[wp-trac] [WordPress Trac] #24673: provide mainline supported rename of wp-login
WordPress Trac
noreply at wordpress.org
Tue Jul 2 05:52:09 UTC 2013
#24673: provide mainline supported rename of wp-login
--------------------------+-----------------------------
 Reporter:  jorhett       |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  Security      |    Version:  3.5.2
 Severity:  critical      |   Keywords:
--------------------------+-----------------------------
In general I mock people who do security through obscurity, but I think in
this case it might help a great deal. It's not that WordPress needs
obscurity, so much as Every WordPress Is The Same and we've made the
attacker's job way, way too easy.

We are in our 4th month of ongoing and escalating botnet attacks. The
botnet provider keeps learning with each new evolution, and we're seeing a
new evolution each week.

One thing a botnet can't do is deal with dynamic information. If WordPress
were to provide a mainline, supported mechanism for a unique login URL,
this would stop the botnet flat. Obviously this would require that you
can't issue a remote query to get the login URL. But if it was just text
on the screen, he couldn't very well alter his botnet to parse the text
and figure it out. Or maybe he could, but it wouldn't work nearly so
often.

I believe this is a problem best solved at the source, in a small, simple
code fix that doesn't require every WordPress site to install large
complex plugins to achieve.

--
Ticket URL: <http://core.trac.wordpress.org/ticket/24673>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software