[wp-hackers] Could this be done via plugin?

Marcus Pope Marcus.Pope at springbox.com
Mon Oct 31 19:00:47 UTC 2011

To successfully do this you need to take the following into account:

 - add a filter on site_url & network_site_url that changes the "wp-login.php" to point to the page you want.
    One caveat is this will not work for activating accounts on multi-site installations for the network site (i.e. the default main site) because the wp-login.php url is hardcoded in the link on line 90 of wp-activate.php

 - In your custom login page be sure to manage the 'redirect_to' post parameter so that you redirect to the appropriate login url.  You should also add a filter on 'login_redirect' to handle any other redirects to the wp-login.php page.

 - I would also add an 'init' filter with priority 1 that checks is_admin() == true and is_user_logged_in() == false, at which point you should manually redirect to your custom login page and maintain your own redirect_to field (use a different key name.)

 - If you want to create accounts you'll need to hash your passwords in the database - I chose to sync the user accounts from our LDAP server into the wp_users tables.  See here for hashing details: wp-includes/class-phpass.php

 - Finally you'll want to generate a valid session after you have accepted the credentials for login.  Because you are still using the WordPress login architecture, you don't have to do much magic here, just make sure the above is in place and redirect to the same form target as the real login page and use the same form variables.

After that you should be able to safely delete the wp-login.php page, or add an .htaccess rule that blocks direct navigation to it.

I did this process with a plugin that allowed user logins via an LDAP server instead of the WordPress core.  But it's not publicly available so I can't just send you the source code.  This is possible with a plugin, though with multi-site it does get a bit more challenging because of the hard-coding of the url.  There is still a huge hack to get around that but it's more in-depth than the above.

Hope that helps,
- Marcus Pope
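
The first three items in the list above (URL filters, the 'login_redirect' filter, and the priority-1 'init' check), written out as a plugin. This is an added example, not code from the thread or from the LDAP plugin described in the message; the /bananas/ slug, the return_to key and all clp_ names are assumptions. Account sync and session creation are outside what it covers.

```php
<?php
/*
 * Plugin Name: Custom login path (added example)
 * Assumed: a page at /bananas/ renders the login form, and 'return_to'
 * is the alternate key that carries the post-login destination.
 */
define( 'CLP_LOGIN_PATH', '/bananas/' ); // hypothetical slug
define( 'CLP_RETURN_KEY', 'return_to' ); // hypothetical key name

// Rewrite every generated wp-login.php URL to the custom page.
function clp_rewrite_login_url( $url, $path = '' ) {
	if ( false === strpos( (string) $path, 'wp-login.php' ) ) {
		return $url;
	}
	$query = parse_url( $url, PHP_URL_QUERY ); // keep action=, redirect_to=
	return home_url( CLP_LOGIN_PATH ) . ( $query ? '?' . $query : '' );
}
add_filter( 'site_url', 'clp_rewrite_login_url', 10, 2 );
add_filter( 'network_site_url', 'clp_rewrite_login_url', 10, 2 );

// Never let a post-login redirect land back on wp-login.php.
function clp_login_redirect( $redirect_to ) {
	$hit = false !== strpos( (string) $redirect_to, 'wp-login.php' );
	return $hit ? admin_url() : $redirect_to;
}
add_filter( 'login_redirect', 'clp_login_redirect', 10, 1 );

// Send logged-out wp-admin requests to the custom page before core reacts.
function clp_guard_admin() {
	if ( ! is_admin() || is_user_logged_in() ) {
		return;
	}
	if ( defined( 'DOING_AJAX' ) && DOING_AJAX ) {
		return; // admin-ajax.php also serves logged-out visitors
	}
	$back = rawurlencode( wp_unslash( $_SERVER['REQUEST_URI'] ) );
	wp_safe_redirect( add_query_arg( CLP_RETURN_KEY, $back, home_url( CLP_LOGIN_PATH ) ) );
	exit;
}
add_action( 'init', 'clp_guard_admin', 1 );

// For the custom page: where to go after login, limited to this site's hosts.
function clp_return_url() {
	$raw = isset( $_REQUEST[ CLP_RETURN_KEY ] ) ? wp_unslash( $_REQUEST[ CLP_RETURN_KEY ] ) : '';
	return '' === $raw ? admin_url() : wp_validate_redirect( $raw, admin_url() );
}
```

The custom page would call clp_return_url() instead of trusting the request value directly, so the alternate redirect key cannot be used to bounce a freshly authenticated user to another host.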

-----Original Message-----
From: wp-hackers-bounces at lists.automattic.com [mailto:wp-hackers-bounces at lists.automattic.com] On Behalf Of Claude Needham
Sent: Monday, October 31, 2011 12:13 PM
To: wp-hackers at lists.automattic.com
Subject: Re: [wp-hackers] Could this be done via plugin?


Forgive my hacker-ish method of replying to your question.
I am mucho new to the wp core. But I am capable of running a few experiments.

auth_redirect() is the main function that handles the stuff you want to deal with.
It checks authentication then redirects to the login if necessary.

This function is found in wp-includes/pluggable.php

This is a pluggable function. I put together a fast plugin and found that I could easily redirect to bananas.php

What ramifications would this have?
How does this relate to the setup process?
What kind of admin page would be required to manage the name of the wp-login.php?
What goes on during (after) wp upgrade?

Proving that "something" is possible is easy. Finding an elegant and well thought out solution that anticipates the multitude of issues that could come from this is not so easy. Hats off to the guys and gals that code at that level.

If you want to hack a quirky solution together for your own website that might work okay. You'll have to tweak it after each wp upgrade.
(copying the new wp-login.php into bananas.php, and checking code in auth_redirect to make sure your plugin is up to date.)

If you want a plugin that can be added to the repository, I think you'd have quite a bit of work ahead of you.

However, I did notice that the function wp_login_url has a filter.
Maybe life will turn out to be as simple as writing a filter into the theme. But then again, you have the same admin issues to deal with when a wp upgrade comes along.

Claude Needham

On Mon, Oct 31, 2011 at 6:53 AM, Patrick Laverty <patrick_laverty at brown.edu> wrote:
> If your WP install uses authentication other than the wp-login page, 
> I'd love to be able to hide the wp-login.php file.  I've tried 
> renaming it but it seems that the core code requires that name for the 
> admin login to still work.  I don't want to hack code, so the first 
> thought is to create a plugin that would let me change wp-login to 
> "bananas.php" or something.  Especially after seeing a 3 minute demo 
> of WPScan, I'd love to make it harder for anyone to scan my 
> installation and possibly get the admin account.  My thought is if 
> they don't find wp-login.php, they'll get bored quickly and go on to 
> one of the other millions of installs that have it.
> It just seemed that the filename wp-login.php was so interwoven in 
> core code that there was no easy way to change the filename.
> If it can't be done by a plugin, is this something the core team would 
> consider making into a variable and letting the admin set the name of 
> the login page?
> Thanks.
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers