wp-login.php is effectively renamed, but wp-login is still accessible

Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Author Ella

    (@ellatrix)

    wp-login.php should return a 404 page with this plugin. Is that what you mean by being accessible? Does it give you a 404? Thanks for the feedback!

    Thread Starter HerveRenault

    (@herverenault)

    Hi Janneke, I really mean wp-login without .php extension.
    It gives me a 200 with actual login form.
    Maybe that’s because my Apache is configured with MultiViews on.

    Plugin Author Ella

    (@ellatrix)

    Interesting. I could replace

    strpos( $_SERVER['REQUEST_URI'], 'wp-login.php' )

    with

    strpos( $_SERVER['REQUEST_URI'], 'wp-login' )

    Do you think that would solve your problem? Not entirely sure what MultiViews does.

    Thread Starter HerveRenault

    (@herverenault)

    Yes, it does the trick.

    With MultiViews on, when you access wp-login (without .php) Apache tries to find a “wp-login” file with any extension (could be wp-login.html, wp-login.jpg, whatever) so it ends up with wp-login.php but request URI is just “wp-login”.

    Plugin Author Ella

    (@ellatrix)

    Alright, I’ll change this for you with the next version.

    Plugin Author Ella

    (@ellatrix)

    Resolved in version 1.8.

    Thread Starter HerveRenault

    (@herverenault)

    It works. Thanks !

Viewing 7 replies - 1 through 7 (of 7 total)
  • The topic ‘wp-login.php is effectively renamed, but wp-login is still accessible’ is closed to new replies.