• Resolved Unreal_NFS

    (@unrealnfs)


    <script>document.addEventListener('DOMContentLoaded', function(){ if (!window.BreakdanceFrontend) { window.BreakdanceFrontend = {} }

    window.BreakdanceFrontend.data = {"homeUrl":"https:\/\/domain.com","ajaxUrl":"https:\/\/domain.com\/wp-admin\/admin-ajax.php","elementsPluginUrl":"https:\/\/domain.com\/wp-content\/plugins\/breakdance\/subplugins\/breakdance-elements\/","BASE_BREAKPOINT_ID":"breakpoint_base","breakpoints":[{"id":"breakpoint_base","label":"Desktop","defaultPreviewWidth":"100%"},{"id":"breakpoint_tablet_landscape","label":"Tablet Landscape","defaultPreviewWidth":1024,"maxWidth":1119},{"id":"breakpoint_tablet_portrait","label":"Tablet Portrait","defaultPreviewWidth":768,"maxWidth":1023},{"id":"breakpoint_phone_landscape","label":"Phone Landscape","defaultPreviewWidth":480,"maxWidth":767},{"id":"breakpoint_phone_portrait","label":"Phone Portrait","defaultPreviewWidth":400,"maxWidth":479}],"subscriptionMode":"pro"} }) </script>

    ————————————————————————–

    Please note the above-pasted script — it contains “wp-admin” and also “wp-content” path displayed. Even if we update these paths in the HideMyWPGhost, the secret wp-admin path and also the newly set wp-content path display here, destroying the secrecy the HideMyWPGhost plugin provides.

    This script is put up in the footer area of each page! Even Bricks Theme uses a similar script on each page to load the page’s content.

    Please help.

    Thanks a bunch.

Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Support Peter

    (@petersquirrly)

    Hi @unrealnfs ,

    The wp-admin and wp-content paths are actually not a secret path. All WordPress sites have these paths, and are well known.

    However, I can’t see the secret wp-admin path you are mentioning. Would you mind letting us know which one it is?

    What’s important is that the wp-admin & wp-content paths are hidden. You can test this out by using the URL domain.com/wp-admin and see if it works. If yes, go to Change Paths > Admin Security and hide it.

    Besides this, you can test it out by going to Security Check and see if any tasks are failed. If so, make sure to complete them to ensure that your website is secure.

    Thread Starter Unreal_NFS

    (@unrealnfs)

    Of course, wp-admin and wp-content paths are not by any means secret — everyone who knows WordPress should know them already, and no surprise I know it too.

    As we know already, HideMyWPGhost plugin allows us to make new paths/folder names for plugins, themes, wp-content, etc. and these new paths will be visible in the HTML source. Nothing wrong here — as its purpose is to hide (make the famous well-known WP folders a secret though the new paths are still revealed in the HTML source) the general WordPress folders on your site.

    But, wp-admin’s new path becoming publicly visible is something that’s not supposed to happen — it is supposed to remain hidden — so, that is why I meant the new path to wp-admin a secret. No wonder, the Ghost mode hides the default name of wp-admin path too.

    Now that’s cleared, I would like to divert your entire attention to the wp-admin path only.

    In the above already embedded-code we can see that not-supposed-to-be-revealed detail is output in the HTML source — I am not speaking about wp-content — I am speaking about the wp-admin path.

    CODE: https:\/\/domain.com","ajaxUrl":"https:\/\/domain.com\/wp-admin\/admin-ajax.php

    In this example, the default wp-admin is used, but if at all it is changed to anything else using HideMyWPGhost — that is displayed too by the Breakdance builder, which is otherwise supposed to be a secret!

    Eg., https:\/\/domain.com","ajaxUrl":"https:\/\/domain.com\/Ghost-admin\/admin-ajax.php

    Also, please note — admin-ajax.php file is also revealed — this again is something HideMyWPGhost allows to change. But what’s the point if those are revealed in the HTML source code??

    Eg., https:\/\/domain.com","ajaxUrl":"https:\/\/domain.com\/Ghost-admin\/admin-ajax.php

    P.S. But, there is a way to hide wp-admin — on the page that it allows to rename admin-ajax.php file, there is an option to hide wp-admin path to it! But, removing wp-admin from the path could sometimes cause issues with other plugins. And, again — it would still display the new admin-ajax.php file name.

    Of course, this is Breakdance builder’s issue and not HideMyWPGhost’s. Still, any solution? Thanks a bunch for your time.

    Note: This script is put up in the footer area of each page! Even Bricks Theme uses a similar script on each page to load the page’s content.

    Plugin Support Peter

    (@petersquirrly)

    Thank you for the details!

    “wp-admin’s new path becoming publicly visible is something that’s not supposed to happen — it is supposed to remain hidden”
    Yes, wp-admin shouldn’t be visible in the source code. Most likely another plugin is blocking the change if other parts of your website are hidden. You can test this out by disabling them one by one and see if wp-admin or other default paths are visible. Another solution would be to ‘force’ hide it using the Text Mapping feature.

    “In this example, the default wp-admin is used, but if at all it is changed to anything else using HideMyWPGhost — that is displayed too by the Breakdance builder, which is otherwise supposed to be a secret!”
    It’s important to keep in mind that we are not actually hiding them so they can’t be found in the source code, as that would cause a lot of issues. Using redirects, our plugin hides the paths by renaming them to something else. This is the method we are using to increase your website security. If the hackers and bots are not aware of which paths you are using, only if they blind-guess them, they can’t attack those paths.

    “removing wp-admin from the path could sometimes cause issues with other plugins.”
    Yes, this is possible, if those plugins don’t work with custom fonts. The best solution for that would be to reach out to the plugin author and ask them to make their plugin compatible with custom paths.

    “And, again — it would still display the new admin-ajax.php file name.”
    If the bots & hackers are not aware that the new path is for admin-ajax, they will be secure, as they can’t attack something they don’t know what it is.

    Thread Starter Unreal_NFS

    (@unrealnfs)

    Thanks for the response!

    Text Mapping — I was thinking of using it but needs to be tested. Will test it soon. Thanks. Maybe the path needs to be put in the source to help the page load using admin-ajax.php. This is what we can find not only in Breakdance builder but also in Bricks Builder too. Anyways, admin-ajax.php is supposed to be used by the admin and work mainly in the admin area — there are even plugins that help us in limiting its access.

    Quote: “This is the method we are using to increase your website security. If the hackers and bots are not aware of which paths you are using, only if they blind-guess them, they can’t attack those paths.” — this is what I mean when I keep saying, it’s a secret. HaHa Maybe, my words couldn’t express it enough. Thanks again for highlighting the reason — hide it from prying eyes.

    Quote: “If the bots & hackers are not aware that the new path is for admin-ajax, they will be secure, as they can’t attack something they don’t know what it is.” — they would be aware, that is exactly what the Breakdance builder and Bricks Theme are doing by displaying the path in the HTML source.

    https:\/\/domain.com","ajaxUrl":"https:\/\/domain.com\/Ghost-admin\/admin-ajax.php

    ====> Thanks for all the pointers and also suggesting to use “Text Mapping”.

    I consider this conversation to be satisfying! I wrote an email to the Breakdance team raising the issue. It is their issue, to begin with — I hope they will do the needful.

    Thanks again Peter!

    Great day! God Bless!

    Plugin Support Peter

    (@petersquirrly)

    Loved talking to you!

    Have a wonderful rest of your day, and if we can be of any further assistance for you or Breakdance team to get it sorted out, we are one message away.

    Thread Starter Unreal_NFS

    (@unrealnfs)

    Hi,

    Here is one TIP:

    We can Whitelist the server’s IP – this gave compatibility and nothing broke after this!

    I didn’t try this before.

    After this, we can change the admin-ajax.php file name to anything we want and also hide the wp-admin path. Now, the secret ghost-admin path is not visible in the frontend of the HTML source.

    What a relief?! I thought I should post this solution.

    Thanks.
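
A site owner can confirm this result from the rendered HTML rather than by eye. The check below is an added example, not part of the original thread or of either plugin's code: it undoes the JSON escaping (`\/`) that the builder's inline script uses, then looks for the path names that should stay out of the front end. The function names, the sample pages and the renamed file `ajax-call` are constructed for illustration.

```javascript
'use strict';

// Undo the escaping used in inline script data so that
// "https:\/\/domain.com\/wp-admin\/" compares like a plain URL.
function normalise(html) {
  return html
    .replace(/\\u([0-9a-fA-F]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/\\\//g, '/')               // JSON-escaped slash
    .replace(/&#0?47;|&#x2f;/gi, '/');   // HTML-entity slash
}

// Return one finding per occurrence of a path segment the owner wants
// kept out of the page source (custom admin folder, ajax file name).
function findLeakedPaths(html, segments) {
  const text = normalise(html);
  const findings = [];
  for (const seg of segments) {
    const escaped = seg.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
    // Match the segment only as a whole path component.
    const re = new RegExp('/' + escaped + '(?=[/?#"\'\\s]|$)', 'gi');
    let m;
    while ((m = re.exec(text)) !== null) {
      const start = Math.max(0, m.index - 30);
      findings.push({
        segment: seg,
        context: text.slice(start, m.index + m[0].length + 20),
      });
    }
  }
  return findings;
}

// Constructed samples modelled on the snippet quoted in this thread.
const leakyPage = '<script>window.BreakdanceFrontend.data = {"homeUrl":"https:\\/\\/domain.com",' +
  '"ajaxUrl":"https:\\/\\/domain.com\\/Ghost-admin\\/admin-ajax.php"}</script>';
const cleanPage = '<script>window.BreakdanceFrontend.data = {"homeUrl":"https:\\/\\/domain.com",' +
  '"ajaxUrl":"https:\\/\\/domain.com\\/ajax-call"}</script>';

const watched = ['wp-admin', 'Ghost-admin', 'admin-ajax.php'];
for (const f of findLeakedPaths(leakyPage, watched)) {
  console.log('LEAK', f.segment, '=>', f.context);
}
console.log('clean page findings:', findLeakedPaths(cleanPage, watched).length);
```

Run it over the saved source of each page template (home, post, archive, 404), since a builder may emit its data block on only some of them.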

    Plugin Support Peter

    (@petersquirrly)

    Awesome! Thank you for mentioning this, as it will more than sure help others who bump into the same situation.

  • The topic ‘Breakdance Builder reveals “secret” ADMIN path in the html source’ is closed to new replies.