[wp-trac] [WordPress Trac] #24673: provide mainline supported rename of wp-login
WordPress Trac
noreply at wordpress.org
Tue Jul 2 13:59:55 UTC 2013
#24673: provide mainline supported rename of wp-login
--------------------------+------------------------------
Reporter: jorhett | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version: 3.5.2
Severity: critical | Resolution:
Keywords: |
--------------------------+------------------------------
Comment (by jorhett):
How about the login link on the home page of the site, just like most
sites today? That is hardly a password...
In fact, this is the core of my argument. There are a few plugins out
there that hide the login page. That works well for sites with a few
admins, who can bookmark the new login page. But sites where user login is
encouraged need an easy, public, visible login page. Themes need the
ability to get the login URL through a function call.
The botnet code isn't doing something complex like evaluating the HTML of
each site to find the login URL. For highly customized sites that would be
very difficult to determine. The botnet code is super simple, because
Every WordPress Site Is The Same. Just being able to move the login
URL(s) around would shut the botnet down considerably. You can easily do
this without making it trivial to determine externally.
(Yes, trivial for a human, but it isn't a human attacking here. If we can
make him use 10,000 humans trying to find URLs all day long, then we have
succeeded in stopping his attack.)
--
Ticket URL: <http://core.trac.wordpress.org/ticket/24673#comment:4>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
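The comment's point is that the botnet does not look for the login page at all; it blindly POSTs to the same path on every site. That also makes the traffic easy to spot from the server side. The following is an added example, not code from the ticket or from WordPress: a small Python detector that reads web-server access-log lines in the common "combined" format, counts POSTs to wp-login.php per client address, and separates a single noisy source from the distributed pattern the comment describes (many addresses, each making only a few attempts). The log lines, address ranges and thresholds are constructed for the example.

```python
"""Flag password-guessing traffic against wp-login.php in access logs.

Added example with constructed sample data; the log lines below are made
up for illustration and are not taken from any real server.
"""
import re
from collections import Counter

LOGIN_PATH = "/wp-login.php"

# Combined-log-format line, e.g.
# 203.0.113.10 - - [02/Jul/2013:13:40:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3854 "-" "UA"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def _line(ip, ts, method, path, status=200):
    """Build one constructed combined-format log line (sample data only)."""
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 3854 "-" "Mozilla/5.0"'


# Constructed sample: a distributed burst (ten addresses, one POST each),
# one single-source run of six POSTs, and some unrelated traffic.
SAMPLE_LOG = "\n".join(
    [_line(f"203.0.113.{n}", f"02/Jul/2013:13:40:{n:02d} +0000", "POST", LOGIN_PATH)
     for n in range(10, 20)]
    + [_line("198.51.100.7", f"02/Jul/2013:13:41:{n:02d} +0000", "POST", LOGIN_PATH)
       for n in range(6)]
    + [_line("192.0.2.8", "02/Jul/2013:13:42:00 +0000", "GET", "/about/"),
       _line("192.0.2.8", "02/Jul/2013:13:42:05 +0000", "GET", LOGIN_PATH)]
)


def parse_line(raw):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(raw)
    return m.groupdict() if m else None


def login_post_counts(log_text):
    """Count POSTs to the login path per client address (GETs are ignored)."""
    counts = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        # Strip any query string so "/wp-login.php?action=..." still matches.
        if rec["method"] == "POST" and rec["path"].split("?", 1)[0] == LOGIN_PATH:
            counts[rec["ip"]] += 1
    return counts


def classify(counts, per_ip_threshold=5, distributed_min_ips=8):
    """Separate a single noisy source from a distributed (botnet-style) pattern.

    single_source: addresses at or above the per-address threshold.
    distributed:   True when many distinct addresses each stay below that
                   threshold, which is what a per-IP lockout alone misses.
    """
    single_source = sorted(ip for ip, n in counts.items() if n >= per_ip_threshold)
    quiet_ips = [ip for ip, n in counts.items() if n < per_ip_threshold]
    return {
        "single_source": single_source,
        "distributed": len(quiet_ips) >= distributed_min_ips,
        "total_attempts": sum(counts.values()),
    }


if __name__ == "__main__":
    counts = login_post_counts(SAMPLE_LOG)
    print(classify(counts))
```

The per-address threshold catches the kind of attempt a simple lockout plugin already handles; the distributed check is the one that matters for the scenario in the ticket, where each bot makes only a few attempts and no single address ever trips a lockout. In practice you would feed the function a sliding time window of real log lines rather than the whole file, and alert on the `distributed` flag.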