Hidden Login Credentials Exposed

  • Resolved deeveearr

    (@deeveearr)


    6 years, 1 month ago

    Hi,

    This plugin works really well, until you try running a forum software with it.

    Had a bit of a ‘slogfest’ yesterday with the author of WPForo, who insisted that this problem was nothing to do with them, even though up to the time when their new version came out yesterday morning, everything worked fine.

    Anyway, the problem:

    If someone tries to register, or reset a lost password on a forum, the user will receive an email something along the lines of: ‘Reset your password at my-website.com/wp-login.php/some-password-key’ which in my case will expose the hidden password by saying ‘Reset your password at my-website.com/hidden-login-details/some-password-key’, which in effect is telling the user that ‘here are the credentials, you may now try and hack this website’.

    Is there a way to make this plugin keep the hidden login details private when using a forum?

    At present, I’ve rolled back WPForo to yesterday’s version, which worked fine, but this goes against WordPress best practices.

    Any help on this issue would be much appreciated.

Viewing 1 replies (of 1 total)
  • mthomas80

    (@mthomas80)

    6 years ago

    I’m having the same issue only without a forum. We can still see people are discovering the login URL some how and attempting to brute force.

Viewing 1 replies (of 1 total)

The topic ‘Hidden Login Credentials Exposed’ is closed to new replies.