Make WordPress Core

Opened 4 years ago

Closed 4 years ago

#51386 closed defect (bug) (duplicate)

Customized login address is visible in the comments section

Reported by: ahmad70043
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 5.5.1
Component: General
Keywords: needs-privacy-review
Focuses:
Cc:

Description

Hello
Since the WordPress admin login page is www.yourdomain.com/wp-admin by default and can be a gateway for hackers, one of the tasks to keep the website secure is to change the admin login address.
But I noticed that if we have defined in the conversations settings that the guest user must first register on the site to post a comment, in the comments section (blog and post) there will be a link for the guest user to enter, which the user can click on. This link enters the page with the login address of the LoginPress admin.
In this case, changing the address of the login page to WordPress admin is useless, because the hacker will easily find out the address by clicking on the link in the comments section.

Thanks - Ahmad Darfashi

Change History (1)

#1 in reply to: ↑ description @SergeyBiryukov
4 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from assigned to closed
  • Summary changed from Report a bug to Customized login address is visible in the comments section

Hi there, welcome to WordPress Trac! Thanks for the ticket.

Just noting this has come up multiple times before, please see the previous discussions in #7194, #13118, #15289, #21924, #24673, #38444, #38800, #44552.

To summarize, the wp-login.php or wp-admin URLs are not intended to be customizable, as that's just security through obscurity and doesn't really help with anything, so there are currently no plans to implement this in core.

To improve website security, I would suggest following these general recommendations instead:

  • Have a strong password (at least 24 characters long, with numbers and special characters).
  • Don't give Administrator or Editor access to people you don't completely trust.
  • Download plugins and themes from official resources only.
  • Keep WordPress, plugins, and themes updated to the latest stable version.