[wp-trac] [WordPress Trac] #48182: wp-admin accessible from sub-directory on multisite
WordPress Trac
noreply at wordpress.org
Tue Oct 1 21:55:36 UTC 2019
#48182: wp-admin accessible from sub-directory on multisite
--------------------------------+------------------------
Reporter: ridinhighspeeds | Owner: (none)
Type: defect (bug) | Status: closed
Priority: normal | Milestone:
Component: Networks and Sites | Version: 5.2.3
Severity: normal | Resolution: duplicate
Keywords: | Focuses: multisite
--------------------------------+------------------------
Changes (by SergeyBiryukov):
* status: new => closed
* resolution: => duplicate
* component: Administration => Networks and Sites
* milestone: Awaiting Review =>
Old description:
> Using the latest version of WordPress. Noticed in our web logs that /wp-
> login.php is accessible from sub-directories within a multisite.
>
> Example or 1 site in our multisite - Normal URL:
> https://www.bridgestreettire.com/wp-login.php
> Unfortunately wp-login.php is accessible via any sub-directory i.e.
> bridgestreettire.com/***/wp-login.pho where *** can be replaced with any
> text.
> Example, all of these work:
> https://www.bridgestreettire.com/welcome/wp-login.php
> https://www.bridgestreettire.com/admin/wp-login.php
> https://www.bridgestreettire.com/test/wp-login.php
> https://www.bridgestreettire.com/home/wp-login.php
> To protect our websites, we locked down wp-login.php to our IP address,
> so you may see an error if you try to pull up any of those url's.
>
> This goes the same for all other domains in our Wordpress multisite. I
> assume the .htaccess file needs to be tweaked to only allow access to wp-
> login.php from the parent domain, and not a sub-directory. I assume sub-
> directory is allowed for those who use multisite in a sub-directory mode?
>
> We are on CentOs 7 with cPanel and LiteSpeed Web Server.
>
> Thanks
New description:
Using the latest version of WordPress. Noticed in our web logs that /wp-
login.php is accessible from sub-directories within a multisite.
Example or 1 site in our multisite - Normal URL:
https://www.bridgestreettire.com/wp-login.php
Unfortunately wp-login.php is accessible via any sub-directory i.e.
bridgestreettire.com/***/wp-login.pho where *** can be replaced with any
text.
Example, all of these work:
https://www.bridgestreettire.com/welcome/wp-login.php
https://www.bridgestreettire.com/admin/wp-login.php
https://www.bridgestreettire.com/test/wp-login.php
https://www.bridgestreettire.com/home/wp-login.php
To protect our websites, we locked down wp-login.php to our IP address, so
you may see an error if you try to pull up any of those url's.
This goes the same for all other domains in our WordPress multisite. I
assume the .htaccess file needs to be tweaked to only allow access to wp-
login.php from the parent domain, and not a sub-directory. I assume sub-
directory is allowed for those who use multisite in a sub-directory mode?
We are on CentOs 7 with cPanel and LiteSpeed Web Server.
Thanks
--
Comment:
Hi @ridinhighspeeds, welcome to WordPress Trac!
Thanks for the report, we're already tracking this issue in #17376.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/48182#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list