Security Flaw Found

Resolved DB
(@destructiveburn)

8 years, 6 months ago
First things first. I have Hide My WP PRO 3.0 and http://hidemywp.co/contact/ is broken when you submit:
This hidemywp.co page can’t be found
No webpage was found for the web address: http://hidemywp.co/contact/

Back to the issue.
I was doing a bit of digging in the Inspect element and I found out that if you type in admin you can still find Custom admin URL easy. No JS scripts have changed. If you dig hard enough you can copy the whole URL to admin-ajax.php and it will send you directly to the admin login. So adding a costume URL makes that completely pointless. So the only real protection you have is Brute Force Protection and I’m sure if someone was smart enough they can get past that. It should also have the ability to manually black IP addresses.

I RECOMMEND ADDING Google Authentication.

ATM I’m using 2FAS Light – Google Authenticator as backup.
https://wordpress.org/plugins/2fas-light/
Please fix this Flaw. I found that in 3 secs flat.

Also a lot of WP still shows. Most are gone but a lot is still left.
- This topic was modified 8 years, 6 months ago by DB.

Viewing 3 replies - 1 through 3 (of 3 total)

Plugin Author John Darrel
(@johndarrel)

8 years, 6 months ago

Hi,

Yeah, seems that the last update of the cache plugin didn’t work well with the js minify. Thank you for letting us know about this issue.

If you change and hide the admin path you will not be able to access the old admin path and you can do the same for the ajax.
In the Advanced section, you can choose to hide the old paths and you will not be able to access them anymore.
Note! All the restrictions are for visitors and not for admin user. If you want to test a path you should enter in incognito mode.

If you still find wp- paths it is because some plugins are adding them and if we remove them by default it will break your website functionality. You are free to remove all wp- if you add wp- in Advanced > Remove text by matching

Regarding Brute Force Protection we will take your request and do some upgrades to the next versions.

Best,
John

Thread Starter DB
(@destructiveburn)

8 years, 6 months ago

Ok. Yeah it would be nice to block IP addresses manually.
Actually Brute Force Protection say’s on the right:
Features
Limit the number of allowed login attempts using normal login form
Math problem verification while logging in
Manually block/unblock IP addresses
Manually whitelist trusted IP addresses
Option to inform user about remaining attempts on login page
Custom message to show to blocked users

So
It say’s Manually block/unblock IP addresses and that option is no were to be found.
Please add Two-factor authentication with an alert that someone is trying to access the admin login.

So you can’t jumble URL link paths from JS? like all the other paths? That sucks. Because Ultimate Member shows the Costume admin path and so does others.

Plugin Author John Darrel
(@johndarrel)

8 years, 6 months ago

We will check and see the features we can add for Brute Force and add them in the next versions of the plugin.

As the plugin specifies, we change the common paths of the WordPress so that the hacker bots will not be able to access them. We also change the Themes style.css because this is the first thing bots are looking for to identify the themes with flaws.

For css and js minify you can use W3 Total Cache and WP-Rocket which are good plugins and they change the css and js file names.

Best,
John

Viewing 3 replies - 1 through 3 (of 3 total)

The topic ‘Security Flaw Found’ is closed to new replies.

Tags