congma

Thank you for the fix!

-Cong.

Temporarily using the “Lockdown WP Admin” plugin to block unauthenticated access to the admin page altogether.

Hi Jesse,

A new leak found. When an unauthenticated user (presumably malicious attacker) tries to access /wp-admin, he will be redirected to the authentication page /wp-login.php?stealth_q=stealth_a&redirect_to=[wp-admin]&reauth=1 (here stealth_q and stealth_a are again the stealth question and answer, and the bracketed part is actually the percent-encoded full url of the admin page).

Any suggestions about preventing this kind of leak?

Thanks,

Cong.

Thanks for your info Jesse. Now I temporarly worked around this with mod_rewrite kludging. Still hope for a clean solution though.