has expired it tries to access wp-login.php and results in a 404 page.
The url contains the wp-login.php with a redirect string to the correct address.
If you try the login page again, it works as I guess your cookie has been cleared.
You can then login successfully.
I’ve disabled the feature, as I’d like to “catch” potential hackers. Tho it’d be nice if it was 100% and sends you to the correct (renamed) URL if your session expires instead of the 404 page.
My site is using the “Contrast” theme if it helps. It does know the correct url as its listed as the redirect_url in the address bar.
I’m guessing wp-login.php when it detects a session expiry and due to .htaccess (?) it gives you a 404 page?
Any help greatly appreciated.
Saw this was listed as resolved so prolly if I make my own post