[wp-trac] [WordPress Trac] #48182: wp-admin accessible from sub-directory on multisite
WordPress Trac
noreply at wordpress.org
Mon Sep 30 12:59:18 UTC 2019
#48182: wp-admin accessible from sub-directory on multisite
-----------------------------+-----------------------------
Reporter: ridinhighspeeds | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Administration | Version: 5.2.3
Severity: normal | Keywords:
Focuses: multisite |
-----------------------------+-----------------------------
Using the latest version of WordPress. Noticed in our web logs that /wp-
login.php is accessible from sub-directories within a multisite.
Example or 1 site in our multisite - Normal URL:
https://www.bridgestreettire.com/wp-login.php
Unfortunately wp-login.php is accessible via any sub-directory i.e.
bridgestreettire.com/***/wp-login.pho where *** can be replaced with any
text.
Example, all of these work:
https://www.bridgestreettire.com/welcome/wp-login.php
https://www.bridgestreettire.com/admin/wp-login.php
https://www.bridgestreettire.com/test/wp-login.php
https://www.bridgestreettire.com/home/wp-login.php
To protect our websites, we locked down wp-login.php to our IP address, so
you may see an error if you try to pull up any of those url's.
This goes the same for all other domains in our Wordpress multisite. I
assume the .htaccess file needs to be tweaked to only allow access to wp-
login.php from the parent domain, and not a sub-directory. I assume sub-
directory is allowed for those who use multisite in a sub-directory mode?
We are on CentOs 7 with cPanel and LiteSpeed Web Server.
Thanks
--
Ticket URL: <https://core.trac.wordpress.org/ticket/48182>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list