• Resolved livingflame

    (@livingflame)


    Secret Url revealed after Max Login Attempts

    For example: https://www.yoursite.com/yourcustom wp login: monkey

    When a user fails, this secret URL is revealed. I think that it is a problem :/

    So please, configure your plugin to NOT show this secret login url.

    Another thing, this message is very short:

    ERROR: Access from your IP address has been blocked for security reasons. Please contact the administrator.

    Maybe:

    ERROR: Access from your IP address has been blocked during 30 minutes for security reasons. Please contact the administrator to: [email protected]

    (Here the Admin can put whatever email that he or she wants. Login Options / Email… you know)

    • This topic was modified 8 years, 2 months ago by livingflame.
  • Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi, I understand what you mean however that is how the plugin currently works.

    In situations like this when using one of the Brute Force features like rename the login page, I would suggest people to install a membership plugin to manage the members.

    In regards to your request about expanding on the error message, the plugin developers will investigate your request further.

    Regards

    Thread Starter livingflame

    (@livingflame)

    Hi, @mbrsolution
    The big problem is revealing the secret or custom url.
    Please, fix that!

    Plugin Contributor mbrsolution

    (@mbrsolution)

    I am not sure if this can be changed. However, the plugin developers will investigate your request further.

    Thank you

    Plugin Contributor wpsolutions

    (@wpsolutions)

    Hi @livingflame,
    Can you please provide more info regarding your issue?

    Where exactly is the secret URL being revealed?
    If a person is trying to log in, don’t they already know the secret login page otherwise how are they trying to log in anyway?

    • This reply was modified 8 years, 2 months ago by wpsolutions.
    Thread Starter livingflame

    (@livingflame)

    Hi!
    My friend, you know, the plugin has the option to change: /wp-login for: /yourcustomlogin, but when login attempts fail, after 10 attempts, or whatever, your custom login is revealed! Please, check that.

    A solution: encrypting /yourcustomlogin for: /000889 for example. Or: a pseudo customlogin

    The thing is that your custom login name needs to be SECRET!

    Thread Starter livingflame

    (@livingflame)

    Another thing… /wp-admin needs Custom login too. If you can… add this option in the next update.

    Plugin Contributor wpsolutions

    (@wpsolutions)

    Hi,
    You appear to be referring to the “rename login” feature. This feature on its own does not have a limit on login attempts.

    You still haven’t explained where the hidden login page link is revealed. Which page and what steps do I need to do to reproduce this?

    • This reply was modified 8 years, 2 months ago by wpsolutions.
    Thread Starter livingflame

    (@livingflame)

    My friend, when your max login attempts finish (f. ex. 5 attempts, etc.), you are redirected to: yoursite.com/yourcustomloginname

    PLEASE, TRY or CHECK!

    • This reply was modified 8 years, 2 months ago by livingflame.
    Thread Starter livingflame

    (@livingflame)

    @wpsolutions

    A Solution.

    Well, I unchecked > Enable Rename Login Page Feature, in Brute Force options.

    And, I used this code in .htaccess.

    RewriteRule ^your-custom-login-name$ https://your-domain.com/wp-login.php [NC,L,R]

    With this code, your custom login name is not revealed when your login attempts fail.

    So, please, Update this Option.

    Thread Starter livingflame

    (@livingflame)

    @azunyann
    @wpsolutions

    RewriteRule ^your-custom-login-name$ https://your-domain.com/wp-login.php [NC,L,R]

    Unfortunately, this rule is not useful.

    If someone posts: /wp-login.php in the address bar,
    the access window is automatically displayed.

    The solution:

    That you update the Plugin so that it does NOT show the custom url (brute force / rename login page), after failed login attempts.

    Thread Starter livingflame

    (@livingflame)

    @mbrsolution

    Help with that! It is for Security!

    Thread Starter livingflame

    (@livingflame)

    @wpsolutions

    Remember this topic! The secret name to protect wp-login is revealed after attempts.

    For example, if your secret login name is: https://www.yoursite.com/BlackCat

    I. e. if you config. the plugin for max 5 attempts, the user is redirected to:

    https://www.yoursite.com/BlackCat (Ouchhh! your secret wp-login name is revealed)

    ERROR: Access from your IP address has blocked…

    So, please, check that!

    And with WordFence also. I'm using All In One … and WordFence. But, you can use Login Protection of both plugins! This creates a conflict; for this reason I'm using WF login attempts and changing the wp-login with All In O. But it does not work, the Secret Login is Revealed!

    And. Forget my Passw also. Here the Secret Login Name is Revealed.

    • This reply was modified 8 years, 1 month ago by livingflame.
    Plugin Contributor wpsolutions

    (@wpsolutions)

    This is not a bug.
    The person trying to log in already knows the secret login page otherwise he would not be in a position of trying to log in.
    Am I missing something here?

    Thread Starter livingflame

    (@livingflame)

    Dude, you do not seem to understand me.
    If you are Subscribed to a WP page, this page has a basic Login Form in Menu (sometimes called MY ACCOUNT. NOT directly > https://www.yourpage.com/wp-login.php). For example this page (working with BuddyPress): seventhqueen.com/demo/sweetdatewp *

    Then, when you fail for example 3 login attempts (using AIOWSF or WordFence), you are redirected to:

    www.yourpage.com/YOUR-SECRET-LOGIN-NAME

    And you receive this message:

    ERROR: Access from your IP address has been blocked for security reasons. Please contact the administrator.

    And it is here when your secret name is revealed. Then, PLEASE, Check it yourself. @wpsolutions

    ——————————————-
    * And for this same page, your Login Captcha does not work. Yes, I have this Theme. seventhqueen.com/demo/sweetdatewp

    • This reply was modified 8 years, 1 month ago by livingflame.
    Thread Starter livingflame

    (@livingflame)

    Another thing, You do not need to be a Subscriber… Just see the LOGIN button and try to login with any username that you see on the page. You enter a fake passwd, and after some failed attempts, you are redirected to:
    yourpage.com/your-secret-login-word
    ERROR: Access from your IP address has been blocked…

    PLEASE, Check it yourself.

    And this problem is also related to the other ===::: Username Exposed

    @wpsolutions
    @mbrsolution
    @chesio

    • This reply was modified 8 years, 1 month ago by livingflame.
  • The topic ‘Secret Url revealed after Max Login Attempts’ is closed to new replies.
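
The behaviour reported in this thread (a visitor who never knew the renamed login slug is sent to it once the lockout triggers on a front-end login form) can be checked for by a site owner with a small regression test. The following is an added example, not code from the plugin or from any poster; the `/my-account/` path, the query strings and the recorded responses are constructed, and matching the slug case-insensitively is an assumption.

```python
from urllib.parse import urljoin, urlsplit

SITE = "https://www.yoursite.com"
SECRET_SLUG = "BlackCat"  # renamed login slug, as in the thread's example

# Constructed sample exchanges (not captured from a real site): the response
# a visitor received after submitting a front-end login form.
EXCHANGES = [
    # failed attempt, sent back to the front-end form: nothing disclosed
    {"request": "/my-account/", "status": 302,
     "headers": {"Location": "/my-account/?login=failed"}, "body": ""},
    # lockout reached: redirected to the renamed login page (the reported leak)
    {"request": "/my-account/", "status": 302,
     "headers": {"location": "https://www.yoursite.com/blackcat/?redirect_to=%2F"},
     "body": ""},
    # slug exposed as a link in a page body (e.g. a lost-password page)
    {"request": "/my-account/", "status": 200, "headers": {},
     "body": '<a href="https://www.yoursite.com/BlackCat">Log in</a>'},
    # visitor was already on the renamed page: nothing new is disclosed
    {"request": "/BlackCat", "status": 302,
     "headers": {"Location": "/BlackCat?blocked=1"}, "body": ""},
]

def _path_has_slug(url, slug):
    """True if the first path segment of url equals the slug (case-insensitive)."""
    first = urlsplit(url).path.strip("/").split("/")[0]
    return first.lower() == slug.lower()

def find_slug_disclosures(exchanges, slug, site=SITE):
    """Return (index, kind, detail) for responses that reveal the slug
    to a requester who did not already use it."""
    findings = []
    for i, ex in enumerate(exchanges):
        request_url = urljoin(site, ex["request"])
        if _path_has_slug(request_url, slug):
            continue  # requester already knew the renamed URL
        headers = {k.lower(): v for k, v in ex["headers"].items()}
        location = headers.get("location")
        # Resolve relative redirects against the request URL before comparing.
        if location and _path_has_slug(urljoin(request_url, location), slug):
            findings.append((i, "redirect", location))
        elif "/" + slug.lower() in ex["body"].lower():
            findings.append((i, "body", ex["request"]))
    return findings
```

An empty result from `find_slug_disclosures` over recorded lockout and lost-password responses means the renamed URL was only ever returned to requests that already used it.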