Hide My WP › Login Query & Admin Login Key Viewable in Source Code
This topic has 4 replies, 2 voices, and was last updated 8 years, 9 months ago by ILLUMINICE.
November 22, 2016 at 8:42 am #13010
Hello,
I purchased your plugin today and have been working diligently to understand all of its features. For the most part I’m happy with how it’s working, however, I did notice one serious flaw.
I found that if I view the source of pages on my site, the Login Query and Admin Login Key are clearly visible in the code wherever there is a URL containing wp-login.php. This is occurring on login forms and any function that requires a login. In my case, this occurs on every single page of the site.
Considering that obfuscating the WordPress login URL is a critical security feature, this is a major problem. Anyone can simply view my source code and discover the URL to access our login page. I’ve used other security plugins in the past that offer this same function (to create a custom login URL with a key), and this problem wasn’t present.
….
I’ve also noticed that my custom theme name has a “_main” after it (ex. ThemeName_main), and don’t understand why the _main has to be there.
Additionally, I had to enable the “Full Hide” feature to completely eliminate the default theme URL from some of the URLs in the source code. Enabling this feature did seem to fix the problem, though I do not understand exactly what this feature is actually doing (as it wasn’t explained anywhere in the documentation). Speaking of which, the included documentation with this plugin doesn’t cover most of the newer features (about half of the plugin). I found that to be a problem in and of itself.
….
My main concern right now is regarding the Admin Login Key being visible in the source code. This makes the feature completely useless, and is a major security threat.
~ Michael
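A self-check for the leak described in this post, added here as an example and not code from the plugin or the poster: it parses a page's rendered HTML and reports every URL attribute that still points at the default wp-login.php endpoint or that carries the rewritten login key. It assumes the Admin Login Key appears verbatim somewhere in the rewritten URL; the sample HTML and the key "abc123" are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes whose values are URLs that anyone reading the page source can see.
URL_ATTRS = ("href", "action", "src")


class _UrlCollector(HTMLParser):
    """Collects (tag, attribute, value) for every URL-bearing attribute."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self.urls.append((tag, name, value))


def find_login_leaks(html, login_key):
    """Return (tag, attr, url, reason) for each URL in the rendered HTML that
    discloses the login endpoint: either the default wp-login.php path that
    the rewrite is supposed to mask, or the rewritten URL carrying login_key.
    Assumption: login_key appears verbatim in the rewritten URL."""
    collector = _UrlCollector()
    collector.feed(html)
    leaks = []
    for tag, attr, url in collector.urls:
        path = urlparse(url).path.rstrip("/")
        if path.endswith("wp-login.php"):
            leaks.append((tag, attr, url, "wp-login.php path"))
        elif login_key in url:
            leaks.append((tag, attr, url, "login key in URL"))
    return leaks


# Constructed page fragment, not captured from a real site: a theme asset,
# a login form whose action is the rewritten URL, and a lost-password link.
SAMPLE_HTML = """
<a href="/about/">About</a>
<img src="/wp-content/themes/ThemeName_main/logo.png">
<form action="https://example.com/secret-login?key=abc123" method="post">
  <input type="text" name="log"></form>
<a href="https://example.com/wp-login.php?action=lostpassword">Lost password?</a>
"""

if __name__ == "__main__":
    for tag, attr, url, reason in find_login_leaks(SAMPLE_HTML, "abc123"):
        print(f"<{tag} {attr}> {url}  ({reason})")
```

Run it against the saved source of each page type (front page, a post, a page with a login form) after enabling the plugin; an empty result is what you want to see.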
November 23, 2016 at 4:23 am #13017
Hi, please check this FAQ – https://codecanyon.net/item/hide-my-wp-amazing-security-plugin-for-wordpress/4177158/faqs/15899
“_main” will be used for the parent theme if you have a child theme enabled.
We are working on an update and we hope to update the documentation as well in the upcoming versions.
November 23, 2016 at 7:25 am #13022
Hi Suman,
Thank you for replying to both of my posts…
I had seen this in your FAQ after writing this post. This is just something I don’t agree with fundamentally. If there is a way that URL can be hidden when viewing the source, then it should be. What’s the point of a private URL if anyone can obtain it with a view source? Of course I would understand if there was technically no way to hide this.
The _main is a little awkward, and I’d recommend finding another solution for this. I did notice another plugin similar to yours that uses random numbers for the themes instead of a custom url. Perhaps this solution makes more sense for your plugin as well. I think it would better match how you obfuscate the plugins.
~ Michael
November 23, 2016 at 5:01 pm #13031
If the page has a login form visible to the public, then what’s the point of having a secure login URL, as visitors can simply log in via the login form?
Currently there’s no option to change “_main”. We might include it in the upcoming versions of the plugin.
November 24, 2016 at 1:06 am #13036
I understand your point, but disagree for this reason…
There is an obvious difference between a custom login form and the default login form used by WordPress. If your intention is to hide the fact you’re using WP, then surely you don’t want someone seeing that default WP login page.
You’re correct that someone could technically try to log in to the admin using a custom form, but why allow anyone to access the default WP admin login page?
I’ve never felt comfortable making the WP login page public, and have gone through great efforts in the past to hide it, even using htaccess authentication on it (as a secondary layer of protection).
You and I both know that there’s no way to 100% hide the fact that you’re using WordPress, but still, why allow anyone to access the default login page if you don’t have to? I like the implementation of a URL rewrite for the login, but showing that rewrite URL in a view source does partially defeat its purpose IMO.
Anyway, that’s my take on it. By the way, I do think you have an overall great plugin here. Please don’t take my response as a complaint. This is just an answer to your question/logic.
~ Michael