[wp-hackers] Could this be done via plugin?

Patrick Laverty patrick_laverty at brown.edu
Mon Oct 31 17:20:11 UTC 2011


Thanks Claude.

One thing I don't want is a redirect.  I saw the WPScan tool in action
today and one thing that it looks for is wp-login.php.  So my thought
was to change the name of that file.  If something on the server
simply redirects to bananas.php, then that defeats the purpose.

Currently I have a multi-user/multi-blog install that hundreds of
people use, but only I use the wp-login.php.  So I would be fine with
making that login page completely obscure.

Thanks for a response!

Patrick

On Mon, Oct 31, 2011 at 1:12 PM, Claude Needham <gxxaxx at gmail.com> wrote:
> Patrick,
>
> Forgive my hacker-ish method of replying to your question.
> I am mucho new to the wp core. But I am capable of running a few experiments.
>
> auth_redirect() is the main function that handles the stuff you want
> to deal with.
> It checks authentication then redirects to the login if necessary.
>
> This function is found in wp-includes/pluggable.php
>
> This is a pluggable function. I put together a fast plugin and found
> that I could easily redirect to bananas.php.
>
> What ramifications would this have?
> How does this relate to the setup process?
> What kind of admin page would be required to manage the name of the
> wp-login.php?
> What goes on during (after) wp upgrade?
>
> Proving that "something" is possible is easy. Finding an elegant and
> well thought out solution that anticipates the multitude of issues
> that could come from this is not so easy. Hats off to the guys and
> gals that code at that level.
>
> If you want to hack a quirky solution together for your own website
> that might work okay. You'll have to tweak it after each wp upgrade.
> (copying the new wp-login.php into bananas.php, and checking code in
> auth_redirect to make sure your plugin is up to date.)
>
> If you want a plugin that can be added to the repository, I think
> you'd have quite a bit of work ahead of you.
>
> However, I did notice that the function wp_login_url has a filter.
> Maybe life will turn out to be as simple as writing a filter into the
> theme. But then again, you have the same admin issues to deal with
> when a wp upgrade comes along.
>
> Regards,
> Claude Needham
>
>
> On Mon, Oct 31, 2011 at 6:53 AM, Patrick Laverty
> <patrick_laverty at brown.edu> wrote:
>> If your WP install uses authentication other than the wp-login page,
>> I'd love to be able to hide the wp-login.php file.  I've tried
>> renaming it but it seems that the core code requires that name for the
>> admin login to still work.  I don't want to hack code, so the first
>> thought is to create a plugin that would let me change wp-login to
>> "bananas.php" or something.  Especially after seeing a 3 minute demo
>> of WPScan, I'd love to make it harder for anyone to scan my
>> installation and possibly get the admin account.  My thought is if
>> they don't find wp-login.php, they'll get bored quickly and go on to
>> one of the other millions of installs that have it.
>>
>> It just seemed that the filename wp-login.php was so interwoven in
>> core code that there was no easy way to change the filename.
>>
>> If it can't be done by a plugin, is this something the core team would
>> consider making into a variable and letting the admin set the name of
>> the login page?
>>
>> Thanks.
>> _______________________________________________
>> wp-hackers mailing list
>> wp-hackers at lists.automattic.com
>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>>
>
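
The filter approach raised in the thread, as an added example (not code from either poster or from WordPress core): a small plugin that rewrites generated login URLs to a renamed copy of wp-login.php and answers direct requests for the original name with a 404 rather than a redirect. The name bananas.php is the thread's placeholder; the `example_*` function names, the `EXAMPLE_LOGIN_FILE` constant, and the assumption that bananas.php is a copy of wp-login.php in the WordPress root are hypothetical.

```php
<?php
/*
Plugin Name: Renamed Login File (added example)
*/

// Assumption: bananas.php (the thread's placeholder name) is a copy of
// wp-login.php sitting beside it in the WordPress root.
define( 'EXAMPLE_LOGIN_FILE', 'bananas.php' );

// Replace the wp-login.php path segment in a URL, keeping any query string.
// Matches both absolute URLs and the relative 'wp-login.php?...' form.
function example_swap_login_file( $url ) {
    return preg_replace(
        '~(^|/)wp-login\.php(?=$|[?#])~',
        '${1}' . EXAMPLE_LOGIN_FILE,
        $url,
        1
    );
}

// site_url / network_site_url cover the links and form actions core builds
// from those helpers; login_url is the wp_login_url() filter mentioned in the
// thread (auth_redirect() gets its target from wp_login_url()); wp_redirect
// catches redirects the login script issues back to itself.
foreach ( array( 'site_url', 'network_site_url', 'login_url', 'logout_url', 'lostpassword_url', 'wp_redirect' ) as $example_hook ) {
    add_filter( $example_hook, 'example_swap_login_file' );
}

// An upgrade restores wp-login.php, so refuse direct requests to it with a
// plain 404 (no redirect that would reveal the renamed file).
function example_block_original_login() {
    $script = isset( $_SERVER['SCRIPT_NAME'] ) ? basename( $_SERVER['SCRIPT_NAME'] ) : '';
    if ( 'wp-login.php' === $script ) {
        status_header( 404 );
        nocache_headers();
        exit;
    }
}
add_action( 'init', 'example_block_original_login' );
```

The renamed copy still has to be refreshed from the new wp-login.php after each core upgrade, as the thread notes.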

