-
Hi devs,
I noticed that Google bot searched for my hidden login page. I immediately changed it. 2 hours later, Google bot came for the new address. How did it learn about it?
-
Hey devs,
Are you unable to answer my questions or unwilling to?
This is the most serious security issue with your plugin: an unrelated 3rd party learns about the supposedly secret login page address, and it does so within only a couple of hours. This completely defeats the purpose of your plugin. The best course of action for you is to look into this immediately before the community loses trust in your product.
We changed the login page address again, and now Google bot and Yandex spider came for the new address, within hours. Seriously?
Today, I found records of Bing accessing the secret page.
Hi,
Thank you for your feedback. WPS Hide Login only changes the login URL to reduce automated attacks. It cannot prevent all crawlers or search engines from discovering the URL if it is exposed elsewhere (links, sitemap, etc.).
For stronger security, we recommend blocking indexing via robots.txt, and using a full security plugin.
Best regards
Your feedback is misdirected. We do not link to the login page from anywhere. We do not use site maps: they are zero byte files. It is your plugin that somehow informs the search engines of its address, as soon as we change it, because they immediately request it directly, without it being linked.
What are you referring to as “full security plugin”?
What should be put into robots.txt? Are you suggesting that we put the secret address in that file? Please be specific, as it is not clear what you imply.
Iron, do you have the same problem?
Today, we registered a direct request for the secret login page, from a random consumer ISP in Eastern Europe.
So, this issue is not isolated to search engines only, as we had initially thought. This is anything but surprising, knowing how eagerly they sell the info.
Hello,
Your issue is not related to WPS HIDE LOGIN.
By default, the WordPress administration login page contains: <meta name='robots' content='noindex, follow' />
With this, search engines never index the login page. WPS HIDE LOGIN only serves to modify the link but does not affect the page’s source code.
Let us try once again, but this time pay attention.
Your plugin renames the login page. Supposedly this is done in order to prevent unrelated 3rd parties on the Internet from easily accessing that page. So far so good.
However, those unrelated 3rd parties somehow learn of each renamed page name, in a matter of only a couple of hours since it is renamed. This defeats the purpose of your plugin.
At least determine how or why they learn of the new value. What leaks the new value to them? Without knowing that, you and your users are open to the same brute-forcing attacks as w/o your plugin.
Am I making sense?
Hello,
This is possible if the plugin isn’t up to date or if the login page isn’t the default WordPress login page and doesn’t include the usual noindex meta tag.
In your response, you don’t confirm this point.
I want to emphasize that the login page isn’t modified by the plugin, but only the permalink is generated dynamically when it’s displayed (plus a 404 error if wp-admin is accessed offline).
This could be a conflict with a plugin that re-registers an old API route (which had a security patch).
Please provide me with your site’s URL so we can investigate this behavior, which no other user has reported.
We are on your latest version as of my previous comment’s date.
You likely have/had a tiny handful of users who do not bother to reach out to you due to the push back as in this thread, so it is unsurprising that you are not aware of the issue. We simply added an htaccess rule to constrain the renamed page to the LAN and won’t bother pursuing this topic further, due to the very low probability of anyone wanting to get to the bottom of this. We do not have a need to enter into another extensive back and forth, seeing the energy you put in the push back. [Rolls eyes]
Hello,
I’m trying to understand the source of the problem, but please, understand that since the admin login pages include the “noindex” meta tag, that WPS Hide Login doesn’t modify the page template and that I can’t reproduce the issue, I have to ask you for your page’s URL so I can investigate further.
If you look at the plugin’s code, you’ll see that this behavior isn’t normally related to WPS Hide Login.
Sorry, please feel free to contact us directly if you’d like us to investigate further with the requested information.
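One way to work on the question the thread leaves open (which clients requested the renamed login URL, when they first did, and whether they sent a Referer), as an added example that is not part of the thread or of the plugin's code. The slug `/my-hidden-login/`, the IP addresses and the log lines are constructed, and the Apache/nginx "combined" log format is an assumption about the server.

```python
import re

# Constructed sample in Apache/nginx "combined" format (not real traffic).
SAMPLE_LOG = '''\
192.0.2.10 - - [01/Mar/2025:10:00:05 +0000] "GET /my-hidden-login/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/122.0"
198.51.100.7 - - [01/Mar/2025:12:03:41 +0000] "GET /my-hidden-login/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.7 - - [01/Mar/2025:12:03:42 +0000] "GET /wp-login.php HTTP/1.1" 404 310 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.7 - - [01/Mar/2025:13:10:00 +0000] "GET /my-hidden-login/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.44 - - [01/Mar/2025:15:20:10 +0000] "GET /my-hidden-login/?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 5120 "https://example.org/links.html" "Mozilla/5.0 (X11; Linux x86_64) Firefox/123.0"
'''

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def hits_on_path(log_text, secret_path):
    """Parsed requests whose path (query string ignored) equals secret_path."""
    want = secret_path.rstrip("/")
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["path"].split("?", 1)[0].rstrip("/") == want:
            hits.append(m.groupdict())
    return hits

def triage(log_text, secret_path, known_ips=()):
    """First hit per (IP, user agent) from clients not on the known list."""
    first = {}
    for h in hits_on_path(log_text, secret_path):
        if h["ip"] not in known_ips:
            first.setdefault((h["ip"], h["ua"]), h)
    return [
        {
            "ip": h["ip"],
            "first_seen": h["ts"],
            "user_agent": h["ua"],
            # A Referer names the page that linked to the URL; "-" means
            # none was sent (crawlers usually send none).
            "referer": None if h["referer"] in ("", "-") else h["referer"],
        }
        for h in first.values()
    ]

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG, "/my-hidden-login/", known_ips={"192.0.2.10"}):
        print(row)
```

The user agent is supplied by the client, so a "Googlebot" string in the output identifies what the client claimed to be, not who it was.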