[wp-hackers] Could this be done via plugin?

Claude Needham gxxaxx at gmail.com
Mon Oct 31 17:12:47 UTC 2011


Patrick,

Forgive my hacker-ish method of replying to your question.
I am mucho new to the wp core. But I am capable of running a few experiments.

auth_redirect() is the main function that handles the stuff you want
to deal with.
It checks authentication then redirects to the login if necessary.

This function is found in wp-includes/pluggable.php

This is a pluggable function. I put together a fast plugin and found
that I could easily redirect to bananas.php.

What ramifications would this have?
How does this relate to the setup process?
What kind of admin page would be required to manage the name of the
wp-login.php?
What goes on during (after) wp upgrade?

Proving that "something" is possible is easy. Finding an elegant and
well-thought-out solution that anticipates the multitude of issues
that could come from this is not so easy. Hats off to the guys and
gals that code at that level.

If you want to hack a quirky solution together for your own website,
that might work okay. You'll have to tweak it after each wp upgrade
(copying the new wp-login.php into bananas.php, and checking code in
auth_redirect to make sure your plugin is up to date).

If you want a plugin that can be added to the repository, I think
you'd have quite a bit of work ahead of you.

However, I did notice that the function wp_login_url has a filter.
Maybe life will turn out to be as simple as writing a filter into the
theme. But then again, you have the same admin issues to deal with
when a wp upgrade comes along.

Regards,
Claude Needham


On Mon, Oct 31, 2011 at 6:53 AM, Patrick Laverty
<patrick_laverty at brown.edu> wrote:
> If your WP install uses authentication other than the wp-login page,
> I'd love to be able to hide the wp-login.php file.  I've tried
> renaming it but it seems that the core code requires that name for the
> admin login to still work.  I don't want to hack code, so the first
> thought is to create a plugin that would let me change wp-login to
> "bananas.php" or something.  Especially after seeing a 3 minute demo
> of WPScan, I'd love to make it harder for anyone to scan my
> installation and possibly get the admin account.  My thought is if
> they don't find wp-login.php, they'll get bored quickly and go on to
> one of the other millions of installs that have it.
>
> It just seemed that the filename wp-login.php was so interwoven in
> core code that there was no easy way to change the filename.
>
> If it can't be done by a plugin, is this something the core team would
> consider making into a variable and letting the admin set the name of
> the login page?
>
> Thanks.
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>
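
The filter route mentioned in the reply, as an added example (not code from either poster or from WordPress itself): a small plugin that rewrites every login-related URL WordPress generates. It assumes bananas.php is a copy of wp-login.php in the WordPress root, as the reply describes; the constant and function names are made up for the illustration.

```php
<?php
/*
Plugin Name: Login File Rename (added example)
Description: Points WordPress-generated login URLs at a renamed copy of wp-login.php.
*/

// Assumption: bananas.php is a copy of wp-login.php in the WordPress root
// and must be re-copied after each core upgrade. Hypothetical constant name.
define( 'EXAMPLE_LOGIN_FILE', 'bananas.php' );

// Replace wp-login.php only where it is the file part of the URL
// (start of a relative URL or after a slash, followed by end, "?" or "#").
// A wp-login.php inside an encoded redirect_to value is left alone.
function example_swap_login_file( $url ) {
    return preg_replace(
        '~(^|/)wp-login\.php(?=$|[?#])~',
        '${1}' . EXAMPLE_LOGIN_FILE,
        $url
    );
}

// wp_login_url() applies 'login_url'; auth_redirect() builds its redirect
// with wp_login_url(), so the pluggable function need not be replaced.
add_filter( 'login_url', 'example_swap_login_file' );

// Logout and lost-password links have their own filters.
add_filter( 'logout_url', 'example_swap_login_file' );
add_filter( 'lostpassword_url', 'example_swap_login_file' );

// The forms inside the login page post to site_url( 'wp-login.php', ... ),
// so the renamed copy would otherwise submit back to the original file.
add_filter( 'site_url', 'example_swap_login_file' );

// The login page also issues relative redirects such as
// 'wp-login.php?checkemail=confirm'; wp_redirect() passes them through here.
add_filter( 'wp_redirect', 'example_swap_login_file' );
```

This only changes the URLs WordPress emits. The original wp-login.php still answers direct requests unless the web server is configured to deny it, so a scanner that requests that path by name will still find it.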

