• Hi

    I would like to ask a question concerning the “Hide Backend” option.

    We have iThemes Security installed on our website and the “Hide Backend” option is active and works as intended.

    However, the website has WooCommerce installed. With WooCommerce comes a customer login page. This login page is not hidden and it should not be hidden. But it is possible to login as administrator on the WooCommerce customer login page.

    If the point of hiding the backend is to minimize the risk of brute force attacks against admin accounts, then the WooCommerce customer login page should also be secured in some way. Otherwise, what’s the point of hiding the WordPress login page while attackers can still take aim at the WooCommerce customer login page?

    Do you have any suggestions on how to prevent the WooCommerce customer login page from accepting the credentials of an administrator, even if they are the correct credentials?

Viewing 6 replies - 1 through 6 (of 6 total)
  • Micha

    (@michapaashuis)

    Follow. I have the same question.

    Yes, same question here. Even with all kinds of custom logins, the plugin detects all of them and applies every single security policy to all forms, IP bans as an example: so imagine that a customer is trying to log in to his WooCommerce account and gets banned (depending on your settings) for 10 minutes or whatever. These policies should be only for the WordPress login/register form.

    :S

    Thread Starter Gevorg

    (@gev0rg)

    Is there any reply from the developers concerning this issue?

    Thread Starter Gevorg

    (@gev0rg)

    It has been more than two weeks since I posted this question, but so far no one from the development team has replied.

    It is a security issue that I raised here, a faulty concept if you will.

    If there is an alternative login page, like the customer login page from WooCommerce, then all the security measures involving “Hide backend” become null and void, because it is possible to log in as administrator on the customer login page, which is not hidden behind a cryptic login link.

    Can you please share your opinion regarding this issue? Are you aware of it?

    According to the FAQ :

    = Where can I get help if something goes wrong? =
    * Official support for this plugin is available for iThemes Security Pro customers. Our team of experts is ready to help.

    Free support may be available with the help of the community in the www.remarpro.com support forums (Note: this is community-provided support. iThemes does not monitor the www.remarpro.com support forums).

    That last sentence isn’t entirely true. Occasionally iThemes does respond in this forum. Especially after a plugin update…

    That said, the Hide Backend module is considered security by obscurity. It doesn’t really strengthen the security of your site, like strong passwords or two-factor authentication do. Personally I only find it useful for preventing automated brute force attacks which might slow down the site.
    Just sharing my thoughts.

    To prevent any confusion, I’m not iThemes.

    Thread Starter Gevorg

    (@gev0rg)

    Thank you for your thoughts.

    I do understand the concept which you mention but I think it’s worthwhile to consider the scenario which I describe. It’s like a backdoor that circumvents the core concept of “Hide backend”.

    Is it possible to prevent the login of certain user roles, including admin, on the customer login page of, for example, WooCommerce, while not messing around with the default WordPress login which has been hidden with iThemes Security?

    What comes to my mind is to use certain keywords in admin or shop manager usernames and redirect or block login attempts which try to gain access through the customer login page using credentials that contain those keywords.

    Would this mess around with the default WordPress login procedure?
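One way to do what the opening post and the last reply ask for, as an added example that is not code from this thread, from iThemes Security or from WooCommerce: a small WordPress plugin that refuses to authenticate privileged roles when the login request came through the WooCommerce My Account or checkout login form, while leaving the (hidden) wp-login.php flow alone. It hooks the core `wp_authenticate_user` filter, which WordPress applies after the account is looked up but before the password is compared, so an attempt against an admin name on the shop form never gets a yes/no answer about the password. It assumes, as WooCommerce's form handler does, that the front-end form posts a `woocommerce-login-nonce` field; the role list, the `wcx_` function names and the text domain are this example's own choices. Checking the user's actual roles is more robust than the keyword-in-username idea above, because it cannot be sidestepped by renaming an account.

```php
<?php
/**
 * Plugin Name: Block privileged logins on WooCommerce forms (example)
 * Description: Rejects authentication for privileged roles when the login
 *              comes through the WooCommerce front-end login form. The
 *              regular wp-login.php flow (hidden or not) is not touched.
 */

// Roles that must never authenticate via the customer-facing form.
// Example values, not taken from the thread; adjust for your site.
const WCX_BLOCKED_ROLES = array( 'administrator', 'shop_manager', 'editor' );

/**
 * True when the current request is a WooCommerce front-end login submission.
 *
 * Assumption: WC_Form_Handler::process_login() only handles the request when
 * the form posts both the 'login' button and the 'woocommerce-login-nonce'
 * field, so their presence identifies that path. wp-login.php sends neither.
 */
function wcx_is_woocommerce_login_request() {
    return isset( $_POST['woocommerce-login-nonce'], $_POST['login'] );
}

/**
 * Decide whether this account may log in through the customer form.
 * Role membership is checked first; the capability check also catches
 * custom roles that were granted admin-level rights.
 */
function wcx_user_is_blocked_here( WP_User $user ) {
    if ( array_intersect( WCX_BLOCKED_ROLES, (array) $user->roles ) ) {
        return true;
    }
    return user_can( $user, 'manage_options' );
}

/**
 * Filter callback for 'wp_authenticate_user'.
 *
 * Core applies this filter inside wp_authenticate_username_password() and
 * wp_authenticate_email_password() once the user record is found and BEFORE
 * wp_check_password() runs. Returning a WP_Error here aborts the login, and
 * WooCommerce shows the error text as a notice on the form.
 */
function wcx_deny_privileged_login_on_wc_form( $user, $password ) {
    // Pass through anything that is not a found user (e.g. an earlier error).
    if ( ! ( $user instanceof WP_User ) ) {
        return $user;
    }
    // Only act on the WooCommerce form; wp-login.php and other flows are untouched.
    if ( ! wcx_is_woocommerce_login_request() ) {
        return $user;
    }
    if ( ! wcx_user_is_blocked_here( $user ) ) {
        return $user;
    }

    // Record the event for monitoring. No password is checked, so a hit here
    // only says someone submitted a privileged username on the shop form.
    error_log( sprintf(
        'wcx: refused privileged login for "%s" on WooCommerce form from %s',
        $user->user_login,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );

    // Deliberately generic wording so the response does not tell the
    // submitter that this particular username belongs to a privileged role.
    return new WP_Error(
        'wcx_login_not_allowed_here',
        __( 'Login failed. Please check your details and try again.', 'wcx-example' )
    );
}
add_filter( 'wp_authenticate_user', 'wcx_deny_privileged_login_on_wc_form', 10, 2 );
```

Drop the file into `wp-content/mu-plugins/` (or `wp-content/plugins/` and activate it). It covers only the WooCommerce form; other entry points such as XML-RPC or the REST API are separate code paths and need their own controls, and the lockout behaviour the second reply complains about (the plugin applying bans to every form) is not changed by this, since the refusal happens before iThemes Security ever sees a wrong password.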

  • The topic ‘Hide backend works, but what about WooCommerce customer login page?’ is closed to new replies.