[wp-trac] [WordPress Trac] #24673: provide mainline supported rename of wp-login
WordPress Trac
noreply at wordpress.org
Tue Apr 1 01:53:31 UTC 2014
#24673: provide mainline supported rename of wp-login
--------------------------+----------------------
Reporter: jorhett | Owner:
Type: defect (bug) | Status: closed
Priority: normal | Milestone:
Component: Security | Version: 3.5.2
Severity: critical | Resolution: wontfix
Keywords: | Focuses:
--------------------------+----------------------
Comment (by knutsp):
When I navigate to /wp-admin, without being logged in, I expect to be
redirected to the login page. When I enter my credentials I expect them to
be posted to the login handler and be redirected back to wp-admin as a
logged-in user. Do I have to know there is a wp-login.php that handles
this? No.
So if I don't need to know about it, why should an attacker?
This suggestion isn't even obscurity. It's like moving the front door of a
house to some odd place around the corner, and have a sign pointing
visitors to it, all just to try to avoid burglars. They are not that
stupid.
Renaming wp-login.php will for sure avoid a lot of attacks on that
specific site, for a while. If core did that, it would help for a few
weeks, until the scripts get just a little more sophisticated, following a
simple redirect. They don't bother to do that now, because there is no
gain. But they will, and it will happen immediately.
This works like a placebo. A lot of people report that it "works". But when
given to all who have the disease it is no cure.
What core could implement is enforcing even stronger passwords and limiting
login attempts. Excellent plugins already do that.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/24673#comment:13>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
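The comment's point about the redirect is easy to check in code. The following is an added example, not part of the Trac ticket or of WordPress itself: it models, in memory, a site whose login handler has been renamed (the path /members-entrance.php is an assumed name) while /wp-admin still answers with a 302 pointing at it, and a scanner that simply follows Location headers. It also models the same site with the redirect removed, to show that the rename only hides anything when the "sign pointing to the door" is gone too. All HTTP responses are constructed inline; nothing is fetched from a real server.

```python
"""Added example: following the /wp-admin redirect defeats a renamed wp-login.php.

Both sites below are constructed in-memory models keyed by path, with values
(status, headers, body). They are not real WordPress responses.
"""
from urllib.parse import urljoin

# Constructed site: wp-login.php renamed to /members-entrance.php (assumed name),
# but /wp-admin still redirects unauthenticated visitors to it.
RENAMED_SITE = {
    "/wp-admin": (302, {"Location": "/members-entrance.php?redirect_to=%2Fwp-admin"}, ""),
    "/wp-admin/": (302, {"Location": "/members-entrance.php?redirect_to=%2Fwp-admin%2F"}, ""),
    "/wp-login.php": (404, {}, "Not Found"),
    "/members-entrance.php": (
        200, {},
        '<form name="loginform" id="loginform" action="/members-entrance.php" method="post">',
    ),
}

# Same constructed site, but /wp-admin no longer redirects: no signpost to the door.
NO_SIGNPOST_SITE = dict(RENAMED_SITE)
NO_SIGNPOST_SITE["/wp-admin"] = (404, {}, "Not Found")
NO_SIGNPOST_SITE["/wp-admin/"] = (404, {}, "Not Found")


def fetch(site, url):
    """Look up a constructed response by path, ignoring the query string."""
    path = url.split("?", 1)[0]
    return site.get(path, (404, {}, "Not Found"))


def find_login_form(site, start="/wp-admin", max_hops=5):
    """Follow 3xx redirects from `start` and return the path serving a login form.

    Returns None if no login form is reached within max_hops, if a redirect
    loop is detected, or if the chain ends on a non-redirect, non-form page.
    """
    seen = set()
    url = start
    for _ in range(max_hops):
        if url in seen:
            return None  # redirect loop: give up rather than spin
        seen.add(url)
        status, headers, body = fetch(site, url)
        if 300 <= status < 400 and "Location" in headers:
            # Location may be relative; resolve it against the current URL.
            url = urljoin(url, headers["Location"])
            continue
        if status == 200 and 'name="loginform"' in body:
            return url.split("?", 1)[0]
        return None
    return None


if __name__ == "__main__":
    print("renamed + redirect :", find_login_form(RENAMED_SITE))      # found in one hop
    print("renamed, no redirect:", find_login_form(NO_SIGNPOST_SITE))  # not found
    print("old path directly   :", find_login_form(RENAMED_SITE, "/wp-login.php"))
```

With the redirect in place the scanner lands on the renamed handler after a single hop, which is the "little more sophisticated" script the comment predicts. Removing the redirect is what actually withholds the path, and that is the part a rename alone does not do.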