• Resolved TheWatcher2

    (@thewatcher2)


    I routinely use an alternate WordPress login URL to hide my login area from hackers and bots. It completely prevents login attacks. However, upon cloning my website with WP Staging, I opened up the new admin site and proceeded to change the default WordPress login URL to an alternate one that I use for my other sites. Immediately after doing this, a crawler came to the new staging site and visited the new “hidden” WordPress login page! I have never had this alternative login site breached before by a bot. The bot that found this secret login URL was the BomboraBot and the breach occurred within seconds of creating the new wp-login URL.

    Somehow, WP Staging revealed my secret wp-login site and the BomboraBot found it! I have inspected the pages on the staging site, and the only way to find any reference to the secret wp-login URL is if someone was successfully logged into the staging site’s admin and inspected the header information, which only then shows the hidden login URL.

    Please let me know if there is a security issue with the use of the WP Staging plugin to create a cloned staging site. If I can’t determine where the breach occurred, then I’ll have to uninstall the plugin and change the alternative wp-login URL for my other sites.

Viewing 8 replies - 1 through 8 (of 8 total)
  • Plugin Author Rene Hermenau

    (@renehermi)

    The bot that found this secret login URL was the BomboraBot and the breach occurred within seconds of creating the new wp-login URL.

    What tool did you use to see the bot visiting your new login page?
    Log files, any JS based tracker, a certain plugin?

    What plugin do you use for hiding the login page?

    WP STAGING does not reveal any information about the existence of a staging site or where this staging site can be found, so I need more information on how you watched the bot visiting the new login URL to find an explanation for this.

    Please let me know if there is a security issue with the use of the WP Staging plugin to create a cloned staging site.

    If we are aware of one we would already have it fixed.

    Thread Starter TheWatcher2

    (@thewatcher2)

    I used the Wordfence Security plugin to monitor live traffic and the BomboraBot has been to the site several times probing the new login page. I used the Defender plugin to mask the usual WordPress login URL and create the new login URL. It happens to be the same hidden URL for logins that I’ve set up on every other website I’ve developed, including two live sites and one other testing site. No bot has ever successfully discovered the new login URL. It is not easily guessed and I don’t believe the new login URL could be reached without it being let out by a security breach. Perhaps WP Staging is incompatible with one of these two security plugins.

    Thread Starter TheWatcher2

    (@thewatcher2)

    I have noticed that WP Staging does not work with Defender’s 2-factor authentication settings, so that may indicate an incompatibility.

    Plugin Author Rene Hermenau

    (@renehermi)

    By default, WP Staging disables the permalinks on the staging site. To make your “hide login” work, you have to activate the post name permalinks after creating the staging site.

    Please read this https://wp-staging.com/docs/activate-permalinks-staging-site/

    Please let me know if it works.

    Thread Starter TheWatcher2

    (@thewatcher2)

    Hi Rene,

    I actually activated the post name permalinks before trying to set up the “hide login” URL. Still no reason why the alternate wp-login site could be found by the bot. I’ve inactivated the Defender Security plugin for the WP Staging site, which is not ideal. I’ll have to use another route to setting up a hidden login URL.

    Thanks,
    Greg

    Thread Starter TheWatcher2

    (@thewatcher2)

    I also just noticed that the WP Staging plugin is incompatible with the WordPress Under Construction plugin. Instead of showing visitors who are not logged in the under construction page, it shows the wp-login page. That’s convenient for any malicious bots! I had to shut that plugin down also. It’s not really a dev site now.

    Plugin Author Rene Hermenau

    (@renehermi)

    I am trying to reproduce it, Greg.

    Besides that:

    A staging site should already be a hidden site. Thus renaming the login URL is not necessary anymore.

    Take this one: example.com/myhidden-stagingsite/wp-admin

    This URL is not public, so it should have the same effect as renaming the default admin login on the live site like example.com/my-hidden-wp-admin

    I don’t know the defender plugin nor how it works. A separate connection to the staging site could be required to show accurate traffic data. Maybe it’s showing data sources from the live site on the staging site.

    It’s very unlikely that a bot can visit your new staging site within seconds if the URL has not been made public.

    I will have a look at it and think about this more.

    Thread Starter TheWatcher2

    (@thewatcher2)

    Rene,

    Thanks for your quick replies. Maybe I did something wrong right from the beginning, because bots started crawling the staging site (https://mysite.com/dev2) as soon as it was established. At that time, bots were going to //mysite.com/dev2/wp-login/ before I got a chance to set up the hidden wp-login URL. So from the start, the staging site was discovered as a folder within my main site. Not sure how this may have happened.

    Thanks,
    Greg
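One way to settle the question Rene raises (how the bot visit was observed) is to read the web server's own access log instead of a plugin's live-traffic view and check when the staging folder and its login URLs were first requested, and by which user agent. This is an added example, not code from WP Staging, Wordfence or Defender; the log lines, the staging prefix /dev2 and the hidden login slug /my-secret-login/ are constructed placeholders.

```python
import re
from datetime import datetime

# Apache/nginx "combined" log format; the sample lines below are constructed.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:09:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:09:00:40 +0000] "GET /dev2/ HTTP/1.1" 200 4800 "-" "Mozilla/5.0 (compatible; BomboraBot/1.0)"
198.51.100.7 - - [10/Mar/2024:09:00:41 +0000] "GET /dev2/wp-login.php HTTP/1.1" 200 3300 "-" "Mozilla/5.0 (compatible; BomboraBot/1.0)"
203.0.113.5 - - [10/Mar/2024:09:05:12 +0000] "GET /dev2/my-secret-login/ HTTP/1.1" 200 3300 "https://mysite.com/dev2/wp-admin/" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:09:05:20 +0000] "GET /dev2/my-secret-login/ HTTP/1.1" 200 3300 "-" "Mozilla/5.0 (compatible; BomboraBot/1.0)"
"""

def parse(log_text):
    """Yield one dict per line that matches the combined format, with a parsed timestamp."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield rec

def first_hits(log_text, staging_prefix, watched_paths):
    """Map each watched path (relative to the staging prefix) to (timestamp, ip, user agent)
    of the first request that reached it."""
    seen = {}
    for rec in parse(log_text):
        for w in watched_paths:
            if w not in seen and rec["path"].startswith(staging_prefix + w):
                seen[w] = (rec["ts"], rec["ip"], rec["ua"])
    return seen

def seconds_until_crawler(log_text, staging_prefix, path):
    """Seconds between the first non-crawler request to path and the first crawler request
    (user agent containing 'bot'); None if either side never requested it."""
    target = staging_prefix + path
    human = crawler = None
    for rec in parse(log_text):
        if rec["path"] != target:
            continue
        if "bot" in rec["ua"].lower():
            crawler = crawler or rec
        else:
            human = human or rec
    if human is None or crawler is None:
        return None
    return (crawler["ts"] - human["ts"]).total_seconds()
```

In the constructed sample the crawler reaches the staging folder and /wp-login.php on its own, and the hidden slug eight seconds after the first browser request to it; on a real log, a first hit that carries a referer from the staging wp-admin pages points at a logged-in session rather than a leak by the cloning plugin.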

  • The topic ‘Alternate WordPress login URL Revealed’ is closed to new replies.