• Resolved Matt Schofield

    (@mattschofield)


    Hi

    In instances where the default WordPress login slug has been renamed to hide it from brute force attacks (e.g. login page renamed to example.com/letmein), and with this Password Protected plugin enabled, some elements of the site are revealed to anyone appending ‘/wp-login.php’ to the domain (e.g. example.com/wp-login.php). While page content isn’t displayed (reports a 404), the site styling, banner/header area and its contents such as menu(s) and search feature, and also the footer area, are revealed to the visitor.

    Just reporting the above as not sure if it’s known/by-design behaviour. A 301 redirect on /wp-login.php back to the home url resolves the problem, presenting the visitor with the password protected login screen.

    WordPress 6.2.2
    Password Protected: 2.6.3.1

Viewing 6 replies - 1 through 6 (of 6 total)
  • Hi @mattschofield,

    I hope you are doing well.

    Please share your staging so we can look into it and get back to you.

    Thanks and regards,
    Support Team – WPExperts

    Thread Starter Matt Schofield

    (@mattschofield)

    Sure. Try staging.ribbletrust.org.uk. You’ll see password protect is enabled. And then append /wp-login.php to the url. You’ll see the header area and its contents, and the footer area and its contents, are visible to the visitor. Also, appending /wp-login.php?any_query_you_like has the same result.

    The admin login url for that site has been renamed, hidden from login attempts by bots and randoms. Without a redirect on /wp-login.php or wp-login.php?wildcard, certain contents are revealed to the visitor even with password protect enabled.

    Thanks for looking
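
The workaround described in the two posts above (a 301 on /wp-login.php, with or without a query string, back to the home URL) can be written as a must-use plugin. This is an added example, not part of the original thread and not code from the Password Protected plugin; the file name and the choice of hook are assumptions.

```php
<?php
/**
 * Plugin Name: Redirect direct wp-login.php requests (example)
 *
 * Assumed location: wp-content/mu-plugins/redirect-wp-login.php
 * Assumes the real login form is served from a renamed slug by a separate
 * plugin, so nothing legitimate needs the literal /wp-login.php URL.
 */

// Priority 0 on plugins_loaded: runs before themes and front-end output,
// and after pluggable.php has defined wp_safe_redirect().
add_action( 'plugins_loaded', function () {
    // CLI and cron runs have no request URI; do nothing there.
    $uri = isset( $_SERVER['REQUEST_URI'] ) ? (string) $_SERVER['REQUEST_URI'] : '';
    if ( '' === $uri ) {
        return;
    }

    // Compare the path only, so /wp-login.php?any_query_you_like matches too.
    // basename() also covers installs in a subdirectory (/blog/wp-login.php).
    $path = (string) wp_parse_url( $uri, PHP_URL_PATH );
    if ( 'wp-login.php' !== basename( $path ) ) {
        return;
    }

    // Send the visitor to the home URL with a 301 and drop the query string,
    // so the site's normal front-end protection handles the request.
    wp_safe_redirect( home_url( '/' ), 301 );
    exit;
}, 0 );
```

Anything in core that submits to wp-login.php is redirected as well (for example the per-post password form, `action=postpass`), so test those features after enabling it.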

    Hi @mattschofield,

    I hope you are doing well.

    Please create a ticket on our technical support channel so that we can connect you directly with our Technical team.

    Looking forward to getting your issue resolved.

    Thanks and regards,
    Support Team – WPExperts

    Thread Starter Matt Schofield

    (@mattschofield)

    Ticket submitted

    Hi @mattschofield,

    I hope you are doing well.

    Thanks, our team is looking into this.

    Thanks and regards,
    Support Team – WPExperts

    Hi. Is there a solution for this yet? When we go to our login page (which is changed using iThemes security) it actually shows the admin login form and not your password protect. And also wp-login.php works but it should not.

    Thanks

  • The topic ‘Renamed login slug behaviour’ is closed to new replies.