• Resolved fogger

    (@fgruen)


    Hi,

    I have been using the function to rename the login page for a long time on several sites. Now I noticed accidentally that the original login under domain/wp-login/ still remains accessible.

    So the same login page is reachable under two different URLs:

    1. at https://domain/wp-login/ and
    2. at https://domain/customizedURL

    This behavior seems to be new and it occurs on all sites that use the function. No matter if a caching plugin is active or not.

    Can someone check this? Because in this way the function would be absolutely useless, as an attacker does not need to know the renamed URL at all to get to the login page.

    Thanks in advance

    • This topic was modified 1 year, 7 months ago by fogger.
Viewing 15 replies - 1 through 15 (of 19 total)
  • Plugin Support hjogiupdraftplus

    (@hjogiupdraftplus)

    Hi @fgruen

    The AIOS plugin will show a 404 error if /wp-login/ is accessed and the renamed login page is enabled. It might be another plugin or theme page which is loading the login page.

    https://snipboard.io/Rh9p2P.jpg

    Can you please cross-check that you do not have any page named /wp-login/ and/or, if possible, try deactivating the other plugins one by one and cross-check which plugin makes the /wp-login/ URL load.

    Regards

    Thread Starter fogger

    (@fgruen)

    I have already tried that. Even if all plugins except AIOS are disabled, the behavior remains the same. The issue also occurs on different sites that use different compositions of plugins. All of them using different (standard WordPress) themes. And no, there is no other WordPress page called wp-login.

    • This reply was modified 1 year, 7 months ago by fogger.
    Plugin Support hjogiupdraftplus

    (@hjogiupdraftplus)

    Ok,

    Can you please send me the list of plugins installed there? It is not AIOS plugin functionality to show the login if wp-login is requested in the browser URL.

    Regards

    Thread Starter fogger

    (@fgruen)

    For example, in one case (where I just tried disabling all plugins), these are installed:

    • All In One WP Security (of course)
    • Conditionally display featured image on singular pages and posts
    • Enable Media Replace
    • Imagify
    • Jetpack (just for the Custom Content Type “Portfolio”, all other services like firewall, login etc. disabled. It’s also the only site with Jetpack where the problem occurs).
    • Popup Maker
    • Query Monitor
    • Redirection (with only two redirects to renamed posts)
    • Spectra
    • Statify
    • Statify – Extended Evaluation
    • UpdraftPlus – Backup/Restore
    • WP-Optimize – Clean, Compress, Cache
    • Yoast Duplicate Post
    • Yoast SEO (the free version without redirect function)
    Thread Starter fogger

    (@fgruen)

    Unfortunately, my last answer is not published, it says:

    Your post is being held for moderation by our automated system and will be manually reviewed by a volunteer as soon as possible.
    
    No action is needed on your part at this time, and you do not need to resubmit your message.
    Thread Starter fogger

    (@fgruen)

    Here is another try:

    For example, in one case (where I just tried disabling all plugins), these are installed:

    • All In One WP Security (of course)
    • Conditionally display featured image on singular pages and posts
    • Enable Media Replace
    • Imagify
    • Jetpack (just for the Custom Content Type “Portfolio”, all other services like firewall, login etc. disabled. It’s also the only site with Jetpack where the problem occurs).
    • Popup Maker
    • Query Monitor
    • Redirection (with only two redirects to renamed posts)
    • Spectra
    • Statify
    • Statify – Extended Evaluation
    • UpdraftPlus – Backup/Restore
    • WP-Optimize – Clean, Compress, Cache
    • Yoast Duplicate Post
    • Yoast SEO (the free version without redirect function)
    Thread Starter fogger

    (@fgruen)

    If you want to see for yourself: This site uses the default Twenty Twenty-Three theme and currently has only two plugins enabled

    • All In One WP Security
    • Coming Soon Page, Maintenance Mode, Landing Pages & WordPress Website Builder by SeedProd

    The login page has been renamed and can now be reached in parallel at [deleted]

    • This reply was modified 1 year, 7 months ago by fogger.
    Plugin Support hjogiupdraftplus

    (@hjogiupdraftplus)

    Hi @fgruen

    OK, can you please cross-check that the theme's functions.php does not have any code to redirect the /wp-login/ URL to the login page, like below, using a filter.

    Because if you have all plugins deactivated, including Jetpack and redirects + WP-Optimize (cache), and it still shows as working, it might be something from the theme or custom code. But it is not the AIOS plugin.

    If possible, check by disabling the AIOS plugin also and let me know.

    add_filter('login_url', 'wp-login', PHP_INT_MAX );

    Regards

    Plugin Support hjogiupdraftplus

    (@hjogiupdraftplus)

    Hi @fgruen

    OK, please share such login URLs etc. using https://pastebin.com/ with expiration after read. If you can remove those URLs somehow (by editing the last topic), please do that also.

    Thread Starter fogger

    (@fgruen)

    Sorry, I’m not a programmer and this topic kept me busy for several hours last night.

    As I said, the problem occurs with half a dozen websites, all using different WordPress default themes. And no, I have not put any corresponding custom code in functions.php. Certainly not on all sites. I would know.

    If I disable or reset AIOS completely, the renaming is gone and only wp-login works. But that’s the expected behavior, right?

    Plugin Support hjogiupdraftplus

    (@hjogiupdraftplus)

    Hi @fgruen

    No, /wp-login/ loading the login page is not general behaviour. The /wp-login.php URL loads the login page.

    If, after deactivating the AIOS plugin, /wp-login/ still loads the login page, it is something implemented either in .htaccess or in code. If possible, ask the developer who developed the site; he might be able to say.

    Regards
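
A way to check, per path, what the posts above describe (a 404 on /wp-login/ when the rename is active, versus the login form being served on two URLs). This is an added example, not part of the thread and not AIOS code; the function names are hypothetical, the form markers (`id="loginform"`, inputs `log` and `pwd`) are those of the stock WordPress login form, and the sample responses are constructed.

```python
import re
import urllib.error
import urllib.parse
import urllib.request

# Markers of the stock WordPress login form: <form id="loginform"> with "log" and "pwd" inputs.
FORM_RE = re.compile(r'<form[^>]+id=["\']loginform["\']', re.I)
FIELD_RES = [re.compile(r'name=["\']%s["\']' % n, re.I) for n in ("log", "pwd")]

def classify(status, location, body, renamed_slug):
    """Label one response: login-form, redirect-to-renamed, redirect, blocked, other."""
    if 300 <= status < 400 and location:
        target = urllib.parse.urlsplit(location).path.strip("/")
        return "redirect-to-renamed" if target == renamed_slug.strip("/") else "redirect"
    if status == 200 and FORM_RE.search(body) and all(r.search(body) for r in FIELD_RES):
        return "login-form"
    return "blocked" if status in (403, 404) else "other"

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # do not follow: a 3xx then surfaces as HTTPError in fetch()

def fetch(url, timeout=10):
    """Return (status, Location header, body) without following redirects."""
    try:
        with urllib.request.build_opener(_NoRedirect).open(url, timeout=timeout) as r:
            return r.status, r.headers.get("Location"), r.read(200000).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Location"), e.read(200000).decode("utf-8", "replace")

def audit(base, renamed_slug, fetcher=fetch):
    """Check the paths named in the thread; return (labels, paths that bypass the rename)."""
    labels = {}
    for path in ("wp-login.php", "wp-login/", renamed_slug):
        labels[path] = classify(*fetcher(base.rstrip("/") + "/" + path), renamed_slug)
    # A default path bypasses the rename if it serves the form or redirects to the secret slug.
    bypass = [p for p, label in labels.items()
              if p != renamed_slug and label in ("login-form", "redirect-to-renamed")]
    return labels, bypass

# Constructed responses modelling the state reported in the thread (not captured traffic).
FORM = '<form name="loginform" id="loginform" method="post"><input name="log"><input name="pwd"></form>'
SAMPLE = {"wp-login.php": (404, None, "Not found"),
          "wp-login/": (200, None, FORM),
          "customizedURL": (200, None, FORM)}

def fake_fetch(url):
    return SAMPLE[url.split("/", 3)[3]]
```

`audit("https://domain", "customizedURL", fake_fetch)` reproduces the reported state offline; against your own site, omit the third argument so the real `fetch` is used.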

    Thread Starter fogger

    (@fgruen)

    I don’t have a developer, because I only use the standard tools, also concerning e.g. themes. And with the mentioned site there are no adjustments in the code in Twenty Twenty Three either. The .htaccess looks like this:

    
    
    # BEGIN WordPress
    # The directives (lines) between "BEGIN WordPress" and "END WordPress" are
    # dynamically generated and should only be modified via WordPress filters.
    # Any changes to the directives between these markers will be overwritten.
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    
    # END WordPress
    

    Since I’m not really familiar with Pastebin, is there another way to securely exchange credentials?

    Thread Starter fogger

    (@fgruen)

    I tried it anyway:

    Link: https://pastebin.com/7hqnJC1D

    PW: nmzA2XwBDW

    Plugin Support hjogiupdraftplus

    (@hjogiupdraftplus)

    Hi @fgruen

    It is against www.remarpro.com policy to share credentials of your site with us. Please do not do that.

    Regards

    Thread Starter fogger

    (@fgruen)

    ok. I have deleted the pastebin again. What do we do now?

  • The topic ‘v 5.2.1: /wp-login/ remains accessible after rename of login page’ is closed to new replies.