• Would love some feedback on this tweak that disallows general access to the login.php page. It requires that a PIN be passed to the login page. No PIN, no access, goodbye. Sick of the bad guys pounding on my websites.

    // WordPress Tweak - Stop Unauthorized Access - Keep Hackers Out
    // Author: email redacted - rev 11.30.15
    // 1) Add this snippet to the top of the WordPress wp-login.php file, right after the bootstrap line.
    // 2) Create a PIN and update the constant
    // 3) Pass the PIN thru the login URL in order to access the page: /wp-login.php?eePIN=xxxx
    // ... Otherwise you get redirected away and never see the login form. So long bad guys...
    
    // The page access PIN
    define('eePIN', 'xxxxx'); // Set to whatever your heart desires.
    
    // The Redirect URL
    define ('eeAWAY', 'https://elementengage.com/welcome-hackers/'); // Same same, but you can leave it like this.
    
    if(@$_POST['log'] OR (@$_GET['action'] == 'logout' AND check_admin_referer('log-out'))) { // Login or Logout
    	// Proceed normally
    
    } elseif(@$_GET['loggedout']) {  // Logged out	
    
    	header('Location: https://' . $_SERVER['HTTP_HOST']);
    	exit;
    
    } else {
    
    	// This PIN must be passed in order to access this page
    	$thePIN = @$_GET['eePIN'];
    	if($thePIN != eePIN) {
    		header('Location: ' . $eeAway);
    		exit;
    	}
    }
Viewing 4 replies - 1 through 4 (of 4 total)
  • Thread Starter Mitchell Bennis

    (@eemitch)

    Redirect bug fix…

    // The page access PIN
    define('eePIN', 'xxxxx'); // Set to whatever your heart desires.
    
    // The Redirect URL
    define ('eeAWAY', 'https://elementengage.com/welcome-hackers/'); // Same same, but you can leave it like this.
    
    if(@$_POST['log'] OR (@$_GET['action'] == 'logout' AND check_admin_referer('log-out'))) { // Login or Logout
    	// Proceed normally
    
    } elseif(@$_GET['loggedout']) {  // Logged out	
    
    	header('Location: https://' . $_SERVER['HTTP_HOST']);
    	exit;
    
    } else {
    
    	// This PIN must be passed in order to access this page
    	$thePIN = @$_GET['eePIN'];
    	if($thePIN != eePIN) {
    		header('Location: ' . eeAWAY);
    		exit;
    	}
    }
    Moderator bcworkz

    (@bcworkz)

    The biggest problem is you are editing core files, not the best approach. If you want to invoke such code, either hook an appropriate action or at least edit wp-config.php and check the $_SERVER request for wp-login.php before executing your PIN check.

    Your site is still “pounded”, perhaps the server load is reduced some. As long as your password is secure, this is mostly security by obscurity IMO. Of some use for those that want to use it.

    Thread Starter Mitchell Bennis

    (@eemitch)

    Agreed, the integration could be better, you have to re-add the snippet each time WP updates. For now, concept thinking…

    UPDATE – Added POST Referrer Check

    // WordPress Tweak - Stop Unauthorized Access to Keep Hackers Out
    // Author: email redacted - rev 12.15.15
    // 1) Add this snippet to the top of the WordPress wp-login.php file, right after the bootstrap line.
    // 2) Create a PIN and update the constant
    // 3) Pass the PIN thru the login URL in order to access the page: /wp-login.php?eePIN=xxxx
    // ... Otherwise you get redirected away and never see the login form. So long bad guys...
    
    // The page access PIN
    define('eePIN', 'xxxx'); // Set to whatever your heart desires.
    
    // The Redirect URL
    define ('eeAWAY', 'https://elementengage.com/welcome-hackers/'); // Same same, but you can leave it like this.
    
    if(@$_POST['log'] OR (@$_GET['action'] == 'logout' AND check_admin_referer('log-out'))) { // Login or Logout
    
    	// Check the form was submitted from here.
    	if(!strpos($_SERVER['HTTP_REFERER'], $_SERVER['HTTP_HOST'])) {
    
    		header('Location: ' . eeAWAY);
    		exit;
    	}
    
    } elseif(@$_GET['loggedout']) {  // Logged out	
    
    	header('Location: https://' . $_SERVER['HTTP_HOST']);
    	exit;
    
    } else {
    
    	// This PIN must be passed in order to access this page
    	$thePIN = @$_GET['eePIN'];
    	if($thePIN != eePIN) {
    		header('Location: ' . eeAWAY);
    		exit;
    	}
    }
    Moderator bcworkz

    (@bcworkz)

    If you hope to share your efforts with the community, your idea will not get much traction as long as it requires altering core files. Especially if similar effect can be had via a very simple plugin. Such a plugin could hook something like ‘login_init’ where the URL parameter is checked and a redirect occurs if everything is not as it should be.

    If yet another plugin rubs you the wrong way, you could at least put the relevant code where it will not get lost during an update. Something similar placed in wp-config.php will be safe from updates. The only change is the code would need to also check the request string in $_SERVER to be sure it’s for wp-login.php and not something else.
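The plugin approach bcworkz describes above (hooking `login_init` instead of editing wp-login.php), written out as an added example; this is not code from the thread or from WordPress itself. It keeps the thread's `eePIN` query parameter, but the constant names `EE_LOGIN_PIN` and `EE_LOGIN_AWAY` are assumptions, and it goes a step beyond the posted snippet in two ways: the PIN is compared with `hash_equals` rather than a loose `!=`, and the same PIN is required on the login POST (carried in a hidden form field) instead of trusting the client-supplied Referer header, which browsers and bots can omit or set freely. The hook names `login_init`, `login_form`, `lostpassword_form` and `resetpass_form` are real WordPress actions.

```php
<?php
/**
 * Plugin Name: Login PIN Gate (example)
 * Description: Blocks wp-login.php unless the request carries the expected PIN.
 */

// Assumed constant names. Define EE_LOGIN_PIN in wp-config.php so the secret
// does not live in the plugin file; the value here is only a placeholder.
if (!defined('EE_LOGIN_PIN')) {
    define('EE_LOGIN_PIN', 'change-me');
}
// Where gated requests are sent. Defaults to the site front page.
if (!defined('EE_LOGIN_AWAY')) {
    define('EE_LOGIN_AWAY', home_url('/'));
}

/**
 * True when the request (GET or POST) carries the right PIN.
 * Rejects non-strings (?eePIN[]=x) and compares in constant time, so
 * neither PHP's loose == rules nor timing differences leak anything.
 */
function ee_login_pin_supplied() {
    $pin = isset($_REQUEST['eePIN']) ? $_REQUEST['eePIN'] : '';
    return is_string($pin) && hash_equals(EE_LOGIN_PIN, $pin);
}

/**
 * Runs on login_init, before wp-login.php renders or handles any action.
 * Logout and the post-logout notice pass through (WordPress verifies the
 * logout nonce itself); everything else, including login POSTs, lost-password
 * and reset-password requests, needs the PIN.
 */
function ee_login_gate() {
    $action = isset($_REQUEST['action']) ? $_REQUEST['action'] : 'login';
    if ($action === 'logout' || isset($_GET['loggedout'])) {
        return;
    }
    if (ee_login_pin_supplied()) {
        return;
    }
    wp_redirect(EE_LOGIN_AWAY, 302);
    exit;
}
add_action('login_init', 'ee_login_gate');

/**
 * Carries the PIN into the login form as a hidden field, so the POST that
 * submits credentials also passes the gate. The field is only emitted to a
 * visitor who already supplied the correct PIN to reach the form.
 */
function ee_login_pin_field() {
    if (ee_login_pin_supplied()) {
        echo '<input type="hidden" name="eePIN" value="' . esc_attr(EE_LOGIN_PIN) . '">';
    }
}
add_action('login_form', 'ee_login_pin_field');
add_action('lostpassword_form', 'ee_login_pin_field');
add_action('resetpass_form', 'ee_login_pin_field');
```

Save it as a file under wp-content/plugins/ and activate it; nothing in wp-login.php is touched, so updates leave it in place. Two consequences to plan for: password-reset links e-mailed to users point at wp-login.php?action=rp without the PIN, so they are blocked until the PIN is appended, and the admin "session expired" modal (interim login) is gated the same way. The wp-config.php variant bcworkz mentions would run before WordPress functions exist, so it would have to test `$_SERVER['SCRIPT_NAME']` for a trailing wp-login.php and redirect with a plain `header()` call instead of `wp_redirect()`.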

  • The topic ‘WP-Login Tweak to Stop Unauthorized Access and Keep Hackers Out’ is closed to new replies.