[wp-trac] [WordPress Trac] #24673: provide mainline supported rename of wp-login

WordPress Trac noreply at wordpress.org
Tue Apr 1 02:07:29 UTC 2014


#24673: provide mainline supported rename of wp-login
--------------------------+-----------------------
 Reporter:  jorhett       |       Owner:
     Type:  defect (bug)  |      Status:  reopened
 Priority:  normal        |   Milestone:
Component:  Security      |     Version:  3.5.2
 Severity:  critical      |  Resolution:
 Keywords:                |     Focuses:
--------------------------+-----------------------
Changes (by jorhett):

 * status:  closed => reopened
 * resolution:  wontfix =>


Comment:

 Nobody suggested what you just said. This isn't a binary problem space.
 Your accusation is a false dilemma proving only that you don't understand
 the problem space.

 1. Why does every site need to use wp-admin? Is there some clear value in
 having every WP site use the exact same login URL?  Sure, it can be a
 default -- but forcing it on everyone means that it breaks many sites with
 their own well-designed layout.

 So if we don't put it at wp-admin (or wp-login for the obvious other case)
 then how will they know to find it?  They can plunge the ocean hoping to
 find their way to the admin page... which requires too many resources.

 2. Why is the user login and the admin login the same? Allow them to be
 distinct. You must provide an obvious user login page. You can limit the
 admin login page to those who know where it is.

 3. Why not allow a 3rd mechanism? User, password and something else
 depending on the plugins available. You allow plugins to control
 user/password, but don't allow true freedom for alternative security
 mechanisms. I could easily use hard/soft tokens for auth for any admins to
 my personal sites. We have the technology...

 This is why there are bots to break into WordPress, and not bots to break
 into other CMS. You claim they'll easily find their way to an unknown page
 with no links to it. I call fooey, because if there were then there would
 be botnets for Drupal, Joomla, etc. There aren't for exactly this reason.

 Stop with the false dilemma, and acknowledge the 70+ K botnet of WordPress
 nodes used for criminal activity.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/24673#comment:14>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

