[wp-trac] [WordPress Trac] #24673: provide mainline supported rename of wp-login

WordPress Trac noreply at wordpress.org
Tue Jul 2 13:59:55 UTC 2013


#24673: provide mainline supported rename of wp-login
--------------------------+------------------------------
 Reporter:  jorhett       |       Owner:
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  Awaiting Review
Component:  Security      |     Version:  3.5.2
 Severity:  critical      |  Resolution:
 Keywords:                |
--------------------------+------------------------------

Comment (by jorhett):

 How about the login link on the home page of the site, just like most
 sites today?  That is hardly a password...

 In fact, this is the core of my argument. There are a few plugins out
 there that hide the login page. That works well for sites with a few
 admins, who can bookmark the new login page. But sites where user login is
 encouraged need an easy, publicly visible login page. Themes need the
 ability to get the login URL through a function call.

 The botnet code isn't doing something complex like evaluating the HTML of
 each site to find the login URL. For highly customized sites that would be
 very difficult to determine. The botnet code is super simple, because
 Every WordPress Site Is The Same. Just being able to move the login
 URL(s) around would shut the botnet down considerably. You can easily do
 this without making it trivial to determine externally.
 (Yes, trivial for a human, but it isn't a human attacking here. If we can
 make him use 10,000 humans trying to find URLs all day long, then we have
 succeeded in stopping his attack.)

--
Ticket URL: <http://core.trac.wordpress.org/ticket/24673#comment:4>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
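The function call the comment asks for already exists in core as wp_login_url(), together with its login_url filter. The following must-use plugin is an added example, not code from the ticket or from WordPress core; it relocates the login page to a site-specific slug (EXAMPLE_LOGIN_SLUG, an assumed value) and makes core's own URL helpers hand that slug to themes, so templates never hard-code wp-login.php.

```php
<?php
// Added example, not from the ticket or WordPress core: relocate the login
// page and let wp_login_url() tell themes where it went.
define( 'EXAMPLE_LOGIN_SLUG', 'members-entrance' ); // assumption: pick per site

// Path of the relocated login URL, e.g. "members-entrance" or
// "wp/members-entrance" when WordPress is installed in a subdirectory.
function example_login_path() {
    return trim( parse_url( site_url( EXAMPLE_LOGIN_SLUG ), PHP_URL_PATH ), '/' );
}
function example_request_path() {
    return trim( parse_url( $_SERVER['REQUEST_URI'] ?? '', PHP_URL_PATH ), '/' );
}

// 1. Themes call wp_login_url(); the login_url filter is where core lets a
//    site answer with a different location (same args core itself appends).
add_filter( 'login_url', function ( $login_url, $redirect, $force_reauth ) {
    $url = site_url( EXAMPLE_LOGIN_SLUG );
    if ( ! empty( $redirect ) ) {
        $url = add_query_arg( 'redirect_to', urlencode( $redirect ), $url );
    }
    if ( $force_reauth ) {
        $url = add_query_arg( 'reauth', '1', $url );
    }
    return $url;
}, 10, 3 );

// 2. The form action, logout and lost-password links are built with
//    site_url()/network_site_url(), so rewrite wp-login.php there too.
$example_relocate = function ( $url ) {
    return str_replace( 'wp-login.php', EXAMPLE_LOGIN_SLUG, $url );
};
add_filter( 'site_url', $example_relocate );
add_filter( 'network_site_url', $example_relocate );

// 3. Serve the real login handler only at the new path.
add_action( 'wp_loaded', function () {
    if ( example_request_path() === example_login_path() ) {
        require ABSPATH . 'wp-login.php';
        exit;
    }
} );

// 4. A direct hit on the canonical path, the one request the ticket says every
//    WordPress site receives, gets an empty 404 instead of a login form.
add_action( 'login_init', function () {
    if ( substr( example_request_path(), -12 ) === 'wp-login.php' ) {
        status_header( 404 );
        nocache_headers();
        exit;
    }
} );
```

This only moves the page; it does not throttle attempts, so it complements rather than replaces login rate limiting.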

