Make WordPress Core

Opened 6 years ago

Closed 6 years ago

#48182 closed defect (bug) (duplicate)

wp-admin accessible from sub-directory on multisite

Reported by: ridinhighspeeds
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 5.2.3
Component: Networks and Sites
Keywords:
Focuses: multisite
Cc:

Description (last modified by SergeyBiryukov)

Using the latest version of WordPress. Noticed in our web logs that /wp-login.php is accessible from sub-directories within a multisite.

Example of 1 site in our multisite - Normal URL: https://www.bridgestreettire.com/wp-login.php
Unfortunately wp-login.php is accessible via any sub-directory, i.e. bridgestreettire.com/*/wp-login.php where * can be replaced with any text.
Example, all of these work:
https://www.bridgestreettire.com/welcome/wp-login.php
https://www.bridgestreettire.com/admin/wp-login.php
https://www.bridgestreettire.com/test/wp-login.php
https://www.bridgestreettire.com/home/wp-login.php
To protect our websites, we locked down wp-login.php to our IP address, so you may see an error if you try to pull up any of those URLs.

This goes the same for all other domains in our WordPress multisite. I assume the .htaccess file needs to be tweaked to only allow access to wp-login.php from the parent domain, and not a sub-directory. I assume sub-directory is allowed for those who use multisite in a sub-directory mode?

We are on CentOS 7 with cPanel and LiteSpeed Web Server.

Thanks
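One way to audit an access log for the behaviour reported above and to confirm that an IP restriction on wp-login.php also covers the prefixed paths. This is an added example, not part of the ticket or of WordPress itself; the log lines are constructed, and `prefixed_login_hits`, `unblocked` and `known_sites` are hypothetical names. It assumes the combined log format.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Combined log format: host ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

# Constructed sample lines (documentation IP ranges), not taken from the ticket.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2019:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2019:13:55:40 +0000] "GET /welcome/wp-login.php HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2019:13:56:02 +0000] "POST /test/wp-login.php HTTP/1.1" 200 5102 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2019:13:56:05 +0000] "GET /home/wp-login.php?action=lostpassword HTTP/1.1" 403 199 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2019:13:57:11 +0000] "GET /blog/hello-world/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
"""


def prefixed_login_hits(lines, known_sites=()):
    """Return (client, method, prefix, status) for wp-login.php requested under a path prefix."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        client, method, target, status = m.groups()
        segments = [s for s in unquote(target.split("?", 1)[0]).split("/") if s]
        if len(segments) < 2 or segments[-1].lower() != "wp-login.php":
            continue  # root-level login or an unrelated request
        prefix = "/".join(segments[:-1])
        if prefix in known_sites:
            continue  # slug of a real sub-directory site (assumed list supplied by the admin)
        hits.append((client, method, prefix, int(status)))
    return hits


def unblocked(hits):
    """Count prefixes whose request was not rejected (status below 400)."""
    return Counter(prefix for _, _, prefix, status in hits if status < 400)


if __name__ == "__main__":
    hits = prefixed_login_hits(SAMPLE_LOG.splitlines())
    for hit in hits:
        print(hit)
    print("not covered by the restriction:", dict(unblocked(hits)))
```

Any prefix reported by `unblocked` is a path where the login page answered even though the root-level rule rejected the same client.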

Change History (1)

#1 @SergeyBiryukov
6 years ago

  • Component changed from Administration to Networks and Sites
  • Description modified (diff)
  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Hi @ridinhighspeeds, welcome to WordPress Trac!

Thanks for the report, we're already tracking this issue in #17376.
