Wp-login.php is still accessible on Nginx Server

  • Resolved powersurge

    (@powersurge)


    4 years, 8 months ago

    Hi, I have purchased the Pro version and installed it on my WordPress site running in Nginx and have ‘Block default wp-login.php’ and ‘Use mere rewrite for Block Default’ both set to yes, but when I logout and try to access the site at mydomain.com/wp-login.php, I am prompted with the login screen. Here is my nginx.conf:

    # For more information on configuration, see:
    # * Official English Documentation: https://nginx.org/en/docs/
    # * Official Russian Documentation: https://nginx.org/ru/docs/

    user nginx;
    worker_processes auto;
    error_log /var/log/nginx/error.log;
    pid /run/nginx.pid;

    # Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
    include /usr/share/nginx/modules/*.conf;

    events {
    worker_connections 1024;
    }

    http {
    log_format main ‘$remote_addr – $remote_user [$time_local] “$request” ‘
    ‘$status $body_bytes_sent “$http_referer” ‘
    ‘”$http_user_agent” “$http_x_forwarded_for”‘;

    access_log /var/log/nginx/access.log main;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # set client body size to 2M #
    client_max_body_size 512M;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See https://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;

    server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    root /usr/share/nginx/html;

    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;

    location / {
    }

    error_page 404 /404.html;
    location = /40x.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
    }

    # Settings for a TLS enabled server.
    #
    # server {
    # listen 443 ssl http2 default_server;
    # listen [::]:443 ssl http2 default_server;
    # server_name _;
    # root /usr/share/nginx/html;
    #
    # ssl_certificate “/etc/pki/nginx/server.crt”;
    # ssl_certificate_key “/etc/pki/nginx/private/server.key”;
    # ssl_session_cache shared:SSL:1m;
    # ssl_session_timeout 10m;
    # ssl_ciphers HIGH:!aNULL:!MD5;
    # ssl_prefer_server_ciphers on;
    #
    # # Load configuration files for the default server block.
    # include /etc/nginx/default.d/*.conf;
    #
    # location / {
    # }
    #
    # error_page 404 /404.html;
    # location = /40x.html {
    # }
    #
    # error_page 500 502 503 504 /50x.html;
    # location = /50x.html {
    # }
    # }

    server_names_hash_bucket_size 128;
    server {
    server_name mydomain.com https://www.mydomain.com;
    listen X.X.X.X;
    root /home/mydomain/public_html;
    index index.html index.htm index.php;
    access_log /var/log/virtualmin/mydomain.com_access_log;
    error_log /var/log/virtualmin/mydomain.com_error_log;
    fastcgi_param GATEWAY_INTERFACE CGI/1.1;
    fastcgi_param SERVER_SOFTWARE nginx;
    fastcgi_param QUERY_STRING $query_string;
    fastcgi_param REQUEST_METHOD $request_method;
    fastcgi_param CONTENT_TYPE $content_type;
    fastcgi_param CONTENT_LENGTH $content_length;
    fastcgi_param SCRIPT_FILENAME /home/mydomain/public_html$fastcgi_script_name;
    fastcgi_param SCRIPT_NAME $fastcgi_script_name;
    fastcgi_param REQUEST_URI $request_uri;
    fastcgi_param DOCUMENT_URI $document_uri;
    fastcgi_param DOCUMENT_ROOT /home/mydomain/public_html;
    fastcgi_param SERVER_PROTOCOL $server_protocol;
    fastcgi_param REMOTE_ADDR $remote_addr;
    fastcgi_param REMOTE_PORT $remote_port;
    fastcgi_param SERVER_ADDR $server_addr;
    fastcgi_param SERVER_PORT $server_port;
    fastcgi_param SERVER_NAME $server_name;
    fastcgi_param HTTPS $https;
    location ~ \.php$ {
    try_files $uri =404;
    fastcgi_pass localhost:8000;
    }
    location / {
    try_files $uri $uri/ /index.php?$args;
    }
    listen X.X.X.X:443 default_server ssl;
    ssl_certificate /home/mydomain/ssl.combined;
    ssl_certificate_key /home/mydomain/ssl.key;
    rewrite ^/c945b634b0f6d9feed0010b354f4fd14/rewrite_test /wp-content/plugins/wp-hide-security-enhancer-pro/include/rewrite-confirm.php last;
    rewrite ^/6w56tlw9ba2tqi1p.php(.*) /wp-login.php$1 last;
    rewrite_log off;
    rewrite ^/wp-login.php(.+) /index.php?wph-throw-404 last;
    rewrite ^/6w56tlw9ba2tqi1p/$ /wp-admin/index.php last;
    rewrite ^/6w56tlw9ba2tqi1p(.*) /wp-admin$1 last;
    rewrite ^/wp-admin(.+) /index.php?wph-throw-404 last;
    }
    }

Viewing 8 replies - 1 through 8 (of 8 total)
  • Plugin Contributor Maya

    (@tdgu)

    Hi,
    For fast support for the PRO, please always use the contact form on plugin website.

