Renamed login page and login whitelist not working

Hi ConjurerGFX can you elaborate a bit more and provide more information please.

Thank you

Hi mbrsolution,

Thank you for your answer. Sure I can.

When I have renamed the login page to for example ‘my-alternative-login’ I have to login using the url ‘www.mywebsite.com/my-alternative-login’. So far so good, this is working nicely.

Then I have input my IP address (for example 1.2.3.4) in the whitelist and I enabled the login whitelist functionality. Next I logout and try to login again in using the URL ‘www.mywebsite.com/my-alternative-login’. This is also working as expected as my IP address is in the whitelist.

Next I try to login from an other location with a different IP address (for example 4.3.2.1). This IP address is not in the login whitelist. Trying to login to ‘www.mywebsite.com/my-alternative-login’ succeeds, I see the login page and can input login credentials. This is not as expected. What I would expect is that I would be blocked (displaying an error message), redirected or such.

Kind regards,
Paul.

Hi Paul, thank you for the extra information. I now know what you mean.

Can you try the following, uncheck the rename login page so it goes back to normal login. Then leave your IP address in the login whitelist option. Now try and login from another location with a different IP address.

I am just trying to work out whether it is a bug or not.

Kind regards

Thank you for your reply.

What I have tested is the following:

Test scenario #1

Situation:
Option rename login page enabled.
Option login whitelist enabled (IP address from another location with different IP address not in the list).

Scenario:
Trying to login from another location with a different IP address on the renamed login page.

Outcome:
Getting the WordPress login screen.

Test scenario #2

Situation:
Option rename login page disabled.
Option login whitelist enabled (IP address from another location with different IP address not in the list).

Scenario:
Trying to login from another location with a different IP address on default login url like so: https://www.mywebsite.com/admin

Outcome:
Getting a non-Wordpress credential login screen with title “Connect to <website>”.

Thank you for the extensive information. I have a question, do you have any other security plugin installed?

I do not have an other security plugin installed. All in one WP security and firewall is all I have installed for security purposes.

I do use the W3 Total Cache plugin. It’s not a security plugin but it does make some changes for rewrites etc.

Hi ConjurerGFX one of the developers will look into this issue for you.

Kind regards

Hi @conjurergfx,
Yes what you’re seeing is expected behaviour given the current way those features are designed.
What’s happening is that the white list feature adds a rule to the .htaccess file which protects the “wp-login.php” file but since you’ve renamed that page to something else that rule is no longer going to stop people from accessing the renamed page.

We will apply some improvements to this feature so that it can detect whether the rename login page feature is active and if so it will write a rule which includes the renamed slug instead of the standard wp-login.php.

In the meantime just use only one of those features or swap the rename login page feature for the cookie based brute force feature which can currently be used together with the white list feature.

@mbrsolution, thank you for your support!

@wpsolutions:
Thank you for your reply. I will disable the whitelist and wait for a fix for this plugin.

King regards,
Paul.