wp-login.php redirection for ordinary users
-
Hello
Thanks for this plugin, but I have a problem that I’ll explain steps by steps for better understanding what I’m talking about:1- After installing and activating I go to settings and select “Require Approval” = “yes”; “Require Login” = “yes”; “Show Registration Link” = “yes”.
2- Then I go to “add new page” I put some title and then from the dropdown button of Site Reviews I select “submit a review” adding some title as well.
3- Then I open the page from another browser and private windows to see the page as an ordinary user (visitor) and I find the text and link: “You must be logged in to submit a review.”
4- This link redirect users to the wp-login.php or wp-admin dashboard instead to redirecting users to /my-account page from woocommerce or a custom /login page created by others plugins.
I hope you understand that this is a serious lack of security and worst than that is that even installing plugins that hides (changing the name of) wp-login.php from hackers, the link generated from your plugin will redirect visitors to this hidden link.
I tested in my website and even in a fresh new wordpress site and the problem was exactly the same. I think you should add a field on your plugin setting page where users can choose where they want to redirect they visitors when clicking that link.
I’ll really appreciate your help with this issue!
Thanks for your time,
-
Site Reviews uses the wp_login_url and wp_registration_url WordPress functions to get the login and registration URL.
This is what these functions are designed to do, and these URLs are part of the default WordPress installation.
Changing the WordPress URLs is not something that is provided by WordPress by default, it is something that people use security plugins for. Woocommerce does not change these URLs for security, but rather for convenience.
If you are using a plugin to change the login and registration URLs, then (if they are made correctly), they will use the login_url and register_url hooks to override the output of the wp_login_url and wp_registration_url functions. This is why WordPress provides those filter hooks.
If the plugin does not make use of those filter hooks to change the default login and registrations URLs, then it may not be as secure as you think it is.
Lastly, obfuscating login/registration URLs is not a foolproof way to protect your site, “security through obscurity” is always bad security! I say this also from experience.
Instead, you probably should want to focus on using a two-factor authentication plugin, and a security plugin which throttles login attempts, and (optionally) limits the login page to a specific IP address.
Again, if your plugin does not do so, you can use the login_url and register_url filter hooks yourself to override the output of the wp_login_url and wp_registration_url functions.
Your suggestion to add a setting to choose where to redirect someone to login is still a good one though! I’ll add it to the roadmap.
Screenshot taken from the WordPress Handbook for the “login_url” hook (as provided above) https://developer.ww.wp.xz.cn/reference/hooks/login_url/
Using that example, and assuming that your login page is:
https://yourwebsite.com/my-account/function custom_wordpress_login_url($login_url, $redirect, $force_reauth) { $login_url = home_url('/my-account/'); if (!empty($redirect)) { $login_url = add_query_arg('redirect_to', urlencode($redirect), $login_url); } if ($force_reauth) { $login_url = add_query_arg('reauth', '1', $login_url); } return $login_url; } add_filter('login_url', 'custom_wordpress_login_url', 10, 3);And the result:
The topic ‘wp-login.php redirection for ordinary users’ is closed to new replies.
