[wp-trac] [WordPress Trac] #13118: wp-login.php and wp-admin folder location/name choice during the installation

WordPress Trac wp-trac at lists.automattic.com
Mon Jul 19 03:33:58 UTC 2010


#13118: wp-login.php and wp-admin folder location/name choice during the
installation
-----------------------------------------------------+----------------------
 Reporter:  MSNexus                                  |        Owner:  dd32    
     Type:  feature request                          |       Status:  reopened
 Priority:  normal                                   |    Milestone:          
Component:  Administration                           |      Version:  2.9.2   
 Severity:  normal                                   |   Resolution:          
 Keywords:  wp-login,wp-admin,wordpress,secure,more  |  
-----------------------------------------------------+----------------------
Changes (by gazouteast):

  * status:  closed => reopened
  * resolution:  wontfix =>


Comment:

 I have been asking for a long time for a simple triple define in wp-
 config.php to set the names and paths of the three main WordPress wp-*
 folders.

 This is a basic and foundation level security measure to delay / divert
 hackers.

 The entire code base should be pointing to those three paths via
 constants, and the paths for those constants should be definable.  If set
 during install rather than in wp-config, the true paths could be saved in
 the database as MD5 hashes, making it even tighter.

 Security by obfuscation is not a house of cards, it is an additional
 layer.  There is nothing to stop (and it would be recommended to do so)
 having dummy folders retained with the original wp-* names, password
 protected from cPanel / Plesk etc as a frustration to hackers, who might
 then focus on cracking to get into empty folders while ignoring the real
 and obfuscated locations.  During which time, server logs would tip the
 hosting service or site admins that something was happening.

 I think it is disingenuous of WordPress to shun this measure, when even
 scripts like osCommerce have had it for seven or eight years already - see
 also discussions on Mark Jaquith's blog post regarding hosts need to get
 with the WordPress hosting requirements, and the many angst comments about
 flawed WordPress security coding.

 You're missing a real opportunity to tighten ship here guys, and with the
 minimum of effort.

 Gaz

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/13118#comment:3>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
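The comment above rests on two things working together: decoy wp-login.php / wp-admin/ paths that nobody legitimate ever requests, and somebody actually watching the server log for hits on them. The second part is the one that is usually missing, so the following is an added example (editor's code, not from the ticket, the commenter, or WordPress) of the monitoring step: it parses Apache "combined" access-log lines, counts requests to the decoy paths per source IP, and flags sources that exceed a threshold. The log lines, the IP addresses, the decoy path list and the threshold are all constructed for the example. For context, WordPress does already let wp-config.php relocate wp-content through WP_CONTENT_DIR and WP_CONTENT_URL; wp-admin and wp-includes are not relocatable through constants, which is what the ticket asks for.

```python
import re
from collections import defaultdict

# Constructed sample of Apache "combined" access-log lines (not taken from
# any real server). The decoy directories are password protected, so every
# request to them comes back 401; the real admin lives under another name.
SAMPLE_LOG = """\
203.0.113.5 - - [19/Jul/2010:03:10:01 +0000] "GET /wp-login.php HTTP/1.1" 401 381 "-" "Mozilla/5.0"
203.0.113.5 - - [19/Jul/2010:03:10:02 +0000] "POST /wp-login.php HTTP/1.1" 401 381 "-" "Mozilla/5.0"
203.0.113.5 - - [19/Jul/2010:03:10:03 +0000] "POST /wp-login.php HTTP/1.1" 401 381 "-" "Mozilla/5.0"
203.0.113.5 - - [19/Jul/2010:03:10:04 +0000] "GET /wp-admin/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Jul/2010:03:11:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Jul/2010:03:11:05 +0000] "GET /wp-content/themes/x/style.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"
192.0.2.9 - - [19/Jul/2010:03:12:00 +0000] "GET /wp-admin/ HTTP/1.1" 401 381 "-" "curl/7.19"
"""

# Apache combined format: ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it doesn't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_decoy_hit(rec):
    """True if the request targets one of the decoy (original-name) locations.

    The decoy path list is an assumption for the example: the original
    wp-login.php and wp-admin/ names, kept as empty, password-protected decoys.
    """
    path = rec["path"].split("?", 1)[0]  # ignore query string
    return path == "/wp-login.php" or path == "/wp-admin" or path.startswith("/wp-admin/")


def decoy_hits_by_ip(log_text):
    """Group decoy requests by source IP: {ip: [(time, method, path, status), ...]}."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and is_decoy_hit(rec):
            hits[rec["ip"]].append((rec["time"], rec["method"], rec["path"], rec["status"]))
    return dict(hits)


def flag_sources(log_text, threshold=3):
    """Return [(ip, hit_count)] for sources with at least `threshold` decoy hits,
    most active first. The threshold is an arbitrary example value."""
    hits = decoy_hits_by_ip(log_text)
    flagged = [(ip, len(h)) for ip, h in hits.items() if len(h) >= threshold]
    return sorted(flagged, key=lambda item: -item[1])


if __name__ == "__main__":
    for ip, count in flag_sources(SAMPLE_LOG):
        print("decoy probing from %s: %d requests" % (ip, count))
        for time, method, path, status in decoy_hits_by_ip(SAMPLE_LOG)[ip]:
            print("  [%s] %s %s -> %d" % (time, method, path, status))
```

Because no real user has a reason to touch the decoy names, a single hit is already a signal; the threshold only serves to separate a drive-by scanner from a sustained attempt. Feeding this a real log (or wiring the same match into fail2ban) is what turns the decoy folders from a nuisance into an actual tripwire.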

