Blocking /wp-login.php and setting a custom URL for admin (back end) login

Hi!

I had many issues when forcing https on my back end, so Michael Bissett (WPMU staff) had to set the plugin Lockdown WP Admin in a way that it wouldn't do anything (it seems this plugin was causing my https problems). That being said, I'm now trying to figure out a way to have /wp-login.php return a page not found error and to set up a custom slug for the admin (back end) login, which was precisely what Lockdown WP Admin was doing, but, obviously, I want to do so and still be able to have https on my back end.

Thanks.

  • Wheel of Commerce

    Hi, Michelle! Thanks for answering.

    Now this is really weird: I've tested it again and I'm now able to use Lockdown WP Admin with https, as long as the admin login slug isn't /super-admin. I've noticed another curious thing as well: /wp-admin and /wp-login.php can be blocked with the plugin, and they do redirect to a 404 error page, but these pages are in http, not https. Not sure if this is an issue of some sorts, or if it's an indication that https isn't actually being forced on all of my site.

    I took a look into this plugin you mentioned, but as it seems its objective is to override several slugs, including the ones for registration and regular login, I thought it was best to not mess with it before talking to one of you guys, given the fact that my whole https issue was caused by this sort of thing in the first place.

    Right now I have both plugins installed, but neither are active, so you can dig in and test things if you think it's necessary.

    Thanks again. :slight_smile:

  • Wheel of Commerce

    Oh, the issue isn't actually the slug, as I can set it to anything if one of the ones I try gives me an issue. What I'm really wondering about is the absence of https on the 404 pages. Like I've said: "/wp-admin and /wp-login.php can be blocked with the plugin, and they do redirect to a 404 error page, but these pages are in http, not https. Not sure if this is an issue of some sorts, or if it's an indication that https isn't actually being forced on all of my site." So, is this an issue?

    Thanks again. :slight_smile:

  • Wheel of Commerce

    Jude told me he was going to update this thread with code for an mu-plugin that redirects /wp-admin and /wp-login.php to a 404 page, I guess he forgot or something. Anyway, the first code he gave me is below, and it was returning me an error:

    <?php
    
    /*
    Plugin Name: Admin Redirect
    Description: Code to force non admin users to redirect out of wp-admin
    Author: WPMU DEV
    */
    
    add_action( 'admin_init', 'redirect_non_admin_users' );
    
    function redirect_non_admin_users() {
        // Send users without the manage_options capability out of wp-admin,
        // but leave admin-ajax.php alone so front-end AJAX keeps working.
        if ( ! current_user_can( 'manage_options' ) && '/wp-admin/admin-ajax.php' != $_SERVER['PHP_SELF'] ) {
            wp_redirect( home_url() );
            exit;
        }
    }

    Thanks.

  • Wheel of Commerce

    Now /wp-admin redirects to the home page and /wp-login.php is still being displayed. /login is back to normal though.

    Maybe it's easier to use a plugin for that? I've tried Lockdown WP Admin, but it presents similar problems to the code you gave me for the mu-plugin. I also came across the following plugin, but I don't think it can achieve exactly what I'm trying to do here:
    https://wordpress.org/plugins/hidden-wp-admin/

    Thanks once more. :slight_smile:

  • Wheel of Commerce

    Hi, man, and thanks again. :slight_smile:

    Now it's back to the way it was before: /wp-admin is in fact redirecting to a 404 page, even though after refreshing the page a few times, it redirects to /login with the 404 message displaying, and the same occurs on my regular login page at /login. /wp-login.php is showing with https on it.

    I then talked to Jose during a live chat and he told me to use the following code:

    <?php
    /*
    Plugin Name: Admin Redirect
    Description: Code to force non admin users to redirect out of wp-admin
    Author: WPMU DEV
    */
    
    add_action( 'wp', 'force_404' );
    
    function force_404() {
        // Note: $_SERVER["HTTP_HOST"] holds only the host name (no "http://" or
        // "https://"), so host . uri is "wheelofcommerce.com/wp-login.php" and
        // none of the scheme-prefixed strings below can ever match.
        if ( $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"] == 'http://wheelofcommerce.com/wp-login.php'
        || $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"] == 'http://wheelofcommerce.com/wp-register.php'
        || $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"] == 'http://wheelofcommerce.com/wp-admin.php'
        || $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"] == 'https://wheelofcommerce.com/wp-login.php'
        || $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"] == 'https://wheelofcommerce.com/wp-register.php'
        || $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"] == 'https://wheelofcommerce.com/wp-admin.php' ) {
    
            // The redirect codebase
            status_header( 404 );
            nocache_headers();
            include( get_query_template( '404' ) );
            die();
        }
    }

    That also didn't work: now /wp-admin redirects to /login (which is fine), but /wp-login.php is still being displayed. Not sure if it's worth mentioning, but Michelle told me /login is taking its data from index.php, and she said she had no idea why. /login is generated by the plugin Theme My Login.

    Thanks once more.

  • Jose

    Hi Gabriel,

    I modified the mu-plugin in your site and it is working as you need.
    This is how the plugin looks now:

    add_action( 'init', 'force_404', 1 );
    
    function force_404() {
        $requested_uri = $_SERVER["REQUEST_URI"];
    
        if (  strpos( $requested_uri, '/wp-login.php') !== false ) {
            // The redirect codebase
            status_header( 404 );
            nocache_headers();
            include( get_query_template( '404' ) );
            die();
        }
    
        if (  strpos( $requested_uri, '/wp-login.php') !== false || strpos( $requested_uri, '/wp-register.php') !== false ) {
            // The redirect codebase
            status_header( 404 );
            nocache_headers();
            include( get_query_template( '404' ) );
            die();
        }
    
        if (  strpos( $requested_uri, '/wp-admin') !== false && !is_super_admin() ) {
            // The redirect codebase
            status_header( 404 );
            nocache_headers();
            include( get_query_template( '404' ) );
            die();
        }
    }

    You should note that /wp-admin is blocked for everyone except superadmins. Otherwise, you don't have a way to manage your network.

    Please try to not add new plugins or change code related to redirections. We have gone far beyond our scope with these customizations. For further changes you will need to hire a dev. WP is not designed to work as you are trying, hence it is prone to error and it needs someone focused full-time to keep it working smoothly.

    Hope this works as you expect now.

    Cheers,
    Jose
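The mu-plugin above matches `/wp-login.php` and `/wp-admin` as substrings of the full request URI, so it also fires on `/wp-admin/admin-ajax.php` for non-super-admins. The following is an added example, not Jose's plugin or the site's code: it keeps the same 404-from-`init` approach but matches the path component exactly, exempts `admin-ajax.php`, and keeps the decision in a plain function so it can be tested outside WordPress. It assumes WordPress is installed at the domain root; `lockdown_should_404` and `lockdown_force_404` are hypothetical names.

```php
<?php
/*
Plugin Name: Admin Path Lockdown (added example)
Description: Answer /wp-login.php, /wp-register.php and /wp-admin with a real
             404 for everyone except super admins; admin-ajax.php stays open.
*/

// Pure decision function: $path is the request path only (no query string),
// $is_super_admin is passed in so this can be exercised without WordPress.
function lockdown_should_404( $path, $is_super_admin ) {
    $path = '/' . ltrim( (string) $path, '/' );

    // Exact matches, not substring matches: a front-end page such as
    // /notes-on-wp-login.php must not trip the rule.
    if ( in_array( $path, array( '/wp-login.php', '/wp-register.php' ), true ) ) {
        return true;
    }

    // /wp-admin and everything under it is reserved for super admins.
    if ( $path === '/wp-admin' || strpos( $path, '/wp-admin/' ) === 0 ) {
        // admin-ajax.php is used by front-end plugins for logged-in users,
        // so blocking it breaks the site for ordinary members.
        if ( $path === '/wp-admin/admin-ajax.php' ) {
            return false;
        }
        return ! $is_super_admin;
    }

    return false;
}

// Hook early on init, as the thread's plugin does; the user is known by then.
function lockdown_force_404() {
    $path = wp_parse_url( $_SERVER['REQUEST_URI'], PHP_URL_PATH );
    if ( lockdown_should_404( $path, is_super_admin() ) ) {
        status_header( 404 );
        nocache_headers();
        include( get_query_template( '404' ) );
        exit;
    }
}
add_action( 'init', 'lockdown_force_404', 1 );
```

Because only the path is compared, a query string such as `/wp-login.php?action=lostpassword` is still blocked, and the 404 is served under whatever scheme (http or https) the request arrived on.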

  • Wheel of Commerce

    Hi, man! Thank you very much for helping with this, the plugin is working perfectly. I didn't think it would require that much work, as I was told it was something rather simple.

    "WP is not designed to work as you are trying, hence it is prone to error and it needs someone focused fulltime to keep it working smoothly."
    What exactly do you mean by that? Are you referring specifically to this single redirection issue, or to the way I'm building the site as a whole? It got me wondering, since all the issues my site had are now fixed.

    Just to confirm that everything is indeed OK regarding this matter: the code I've found in my site has a couple of extra lines at the end, when comparing to the code you mentioned.

    <?php
    /*
    Plugin Name: Admin Redirect
    Description: Code to force non admin users to redirect out of wp-admin
    Author: WPMU DEV
    */
    
    //add_action( 'wp', 'force_404', 1 );
    add_action( 'init', 'force_404', 1 );
    
    function force_404() {
        $requested_uri = $_SERVER["REQUEST_URI"];
        do_action('debugger_var_dump', $requested_uri, '$requested_uri', 0, 0);
        do_action('debugger_var_dump', strpos( $requested_uri, '/wp-login.php'), 'FOUND?', 0, 0);
    
        if (  strpos( $requested_uri, '/wp-login.php') !== false ) {
    
            do_action('debugger_var_dump', 'REDIRECT', 'REDIRECT', 0, 0);
            // The redirect codebase
            status_header( 404 );
            nocache_headers();
            include( get_query_template( '404' ) );
            die();
        }
    
        if (  strpos( $requested_uri, '/wp-login.php') !== false || strpos( $requested_uri, '/wp-register.php') !== false ) {
    
            do_action('debugger_var_dump', 'REDIRECT', 'REDIRECT', 0, 0);
            // The redirect codebase
            status_header( 404 );
            nocache_headers();
            include( get_query_template( '404' ) );
            die();
        }
    
        if (  strpos( $requested_uri, '/wp-admin') !== false && !is_super_admin() ) {
    
            do_action('debugger_var_dump', 'REDIRECT', 'REDIRECT', 0, 0);
            // The redirect codebase
            status_header( 404 );
            nocache_headers();
            include( get_query_template( '404' ) );
            die();
        }
    
        do_action('debugger_var_dump', 'END', 'END', 0, 0);
    }

    Also: I was using a plugin called Lockdown WP Admin to set a custom slug for the wp admin login page. Instead of using /wp-admin or /wp-login.php, I was using /super-admin. Given the fact that I already have a login page that I can use to login with any type of account (super-admin, subscriber, etc.) at /login, would using this custom admin login page represent any advantage in terms of security? I mean, would it be a security issue if I use /login to login as super-admin? I'm fairly sure it's OK, but I always like to confirm this sort of thing.

    Thanks again.

  • Jose

    Hey Gabriel,

    What exactly do you mean by that? Are you referring specifically to this single redirection issue, or to the way I'm building the site as a whole?

    I'm referring to all the customizations made in order to "hide" wordpress and move some admin features to the front end.
    It is working now, but it may cause conflicts with new plugins in the future. You really need to know what you are doing in order to maintain these customizations. If you don't touch anything it should keep working though, so you are good to go.

    Just to confirm that everything is indeed OK regarding this matter: the code I've found in my site has a couple of extra lines at the end, when comparing to the code you mentioned.

    Those are just some debug lines that I used for development. You can get rid of them. If you leave them there it is ok as well. They won't have any effect.

    I mean, would it be a security issue if I use /login to login as super-admin?

    Yes, it is secure.

    Hope this clarifies things :slight_smile:

    Cheers!
    Jose

  • Wheel of Commerce

    Hi, again!

    Actually, all the front end part is handled through plugins that were created exactly for that, so it's not like I've written code for it myself. I only had issues with this aspect when trying to adapt pre-existing code to my site, since I'm obviously no coder. Anyway, a lot of big sites that are all in the front end were built using wordpress, some examples being Sony, BBC America, Renault and many, many others, so my take is that there isn't an inherent issue with that. Like you said, "as long as one knows what he's doing". Luckily for me, my guess so far is that the developers of the "front end plugins" I'm using know what they're doing, haha. :slight_smile:

    Thanks for all the help, man.

    • Jose

      Yes, I get what you say. And it is exactly what I meant.

      Sony, BBC America, Renault and many, many others, so my take is that there isn't an inherent issue with that

      They have not one developer but a whole team dedicated to the maintenance of their sites.

      Luckily for me, my guess so far is that the developers of the "front end plugins" I'm using know what they're doing

      Even when the plugin developer does a great job, which is not always the case, there are always some limitations. For instance, you can find a plugin or custom mu-plugin in a forum that has proven to work as expected, but you may find that it doesn't work on your site. Both plugins work as expected, but are not compatible because the second plugin relies on a standard url structure. That is where you need someone taking care of adjusting specific code for you.

      In a nutshell, it is something possible to do, but it will present constant challenges and will require more work than a standard install, like it already did. :slight_smile:

      Hope everything is running as expected now.

      Cheers!
      Jose
