Opened 9 years ago
Closed 9 years ago
#34925 closed defect (bug) (fixed)
4.4 wp-login.php: no longer possible to use the login_post scheme
Reported by: | jamescollins | Owned by: | johnbillion |
---|---|---|---|
Milestone: | 4.4.1 | Priority: | normal |
Severity: | normal | Version: | 4.4 |
Component: | Login and Registration | Keywords: | fixed-major |
Focuses: | Cc: |
Description
As of WordPress 4.4, the WordPress login screen uses wp_login_url()
as the form action when logging in.
In WordPress 4.3.1 and older, this was using site_url( 'wp-login.php', 'login_post' )
.
wp_login_url()
assumes the scheme is login
, which means it is no longer possible to filter for the login_post
scheme and override where WordPress's login form submits to.
This change was introduced in [34213] as part of #31495.
I understand the logic behind the above change, but it does seem to be a regression because it means that the login_post
scheme can't be used.
This issue affects WP Engine in particular, as they filter the login_post
URL as part of their brute force login protection.
Attachments (2)
Change History (15)
#3
@
9 years ago
- Keywords has-patch added; needs-patch removed
I added a patch with the partial revert of [34213]. The revert includes any place using the login_post
scheme.
#4
@
9 years ago
I'd like to see @johnbillion's take on the best way to provide back-compat here. I don't think a partial revert is a particularly great solution, especially we're attempting to mildly standardize how login/registration URLs are used in core.
#5
@
9 years ago
- Keywords needs-patch added; has-patch removed
Setting a different target for the login form, while unusual, is certainly something we shouldn't try to prevent.
I think we can probably do something like set_url_scheme( wp_login_url(), 'login_post' )
.
#6
@
9 years ago
- Keywords has-patch added; needs-patch removed
As suggested, 34925.2.patch wraps wp_login_url()
and wp_registration_url()
with set_url_scheme()
where needed.
Note that
set_url_scheme
still checks forlogin_post
andsite_url()
/network_site_url()
are still used a couple of times usinglogin_post
scheme.get_the_password_form()
does so as well.So either we partially revert [34213] or add a scheme parameter to
wp_login_url()
. I prefer the former.