• Resolved semoliner

    (@semoliner)


    Hi, I received an unexpected password reset email. The originating IP address for the request was a Chinese one. My hidden log-in URL comprises random characters, so there should be no way for a hacker to guess it. Of equal concern is that my username is a longer complex series of characters, even more impossible to guess. Given that the password reset email came to me (as it should) my password was not ultimately reset by the hacker.

    Is there any known issue that would expose these private details? At least the log-in URL is supposed to be obfuscated by this plugin (which is the main reason I installed it). I have no idea how the username could have been exposed, due to its complex nature and that it’s known only by my password manager program.

    Given that the credentials are now exposed, I could of course change both of them, but there seems little point in doing that, given that there is apparently a security flaw somewhere, which could be utilised by the hacker again?

Viewing 14 replies - 1 through 14 (of 14 total)
  • Plugin Contributor Maya

    (@tdgu)

    Hi,
    Most probably your theme or a plugin on your site is outputting the customized login URL in the HTML code. That is happening if your site has a login form that users can use to access the dashboard.
    If you can send your site URL I can check from this side.


    Thanks

    Thread Starter semoliner

    (@semoliner)

    Thanks Maya, that would be great. The site is soldonhold.com.au
    The site has no users apart from myself, so there should be no login forms as far as I know, apart from the hidden login stub that I use to login to WP of course.

    I’m seeing exactly the same thing across many websites I’ve developed previously. So far none of them have been compromised, but it’s unnerving they’re able to discern the random username for the admin user.

    Plugin Contributor Maya

    (@tdgu)

    @semoliner I see the admin url ( ajax URL which also includes the customized admin ) in 3 places in your code:

    e.g. "_ajax_url":"\/wp-admin\/admin-ajax.php"

    That is how the others see your new admin URL.

    @macambulance That should be the same issue on your site. Search your HTML code and see where it outputs that. Further, check on how to remove it without breaking any functionality on your site.
    If you can’t find it, send the site URL and I’ll check from here.

    Thanks
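As an added example (not part of this thread and not the WP Hide plugin's own code), the following Python script performs the check Maya suggests: it searches a page's HTML for the admin-ajax URL and other login-related endpoints, undoes the JSON `\/` escaping that script-localisation output uses, and reports the admin path the ajax URL reveals, with the line it was found on. The sample HTML, the hostname and the slugs are constructed placeholders.

```python
import re

# Constructed sample page, modelled on the exposure described in the thread:
# a theme localises its script settings as JSON, so the JSON-escaped
# admin-ajax URL carries the customised admin directory in front of it.
SAMPLE_HTML = r"""<!doctype html>
<html><head>
<script id="theme-js-extra">
var themeSettings = {"_ajax_url":"\/x7q2-panel\/admin-ajax.php","nonce":"abc123"};
</script>
</head><body>
<p>Welcome.</p>
<form action="https://example.test/secret-door-91/" method="post">
<input type="text" name="log"><input type="password" name="pwd">
</form>
</body></html>
"""

# One URL character, allowing the JSON-escaped "\/" form of a slash.
URL_CHARS = r'[\w.:\-]|\\?/'

# Patterns a site owner would grep for: the admin-ajax case from the thread,
# the default login script, and any form that posts a WordPress password field.
LEAK_PATTERNS = {
    "admin-ajax": re.compile(r'(?:' + URL_CHARS + r')*admin-ajax\.php'),
    "wp-login": re.compile(r'(?:' + URL_CHARS + r')*wp-login\.php'),
    "login-form": re.compile(
        r'<form\b[^>]*\baction="([^"]*)"(?:(?!</form>).)*name="pwd"', re.S),
}


def unescape_json_url(raw):
    """Turn a JSON-escaped URL ("\/wp-admin\/...") back into a plain path."""
    return raw.replace("\\/", "/")


def admin_slug_from_ajax_url(url):
    """Return the admin directory that precedes admin-ajax.php, e.g. '/x7q2-panel'."""
    path = re.sub(r'^https?://[^/]+', '', unescape_json_url(url))
    prefix = path.rsplit('/admin-ajax.php', 1)[0]
    return prefix or '/'


def find_leaks(html):
    """Scan HTML for leaked admin/login URLs; return findings sorted by line."""
    findings = []
    for kind, pattern in LEAK_PATTERNS.items():
        for m in pattern.finditer(html):
            raw = m.group(1) if m.groups() else m.group(0)
            line = html.count("\n", 0, m.start()) + 1
            entry = {"kind": kind, "line": line, "value": unescape_json_url(raw)}
            if kind == "admin-ajax":
                entry["admin_path"] = admin_slug_from_ajax_url(raw)
            findings.append(entry)
    return sorted(findings, key=lambda f: f["line"])


if __name__ == "__main__":
    for f in find_leaks(SAMPLE_HTML):
        print(f"line {f['line']:>3}  {f['kind']:<11} {f['value']}"
              + (f"  -> admin path {f['admin_path']}" if "admin_path" in f else ""))
```

Run it against the saved HTML of your front page (and of a logged-out post page, since plugins often only localise scripts there); anything it reports is visible to every visitor, which is exactly how "the others" learn a customised admin URL.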

    I rely on that variable for Ajax posting to fetch content dynamically. As it’s a default URL, would it present a security risk exposing it? I sanitise all input from the Ajax post commands.

    It’s more the custom username rather than the admin URL which is unnerving. Is it possible to discern the admin username from that Ajax URL?

    Plugin Contributor Maya

    (@tdgu)

    Hi,
    We just updated the plugin ( Version 2.3.5 ) which includes a new feature. Can you try the new option at WP Hide > Login / Admin > Admin URL > Disable Admin Url redirect to Login page?
    Make sure you customize the admin URL for the option to trigger.

    Thanks

    Thread Starter semoliner

    (@semoliner)

    Hi, okay, I updated to the new plugin version, but immediately upon setting the new admin url stub, ‘There has been a critical error on this website’ was generated. I then renamed the plugin to fix this. I then completely uninstalled the plugin and downloaded/installed it again, but again the critical error occurred, this time immediately after the plugin was activated.

    Plugin Contributor Maya

    (@tdgu)

    Hi,
    Sorry for this, can you copy -> paste the error message you see on your logs regarding the critical error ?

    Thanks

    Thread Starter semoliner

    (@semoliner)

    Hi, okay, hopefully this might help

    [14-Mar-2024 08:15:56 UTC] PHP Deprecated: Return type of Google\Collection::rewind() should either be compatible with Iterator::rewind(): void, or the #[\ReturnTypeWillChange] attribute should be used to temporarily suppress the notice in /home/soldonhold/soldonhold.com.au/wp-content/plugins/boldgrid-backup-premium/vendor/google/apiclient/src/Collection.php on line 14
    [14-Mar-2024 08:15:56 UTC] PHP Deprecated: Return type of Google\Collection::count() should either be compatible with Countable::count(): int, or the #[\ReturnTypeWillChange] attribute should be used to temporarily suppress the notice in /home/soldonhold/soldonhold.com.au/wp-content/plugins/boldgrid-backup-premium/vendor/google/apiclient/src/Collection.php on line 49
    [14-Mar-2024 08:16:00 UTC] PHP Fatal error: Uncaught Error: Call to undefined function is_user_logged_in() in /home/soldonhold/soldonhold.com.au/wp-content/plugins/wp-hide-security-enhancer/modules/components/admin-login_php.php:161
    Stack trace: 0 /home/soldonhold/soldonhold.com.au/wp-includes/class-wp-hook.php(324): WPH_module_admin_login_php->login_url(‘https://www.sol…’, ”, false) 1 /home/soldonhold/soldonhold.com.au/wp-includes/plugin.php(205): WP_Hook->apply_filters(‘https://www.sol…’, Array) 2 /home/soldonhold/soldonhold.com.au/wp-includes/general-template.php(467): apply_filters(‘login_url’, ‘https://www.sol…’, ”, false) 3 /home/soldonhold/soldonhold.com.au/wp-content/plugins/security-malware-firewall/security-malware-firewall.php(567): wp_login_url() 4 /home/soldonhold/soldonhold.com.au/wp-content/plugins/security-malware-firewall/security-malware-firewall.php(206): spbc_firewall__check() 5 /home/soldonhold/soldonhold.com.au/wp-settings.php(473): include_once(‘/home/soldonhol…’) 6 /home/soldonhold/soldonhold.com.au/wp-config.php(115): require_once(‘/home/soldonhol…’) 7 /home/soldonhold/soldonhold.com.au/wp-load.php(50): require_once(‘/home/soldonhol…’) 8 /home/soldonhold/soldonhold.com.au/wp-blog-header.php(13): require_once(‘/home/soldonhol…’) 9 /home/soldonhold/soldonhold.com.au/index.php(17): require(‘/home/soldonhol…’) 10 {main}

    thrown in /home/soldonhold/soldonhold.com.au/wp-content/plugins/wp-hide-security-enhancer/modules/components/admin-login_php.php on line 161
    [14-Mar-2024 08:16:00 UTC] PHP Notice: Function is_embed was called incorrectly. Conditional query tags do not work before the query is run. Before then, they always return false. Please see Debugging in WordPress for more information. (This message was added in version 3.1.0.) in /home/soldonhold/soldonhold.com.au/wp-includes/functions.php on line 6031
    [14-Mar-2024 08:16:00 UTC] PHP Notice: Function is_search was called incorrectly. Conditional query tags do not work before the query is run. Before then, they always return false. Please see Debugging in WordPress for more information. (This message was added in version 3.1.0.) in /home/soldonhold/soldonhold.com.au/wp-includes/functions.php on line 6031
    [14-Mar-2024 08:16:00 UTC] PHP Fatal error: Uncaught Error: Call to undefined function is_user_logged_in() in /home/soldonhold/soldonhold.com.au/wp-content/plugins/wp-hide-security-enhancer/modules/components/admin-login_php.php:161
    Stack trace: 0 /home/soldonhold/soldonhold.com.au/wp-includes/class-wp-hook.php(324): WPH_module_admin_login_php->login_url(‘https://www.sol…’, ”, false) 1 /home/soldonhold/soldonhold.com.au/wp-includes/plugin.php(205): WP_Hook->apply_filters(‘https://www.sol…’, Array) 2 /home/soldonhold/soldonhold.com.au/wp-includes/general-template.php(467): apply_filters(‘login_url’, ‘https://www.sol…’, ”, false) 3 /home/soldonhold/soldonhold.com.au/wp-content/plugins/security-malware-firewall/security-malware-firewall.php(567): wp_login_url() 4 /home/soldonhold/soldonhold.com.au/wp-content/plugins/security-malware-firewall/security-malware-firewall.php(206): spbc_firewall__check() 5 /home/soldonhold/soldonhold.com.au/wp-settings.php(473): include_once(‘/home/soldonhol…’) 6 /home/soldonhold/soldonhold.com.au/wp-config.php(115): require_once(‘/home/soldonhol…’) 7 /home/soldonhold/soldonhold.com.au/wp-load.php(50): require_once(‘/home/soldonhol…’) 8 /home/soldonhold/soldonhold.com.au/wp-blog-header.php(13): require_once(‘/home/soldonhol…’) 9 /home/soldonhold/soldonhold.com.au/index.php(17): require(‘/home/soldonhol…’) 10 {main}

    thrown in /home/soldonhold/soldonhold.com.au/wp-content/plugins/wp-hide-security-enhancer/modules/components/admin-login_php.php on line 161
    [14-Mar-2024 08:16:00 UTC] PHP Notice: Function is_embed was called incorrectly. Conditional query tags do not work before the query is run. Before then, they always return false. Please see Debugging in WordPress for more information. (This message was added in version 3.1.0.) in /home/soldonhold/soldonhold.com.au/wp-includes/functions.php on line 6031
    [14-Mar-2024 08:16:00 UTC] PHP Notice: Function is_search was called incorrectly. Conditional query tags do not work before the query is run. Before then, they always return false. Please see Debugging in WordPress for more information. (This message was added in version 3.1.0.) in /home/soldonhold/soldonhold.com.au/wp-includes/functions.php on line 6031

    Plugin Contributor Maya

    (@tdgu)

    Hi,
    Can you try the new Version: 2.3.6 which should make a fix to the problem.

    Thanks

    Thread Starter semoliner

    (@semoliner)

    OK thanks it’s no longer crashing. Can you please check again to confirm whether the admin url (ajax URL which also includes the customized admin) is now no longer exposed in the code?

    Hi, I was about to post about the same issue, and even after enabling that new option (WP Hide > Login / Admin > Admin URL > Disable Admin Url redirect to Login page), I found at least 3 places where the new admin url was exposed: once by our theme and 2 by different plugins.

    I’ve disabled the plugin for now since it’s not working but it would be great to find out how to fix this issue. Thanks

    @semoliner Checked for you and yours is still exposed also.

    • This reply was modified 8 months, 1 week ago by sunb1.
    Plugin Contributor Maya

    (@tdgu)

    @sunb1 You misunderstand the option usage.
    Removing the Ajax URL from the HTML would result in the loss of certain functionalities, making it an undesirable option. This is primarily because the Ajax URL contains the custom admin slug, which, when accessed, triggers WordPress to redirect users to the login URL. Such redirection behavior is often enforced by specific plugins.

    The new option which has been introduced: “Disable Admin URL Redirect to Login Page,” effectively eliminates this redirection behavior. With this option enabled, even if an AJAX URL exists in the frontend HTML, accessing it ( the first part of it, which is the custom admin URL ) would be futile unless the login URL is known (which can also be customized).

    Thanks
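An added example, not from this thread and not the plugin's code: Python detection logic run over constructed web-server access-log lines that flags the chain Maya describes (a request to the custom admin path answered with a redirect, followed within a short window by a hit on the login page from the same address) and any password-reset request, so the owner can see when the exposed ajax URL is actually being used to discover the login page. The admin and login slugs, IP addresses and timestamps are constructed placeholders, not the site's real values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Customised slugs as configured in the hiding plugin (constructed placeholders).
CUSTOM_ADMIN_PATH = "/x7q2-panel/"
CUSTOM_LOGIN_PATH = "/secret-door-91/"

# Constructed Apache/nginx "combined" log lines. The first address walks the
# admin-URL -> redirect -> login-page chain and then requests a password reset;
# the second is a legitimate front-end ajax call; the third is a direct login.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Mar/2024:08:10:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Mar/2024:08:10:02 +0000] "GET /x7q2-panel/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Mar/2024:08:10:03 +0000] "GET /secret-door-91/ HTTP/1.1" 200 3890 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Mar/2024:08:10:20 +0000] "POST /secret-door-91/?action=lostpassword HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [14/Mar/2024:08:12:00 +0000] "GET /x7q2-panel/admin-ajax.php?action=load_posts HTTP/1.1" 200 1802 "https://example.test/" "Mozilla/5.0"
192.0.2.44 - - [14/Mar/2024:09:00:00 +0000] "GET /secret-door-91/ HTTP/1.1" 200 3890 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    return {
        "ip": m.group("ip"),
        "time": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": path,
        "query": query,
        "status": int(m.group("status")),
    }


def classify(event):
    """Label the events we care about; ordinary traffic (and ajax calls) get None."""
    p = event["path"]
    if "action=lostpassword" in event["query"]:
        return "lostpassword"
    if (p.startswith(CUSTOM_ADMIN_PATH) and not p.endswith("admin-ajax.php")
            and event["status"] in (301, 302)):
        return "admin_probe"          # the redirect that discloses the login URL
    if p.startswith(CUSTOM_LOGIN_PATH):
        return "login_hit"
    return None


def find_suspicious(log_text, chain_window_s=30):
    """Return {ip: [reasons]} for addresses showing the probe chain or a reset request."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_ip[ev["ip"]].append(ev)
    findings = {}
    for ip, events in by_ip.items():
        reasons, last_probe = [], None
        for ev in sorted(events, key=lambda e: e["time"]):
            kind = classify(ev)
            if kind == "admin_probe":
                last_probe = ev["time"]
            elif kind == "login_hit" and last_probe is not None:
                if (ev["time"] - last_probe).total_seconds() <= chain_window_s:
                    reasons.append("admin-URL probe followed by login-page hit (redirect chain)")
                last_probe = None
            elif kind == "lostpassword":
                reasons.append("password reset requested")
        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    for ip, reasons in find_suspicious(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

With the "Disable Admin URL Redirect to Login Page" option on, the probe in line two would no longer be answered with a redirect, so the chain the script looks for cannot occur; the reset-request check stays useful either way, since it is the event that started this thread.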

    @maya Interesting. Will install again and test it out that way. Thanks

  • The topic ‘Password reset attempt’ is closed to new replies.