Change sign-on URLs for security purposes

March 14, 20232 Views

For security reasons, it should be possible to rename login.php to something different, and change other access shortcuts (eg: wp-admin) to point to the new URL.

Is there a documented best practice for this? If not, what would the most correct methodology be?

I appreciate that this is not security per se, just obfuscation, but I’m considering this to be just another layer of protection: not a replacement of other security tactics such as failed attempt lockdown limiting and stricted password enforcement.

Creative approaches welcome.

Post Views: 2

2 comments

Well, considering rewrite and redirect like in comments –

choose what fits you best .

HOOK wp_login_url();
//this function generate the login url address

Example:

add_filter( 'login_url', 'another_login_url', 10, 2);
function another_login_url( $force_reauth, $redirect ){
    $login_url = 'your_chosen_login_url';

    if ( !empty($redirect) )
        $login_url = add_query_arg( 'redirect_to', urlencode( $redirect ), $login_url );

    if ( $force_reauth )
        $login_url = add_query_arg( 'reauth', '1', $login_url ) ;

    return $login_url ;
}

Redirect action

add_action( 'login_redirect', 'mysite_login_redirect');
function mysite_login_redirect(){
    return 'your_url';
}

.htaccess rewrite URL

RewriteRule ^login$ http://site.com/wp-login.php [NC,L]

.htaccess redirect rule

RewriteRule ^login$ http://site.com/wp-login.php [NC,L,R]

Personally I prefer the rewrite function

add_rewrite_rule()

add_action( 'init', 'k99_login_rewrite' );
function k99_login_rewrite() {
    add_rewrite_rule( 'login/?$', 'wp-login.php', 'top' );
}

NOTE : some of those methods can change according to wp version, but in the latest versions all should work.
THere are also other methods, if you find none of those suitable for you ..

Anonymous says:

March 14, 2023 at 11:40 pm
The challenge of course is not “breaking” or “hacking” core to do this.

Riffing off of krembo99’s filter idea, I wonder whether the following wouldn’t be a high-level approach to the solution from a plugin perspective:
1. copy wp-login.php to a new file in the root WP directory.
2. Use the 'login_url' filter to point to this new file
3. Use the 'admin_url' filter to point to a new “pseudo-url” for admin
4. Set up the 'login_init' action to either just exit, or put up some default error screen, maybe redirect to the 404 page.
5. Edit the file you copied in step 1 and remove the do_action( 'login_init' ) line (or replace it with a custom action of your own).
I haven’t tested this – it’s just a theory. The biggest challenge left is – when you upgrade WP – does it delete any files that it doesn’t expect in the root? If so, the plugin will also have to check to see if WP has been upgraded and if so, re-install the alternative login file. And of course, we’d want it to be done by copying the newly-upgraded wp-login.php, so it would have to run a regexp search-and-replace on the do_action( 'login_init' ) line.
Log in to Reply

Leave a Reply Cancel reply

2 comments

Social Network

Related posts

Leave a Reply Cancel reply

2 comments

Social Network