Directory Privacy with wp-login.php ‘Powered by WordPress’
-
Hi,
Using directory privacy to place password protection on the login page.
However, if you use wp-login.php instead of wp-admin and hit ‘cancel’ a few times you can bypass this, OR I’ve seen cases where www after https can bring you straight to the login page and bypass the password too.
For example ‘wp-login.php’ hit cancel = see login page
For example: https://exampleonlyforforum.com/wp-login.php = blocked BUT TRY https://www.exampleonlyforforum.com/wp-login.php = blocked = see login page.
The login page says ‘powered by wordpress’.
Does anyone know how to password protect the wp-login.php as well, and prevent ‘cancel’ or addition of ‘www’ from bypassing it?
I had heard that the below code can be used to protect the wp-login.php but does anyone know how this works in conjunction with directory privacy?
"ErrorDocument 401 “Unauthorized Access” ErrorDocument 403 “Forbidden” <FilesMatch “wp-login.php”> AuthName “Authorized Only” AuthType Basic AuthUserFile /home/username/.wpadmin Require valid-user </FilesMatch>Lastly, we use the below to allow AJAX even with password protection, does anyone know if the above code could end up blocking the allowance of AJAX?
<files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</files>
-
This seems to have worked. But can cause directory privacy to ask the password protected wp-login.php and wp-admin twice in a row.
For the section home/username/.wpadmin – this must match the location where .htpasswd is saved.
ErrorDocument 401 "Forbidden Access" <Files "wp-login.php"> AuthUserFile /home/username/.wpadmin AuthName "Private Access" AuthType Basic Require valid-user </Files>And yes it appears the above AJAX code does allow ajax to still work even with directory password.
The topic ‘Directory Privacy with wp-login.php ‘Powered by WordPress’’ is closed to new replies.