Login url revealed after trying to access wp-login.php

This topic is: not resolved
  • #5074
    Ar
    Active
    Post count: 12

    I have a few licenses and something weird is happening

    Someone is using some scripts to try to hack my site, and after trying to get access through wp-login.php they get redirected to the homepage (we configured that setting), but in the browser the “hidden” url instantly gets revealed!!

    http://ourwebsite.com/?by_user=64.26.250.443&ref_url=%2Fwp-login.php&isercretlogin=doublecheck827

    #5075
    Ar
    Active
    Post count: 12

    As the attacks are ongoing now, we need support ASAP please

    #5076
    Ar
    Active
    Post count: 12

    The hacker only has to change the “&” to “?” in the url and they can access the login form

    #5077
    Ar
    Active
    Post count: 12

    As I see, other users are also mentioning this:

    in forum Hide My WP

    DuncanMac
    Member
    OK – here is the situation:
    Hide Login Page checked
    Login Query set
    Admin Login Key set
    All are set correctly.

    try wp-login.php without the query params – get 404 page (this is goodness)
    However, the TITLE of the 404 page contains all the query information needed (this is SEVERE BADNESS). Also, when you hover over the tab in the browser, the title is displayed, showing the query params.

    This is not good for security – the title should not contain the query params.

    #5079
    Ar
    Active
    Post count: 12

    After looking everywhere for a solution I found a fix, for anyone who is under attack, reading this, and (like me) has no time to wait for support to wake up:

    1) Install the 404 page plugin (safe link): this plugin.

    2) After that assign this to a specific page you want as a 404 page by visiting settings-> 404 page

    Hit save (even when the page is showing there!)

    3) Go to HMWP settings and set 404 page to the “Use default 404 page from theme” option. (Don't change wp-login.php now, first hit save)

    Hit save

    4) IMPORTANT: after steps 1, 2 and 3 you can (must) now rename the wp-login.php in HMWP settings (in order for HMWP to rewrite the htaccess rules)

    Hit save

    5) Test your site http://www.siteadress.com/wp-login.php and check if this gets redirected the right way. Check that the query params are not sent now, so the “hidden” login stays “hidden”.

    @HMWP support: recreate the custom 404 page function like the handler of the 404 plugin does and this is solved.

    This also seems to solve conflicts with the iThemes Security plugin, which also works perfectly now

    • This reply was modified 9 years, 3 months ago by Ar.
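
The check in step 5 can be automated. The following is an added example, not part of the thread and not the plugin's code: it scans the responses returned for a keyless /wp-login.php request and reports where the login query or key appears (redirect target, page title, or body). The function name and the sample responses are constructed; the query name and key are the ones from the URL in the first post, and the host and IP are placeholders.

```python
import re
from urllib.parse import unquote

TITLE_RE = re.compile(r"<title[^>]*>(.*?)</title>", re.I | re.S)

def find_login_key_leaks(hops, login_query, login_key):
    """hops: [(status, headers, body), ...] for the redirect chain obtained by
    requesting /wp-login.php WITHOUT the secret. Returns [(hop_index, where)]."""
    needles = [login_query.lower(), login_key.lower()]

    def leaks(text):
        # Percent-decode first so encoded copies of the secret are also caught.
        decoded = unquote(text or "").lower()
        return any(n in decoded for n in needles)

    findings = []
    for i, (_status, headers, body) in enumerate(hops):
        location = next((v for k, v in headers.items() if k.lower() == "location"), "")
        if leaks(location):                      # secret appended to the redirect URL
            findings.append((i, "location"))
        if any(leaks(t) for t in TITLE_RE.findall(body)):
            findings.append((i, "title"))        # secret echoed into the 404 <title>
        if leaks(TITLE_RE.sub("", body)):        # anywhere else in the markup
            findings.append((i, "body"))
    return findings

# Constructed sample responses (host and IP are placeholders).
QUERY, KEY = "isercretlogin", "doublecheck827"
LEAKY_REDIRECT = [
    (302, {"Location": "http://site.example/?by_user=203.0.113.7"
                       "&ref_url=%2Fwp-login.php&isercretlogin=doublecheck827"}, ""),
    (200, {}, "<html><head><title>Home</title></head><body>Welcome</body></html>"),
]
LEAKY_TITLE = [
    (404, {}, "<html><head><title>Not found ?isercretlogin=doublecheck827</title>"
              "</head><body>Not found</body></html>"),
]
FIXED = [
    (404, {}, "<html><head><title>Page not found</title></head>"
              "<body>Not found</body></html>"),
]

if __name__ == "__main__":
    for name, hops in [("redirect", LEAKY_REDIRECT), ("title", LEAKY_TITLE), ("fixed", FIXED)]:
        print(name, find_login_key_leaks(hops, QUERY, KEY))
```

To run it against your own site, record each response for the keyless request without following redirects automatically, and pass them in order.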
    #5098
    Suman M.
    Post count: 12478

    Hi Ar, good to know that you have managed to solve it. We’ll look into 404 page plugin too. I would like to know, does your theme have 404.php file?