    Can you try to relocate the custom wp-hide rewwrite lines above the location / section. For more details please check with the following article https://www.wp-hide.com/documentation/setup-the-plugin-for-nginx/

    Thanks

    Thread Starter powersurge

    (@powersurge)

    I’m not sure if the contact form is working because I sent a message on there first and wasn’t given any indication of whether it had gone through. I moved the rewrite lines above the location / section and that did the trick so I guess I won’t be entering the rewrite lines trough Virtualmin anymore. I have one last question… Before installing this plugin, I was able to get to the login screen with https://mydomain.com/wp-admin. After installing this plugin, when I try to access https://mydomain.com/new-admin, it redirects to wp-admin and I get a 404 error. Am I missing something? Thank you for your help!

    Thread Starter powersurge

    (@powersurge)

    I should mention that it does redirect properly when the URL ends with a forward slash. So https://mydomain.com/new-admin/ will show the login screen, but https://mydomain.com/new-admin will get a 404 error.

    Plugin Contributor Maya

    (@tdgu)

    That’s weird, we didn’t receive any support request through contact with that topic, can you try again, please?

    Can you send the full list of rewrites the plugin generates?

    Thanks

    Thread Starter powersurge

    (@powersurge)

    I just tried sending a message through the contact form right now and when I click on the submit button, I am taken to the same form with all of the fields still filled in, but no message is shown telling whether the form was successfully submitted.

    Anyway, here is the rewrite list. Thank you for your help!

    # BEGIN WP Hide & Security Enhancer
    rewrite ^/c945b634b0f6d9feed0010b354f4fd14/rewrite_test /wp-content/plugins/wp-hide-security-enhancer-pro/include/rewrite-confirm.php last;
    # END WP Hide & Security Enhancer
    # BEGIN WP Hide & Security Enhancer
    rewrite ^/6w56tlw9ba2tqi1p.php(.*) /wp-login.php$1 last;
    rewrite ^/wp-login.php(.+) /index.php?wph-throw-404 last;
    rewrite ^/6w56tlw9ba2tqi1p/$ /wp-admin/index.php last;
    rewrite ^/6w56tlw9ba2tqi1p(.*) /wp-admin$1 last;
    rewrite ^/wp-admin(.+) /index.php?wph-throw-404 last;
    # END WP Hide & Security Enhancer

    Plugin Contributor Maya

    (@tdgu)

    I still don’t understand why the contact form does not work for you, can you send directly to [email protected]?

    Did you tried the option Use mere rewrite for Block Default within the same tab where customised the wp-login

    Thanks

    Thread Starter powersurge

    (@powersurge)

    Ok, I will try to send an email to that address right now.

    Yes, I tried it with that option enabled and disabled and it made no difference.

    Thread Starter powersurge

    (@powersurge)

    Adding the following line to the rewrite list solved the problem:

    rewrite ^/6w56tlw9ba2tqi1p$ /wp-admin/index.php last;

    So the rewrite list should look like the following:

    # BEGIN WP Hide & Security Enhancer
    rewrite ^/c945b634b0f6d9feed0010b354f4fd14/rewrite_test /wp-content/plugins/wp-hide-security-enhancer-pro/include/rewrite-confirm.php last;
    # END WP Hide & Security Enhancer
    # BEGIN WP Hide & Security Enhancer
    rewrite ^/new-login.php(.*) /wp-login.php$1 last;
    rewrite ^/wp-login.php(.+) /index.php?wph-throw-404 last;
    rewrite ^/new-admin$ /wp-admin/index.php last;
    rewrite ^/new-admin/$ /wp-admin/index.php last;
    rewrite ^/new-admin(.*) /wp-admin$1 last;
    rewrite ^/wp-admin(.+) /index.php?wph-throw-404 last;
    # END WP Hide & Security Enhancer

    • This reply was modified 4 years, 7 months ago by powersurge.
Viewing 8 replies - 1 through 8 (of 8 total)
  • The topic ‘Wp-login.php is still accessible on Nginx Server’ is closed to new replies.