Make WordPress Core

Opened 6 years ago

Closed 6 years ago

Last modified 6 years ago

#27331 closed defect (bug) (duplicate)

WordPress Login Page Security Issue

Reported by: hardeepasrani Owned by:
Milestone: Priority: normal
Severity: normal Version:
Component: Security Keywords:
Focuses: administration Cc:


I don't know whether it's a bug or there's a reason behind this, but I found it a security issue.

The Issue

If you're logged into your self-hosted WordPress website as an admin or any role, you will still see the login page & you can login again to any account.

I think if a user is already logged in then he should be redirected back to the admin panel (or any other page), but the login page.

Why it's an issue

Just suppose a user is using his WP site (as admin) on a public computer, then he somehow gets to login page (by clicking on the link) & sees that he is already logged out (even when he's logged in) because he can see the login page. So, now he thinks that he's been logged out, but he is still logged in.

So, I think a logged in user should either redirected back to admin panel or he has to fill the login details again to sign in.

What's your thoughts?

Change History (2)

#1 follow-up: @SergeyBiryukov
6 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Duplicate of #14949.

#2 in reply to: ↑ 1 @hardeepasrani
6 years ago

Replying to SergeyBiryukov:

Duplicate of #14949.

Great to know that the community is trying to resolve the issue.

Note: See TracTickets for help on using tickets.