[wp-trac] [WordPress Trac] #24673: provide mainline supported rename of wp-login
WordPress Trac
noreply at wordpress.org
Tue Apr 1 06:28:37 UTC 2014
#24673: provide mainline supported rename of wp-login
--------------------------+-----------------------
 Reporter:  jorhett       |      Owner:
     Type:  defect (bug)  |     Status:  reopened
 Priority:  normal        |  Milestone:
Component:  Security      |    Version:  3.5.2
 Severity:  critical      | Resolution:
 Keywords:  close         |    Focuses:
--------------------------+-----------------------
Comment (by avryl):
1. I made this plugin primarily because I wanted a custom login URL and,
secondly, because one small hosting company in Belgium decided to block
wp-login.php with a Captcha (I'm sure there are others). I have zero
experience with security, and the reasons I made this plugin have more to
do with aesthetics than security.
2. While this plugin *should* make it impossible to get to the login page
without "a second password" (because that's what it really is, however
simple it may be), there are some other APIs that could be attacked instead,
such as xmlrpc.php. Renaming things like that would just cripple your
WordPress install. And if you don't need it, you can simply turn it off as an
administrator. As nacin said, a lot more public APIs are going to be
introduced.
3. Giving the user the option to rename wp-login.php without an easy
option to reset it is a bad idea and leads to a bad user experience. You
don't want people locked out of their website and make them dig in a MySQL
database.
4. What's bothering you most about these attacks? Losing server
resources/bandwidth? Or security?
--
Ticket URL: <https://core.trac.wordpress.org/ticket/24673#comment:22>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform