Forum Replies Created

Viewing 5 replies - 1 through 5 (of 5 total)
  • Thread Starter willberforce

    (@willberforce)

    Thanks Predrag. Obviously, this isn’t critical as (a) it’s only a PHP warning and not an error, and (b) I can run this on PHP 7.1.x without a problem.

    Here are the settings in case it helps.

    11/11 Security Tweaks actioned…

    Disable trackbacks and pingbacks
    Update WordPress to latest version
    Update PHP to latest version
    Change default admin user account
    Change default database prefix
    Disable the file editor
    Hide error reporting
    Update old security keys
    Prevent Information Disclosure
    Prevent PHP execution
    Manage Login Duration

    Login protection is enabled. There are no lockouts logged yet.
    Lockout threshold 5 failed logins within 300 seconds
    Lockout time: 300 seconds

    Lockout threshold 20 errors within 300 seconds
    Lockout time 300 seconds
    Permanently ban 404 lockouts: Off
    Exclusions
    Monitor 404s from logged in users: On

    Login Protection Lockout: On
    404 Detection Lockout: On

    IP Banning
    Blacklist: empty
    Whitelist: my IP address is listed here

    NOTIFICATIONS
    Send email notifications
    Login Protection Lockout: enabled
    404 Detection Lockout: enabled
    Email recipients: my username
    Repeat Lockouts:
    Limit email notifications for repeat lockouts: off (3, 24h)

    Settings
    Storage 30 days

    Thanks again.

    • This reply was modified 6 years, 3 months ago by willberforce.

    If you make changes to a core plugin file, when the plugin gets updated, you lose your code and functionality.

    So best to place your code in a custom or child theme.

    Ok I have a solution:

    I installed BPS security plugin with default settings, ran the wizard and it’s blocking URL encoding and wp-login.php – showing a 404 for each.

    It wasn’t doing the wp-register.php so I added this file to htaccess custom code as follows:

    Root htaccess (BOX 6):

    # DENY ACCESS TO PROTECTED SERVER FILES AND FOLDERS
    # Use BPS Custom Code to modify/edit/change this code and to save it permanently.
    # Files and folders starting with a dot: .htaccess, .htpasswd, .errordocs, .logs
    RedirectMatch 403 \.(htaccess|htpasswd|errordocs|logs)$
    RedirectMatch 404 wp-register\.php$

    Save
    Activate

    This successfully 404s these 3 urls.

    It’s an easy fix. A more elegant solution would be for the plugin to itself prevent these redirects via hooking.

    @claytonl – sorry, yes forgive me, I think I misunderstood the issue.

    On testing, WP is redirecting from the following to the hidden login page.

    /wp-admin/customize.php
    /wp-register.php
    /%77%70%2D%6C%6F%67%69%6E.%70%68%70

    Does anyone have a working fix?

    Presumably wp-register is unlikely to be necessary in most scenarios if the login url is being obfuscated.

    wp-customize and the encoded wp-login.php must be fairly easy to block in htaccess – though this mod prides itself on being non-htaccess based, so a redirect to 404 on path hook would do the job.

    Thinking out loud.
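    The two posts above ask for a hook-based alternative to the .htaccess rules: a 404 on the path rather than a redirect to the hidden login page. The following mu-plugin is an added example written for this thread, not code from willberforce, BPS or the login-hiding plugin. It assumes the three paths listed in the thread, that it is dropped into wp-content/mu-plugins/ (so it survives plugin updates, as the reply about child themes recommends), and that the function and constant names (example_should_block_path, EXAMPLE_LEGACY_LOGIN_PATHS) are hypothetical.

```php
<?php
/**
 * Plugin Name: Example: 404 legacy login entry points
 * Description: Answers wp-register.php, anonymous hits on wp-admin/customize.php,
 *              and percent-encoded spellings of wp-login.php with a 404 instead of
 *              letting WordPress redirect them to the (hidden) login page.
 * Install:     wp-content/mu-plugins/example-404-legacy-login.php (hypothetical name)
 */

// Paths the thread reports WordPress still redirects to the login page (assumed list).
const EXAMPLE_LEGACY_LOGIN_PATHS = array( '/wp-register.php', '/wp-admin/customize.php' );

/**
 * Decide whether a request should be answered with 404.
 * Pure function (no WordPress calls) so it can be exercised outside WordPress.
 *
 * @param string $request_uri  Raw $_SERVER['REQUEST_URI'], query string included.
 * @param bool   $is_logged_in Whether the visitor has an authenticated session.
 */
function example_should_block_path( string $request_uri, bool $is_logged_in ): bool {
    // Drop the query string, then decode percent-encoding so that
    // /%77%70%2D%6C%6F%67%69%6E.%70%68%70 compares equal to /wp-login.php.
    $raw_path     = (string) strtok( $request_uri, '?' );
    $decoded_path = rawurldecode( $raw_path );

    // Encoded spellings of wp-login.php: the raw and decoded forms differ and the
    // decoded form names the login script. Plain /wp-login.php is left to the
    // login-hiding plugin, which already handles it.
    if ( $decoded_path !== $raw_path && stripos( $decoded_path, 'wp-login.php' ) !== false ) {
        return true;
    }

    foreach ( EXAMPLE_LEGACY_LOGIN_PATHS as $blocked ) {
        if ( strcasecmp( $decoded_path, $blocked ) !== 0 ) {
            continue;
        }
        // customize.php is a legitimate tool for logged-in users; only anonymous
        // requests (the ones that would be redirected to the login page) get a 404.
        if ( $blocked === '/wp-admin/customize.php' ) {
            return ! $is_logged_in;
        }
        // wp-register.php only ever redirects to the login/registration URL.
        return true;
    }
    return false;
}

// 'init' runs after wp-load.php inside wp-register.php, customize.php and
// wp-login.php, i.e. before each of them issues its redirect, and the current
// user is available by then.
add_action( 'init', function () {
    if ( empty( $_SERVER['REQUEST_URI'] ) ) {
        return;
    }
    if ( example_should_block_path( (string) $_SERVER['REQUEST_URI'], is_user_logged_in() ) ) {
        nocache_headers();
        wp_die( 'Not found', 'Not found', array( 'response' => 404 ) );
    }
} );
```

Because the decision lives in a function with no WordPress dependencies, it can be checked with a plain PHP script: example_should_block_path( '/%77%70%2D%6C%6F%67%69%6E.%70%68%70', false ) returns true, example_should_block_path( '/wp-admin/customize.php', true ) returns false, and an ordinary page path returns false. Note that Apache decodes the percent-encoded path before choosing which script to run, which is why the raw REQUEST_URI has to be inspected rather than the script filename.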

    Please correct me if I’m wrong but the OP and others appear to be misunderstanding what this plugin does.

    It is meant to allow you, the site owner, to alter the admin and login paths from something guessable (like /wp-login.php) TO something unguessable.

    It is not designed to block someone who already knows the paths, whether by URL encoding or not.

    • This reply was modified 7 years, 6 months ago by willberforce.