WordPress.org

Make WordPress Core

Changes between Initial Version and Version 1 of Ticket #24673, comment 22


Timestamp: 04/01/2014 06:30:56 AM (7 years ago)
Author: iseulde
  • Ticket #24673, comment 22

    initial v1  
    111. I made this plugin primarily because I wanted a custom login url and, secondly, because one small hosting company in Belgium decided to block wp-login.php with a Captcha (I'm sure there are others). I have zero experience with security, and the reasons I made this plugin have more to with aesthetics than security.
    22
    3 2. While this plugin *should* make it impossible to get to the login page without "a second password" (because that's what it really is, how simple it may be), there are some other APIs that could be attacked instead, such as xmlrpc.php. Renaming things like that would just cripple your WordPress install. And if you don't need it, you can simply turn it off as an administrator. As nacin said, a lot more public API are going to be introduced.
     32. While this plugin *should* make it impossible to get to the login page without "a second password" (because that's what it really is, how simple it may be), there are some other APIs that could be attacked instead, such as xmlrpc.php. Renaming things like that would just cripple your WordPress install. And if you don't need it, you can simply turn it off as an administrator. As nacin said, a lot more public APIs are going to be introduced.
    44
    553. Giving the user the option to rename wp-login.php without and easy option to reset it a bad idea and leads to a bad user experience. You don't want people locked out of their website and make them dig in a MySQL database.