Viewing 8 replies - 1 through 8 (of 8 total)
  • Plugin Contributor wpsolutions

    (@wpsolutions)

    The “rename login page” feature does not use any .htaccess rules – it works purely via PHP. Therefore irrespective of whether you are using Nginx or Apache type server, this feature should work.

    If you are having issues with the rename login feature then I suggest that you try to see if there is a plugin/theme conflict. Try some tests by deactivating all plugins except aiowps to see if there is any conflict. Similarly (if needed) try reverting your theme to a standard theme (eg, twentysixteen).

    I use Nginx as well, and also have a problem with the rename login feature. It does work, creating a hidden login and invalidating the standard one, however, bots are finding the hidden url quickly.

    aiowps does show the login url in .htaccess, in the #AIOWPS_LOGIN_WHITELIST section, so I thought that was how they found it. But I made .htaccess chmod 440, so it should not be visible. In nginx.conf, we also made .htaccess inaccessible.

    I also have Captcha enabled, so I don’t know how they’re getting around that either. But they are definitely attempting to login, and are getting temporarily blocked from too many login attempts.

    How can bots find this hidden login? Any ideas?

    Plugin Contributor wpsolutions

    (@wpsolutions)

    The bots are not finding the hidden url. What they are doing is targeting your xmlrpc.php file.
    Normally I would tell you to activate the pingback protection firewall feature but since you are on nginx that won’t work.
    If you know the correct conversion code you can manually insert the equivalent nginx code for the following apache directives:

    <Files xmlrpc.php>
        order deny,allow
        deny from all
    </Files>

    Which is the first thing I do on every new WordPress site. I find that feature disturbing, it should be optional. The WordPress core settings ‘system’ could use a round or two on the dev coaster.

    I have a hidden login url on a Nginx system too, and I just added these to the .conf file for my site, and it seems to be working. Bots are not finding the login.

    location /xmlrpc.php {
        deny all;
    }
    location /wp-login.php {
        deny all;
    }

    You should add this too:

    location /wp-config.php {
        deny all;
    }
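
The Nginx counterpart of the Apache `<Files>` block and the location rules posted above, as an added example that is not part of any reply in this thread. It uses exact-match locations because, in a server block that also contains a regex PHP handler (assumed here, with a placeholder socket path), a plain prefix location loses to the regex and the `deny` never applies.

```nginx
# Added example, not from the thread. Assumes the site's server block also
# carries the usual regex PHP handler; the fastcgi_pass socket is a placeholder.
server {
    # ... listen / server_name / root as in the existing site config ...

    # Exact-match (=) locations are checked first and end the search, so
    # these apply even though the regex location below also matches *.php.
    location = /xmlrpc.php    { deny all; }
    location = /wp-login.php  { deny all; }
    location = /wp-config.php { deny all; }

    # A plain prefix form such as `location /xmlrpc.php { deny all; }` is
    # only remembered as a candidate: nginx then tests regex locations in
    # order, and this block would take the request instead of the deny.
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;  # placeholder path
    }
}
```

After `nginx -t` passes and the configuration is reloaded, a request to each of the three paths should return 403.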

    Plugin Contributor mbrsolution

    (@mbrsolution)

    @jamminjames thank you for sharing. Is your solution still working?

    Yup!

    Plugin Contributor mbrsolution

    (@mbrsolution)

    Thank you

  • The topic ‘How it works with Nginx ?’ is closed to new replies.