Rename wp-login.php - Version 1.1

Version Description

  • Blocked access to wp-admin/ to prevent a redirect to the new login page.

Release Info

Developer avryl
Plugin Rename wp-login.php
Version 1.1

Code changes from version 1.0 to 1.1

Files changed (3)
  1. readme.txt +40 -17
  2. rename-wp-login.php +34 -15
  3. wp-login.php +11 -1
readme.txt CHANGED
@@ -1,42 +1,65 @@
1
  === Plugin Name ===
2
  Contributors: avryl
3
  Tags: rename, login, wp-login, wp-login.php, brute force, attacks
4
- Requires at least: 3.5
5
  Tested up to: 3.6
6
  Stable tag: trunk
7
  License: GPLv2 or later
8
  License URI: http://www.gnu.org/licenses/gpl-2.0.html
9
 
10
- Rename wp-login, and block it to prevent brute force attacks.
11
 
12
  == Description ==
13
 
14
- This plugin renames `wp-login.php` to whatever you want. The default is `login` if no such page already exists. Otherwise it will append a number, e.g. `login-1`. You can change this option under ‘Settings’ › ‘Permalinks’ › ‘Login’.
15
 
16
- What are the benefits? Not only does it allow you to further customise your login page, it also prevents brute force attacks that are targeted specifically to the standard `wp-login.php`. `wp-login.php` will be blocked and returns a 404 status.
 
 
17
 
18
- If you’re using a page caching plugin like **W3 Total Cache** or **WP Super Cache**, add the word you rename `wp-login.php` to (e.g. `login`) to the list of pages not to cache. For W3 Total Cache go to ‘Performance’ › ‘Page Cache’ › ‘Advanced’ › ‘Never cache the following pages’, add your new login page on a new line and save all settings. For WP Super Cache go to ‘Settings’ › ‘WP Super Cache’ › ‘Advanced’ › ‘Accepted Filenames & Rejected URIs’, add your new login page on a new line and save.
19
 
20
- This plugin works with plugins that customise or hook into the standard login screen. It’s not yet tested on installs that force SSL or use the multisite feature.
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
21
 
22
  == Installation ==
23
 
24
- 1. Go to PluginsAdd New’.
25
- 2. Search for Rename wp-login’.
26
  3. Look for this plugin, download and activate it.
27
- 4. The page will redirect you to the settings. Rename `wp-login.php` in the section Login’.
28
- 5. You can change this option any time you want, just go back to SettingsPermalinksLogin’.
29
 
30
- == Screenshots ==
31
 
32
- 1. This screen shot description corresponds to screenshot-1.(png|jpg|jpeg|gif). Note that the screenshot is taken from
33
- the /assets directory or the directory that contains the stable readme.txt (tags or trunk). Screenshots in the /assets
34
- directory take precedence. For example, `/assets/screenshot-1.png` would win over `/tags/4.3/screenshot-1.png`
35
- (or jpg, jpeg, gif).
36
 
37
- == Changelog ==
38
 
39
  = 1.0 =
 
40
  * Initial version.
41
 
42
- == Upgrade Notice ==
 
 
 
 
1
  === Plugin Name ===
2
  Contributors: avryl
3
  Tags: rename, login, wp-login, wp-login.php, brute force, attacks
4
+ Requires at least: 3.6
5
  Tested up to: 3.6
6
  Stable tag: trunk
7
  License: GPLv2 or later
8
  License URI: http://www.gnu.org/licenses/gpl-2.0.html
9
 
10
+ Change wp-login.php to whatever you want. It can also prevent a lot of brute force attacks.
11
 
12
  == Description ==
13
 
14
+ = What it does =
15
 
16
+ This plugin renames wp-login.php to whatever you want. The default is example.com/**login**/ if no such page already exists. Otherwise it will append a number, e.g. login-1.
17
+ You can change this under ‘Settings’ › ‘Permalinks’ › ‘Login’.
18
+ Please remember what you changed your login page to, accessing wp-login.php or wp-admin/ will not work and will return a 404 not found status.
19
 
20
+ = Compatibility =
21
 
22
+ Works with **BuddyPress**, **Limit Login Attempts** and most other plugins that customise the login page.
23
+ This plugin doesn't break the registration form, lost password form, expired sessions or any of wp-login.php’s functionality. Plugins that hook into the standard login form will keep working.
24
+ It doesn’t break `wp_login_form()`, so login forms in widgets will work too.
25
+
26
+ While it might work with earlier versions of WordPress, you should always update WordPress to the latest version.
27
+
28
+ If you’re using a **page caching plugin** like **W3 Total Cache** or **WP Super Cache**, add the word you renamed wp-login.php to (e.g. login) to the list of pages not to cache.
29
+
30
+ * For W3 Total Cache go to Performance › Page Cache › Advanced › Never cache the following pages, add your new login page on a new line and save all settings.
31
+ * For WP Super Cache go to Settings › WP Super Cache › Advanced › Accepted Filenames & Rejected URIs, add your new login page on a new line and save.
32
+
33
+ This plugin is **not** yet tested on installs that force **SSL** or use the **multisite** feature. I appreciate any help with testing this.
34
+
35
+ = Benefits =
36
+
37
+ Not only does it allow you to further customise your login page, it also prevents brute force attacks that are targeted specifically to wp-login.php. wp-login.php will return a 404 not found status code and wp-admin as well if you’re not logged in as it would otherwise reveal the location of your new login page.
38
+
39
+ I made this plugin primarily because a client’s host blocked wp-login.php with an annoying Captcha. On some bigger websites Limit Login Atttempts also showed us that a lot of bots were trying to gain access through wp-login.php.
40
+
41
+ While you could use this plugin to prevent a lot of brute force attacks, it does not mean you don't need a strong password. Read [this codex article](http://codex.wordpress.org/Brute_Force_Attacks) for more information on how to protect your website.
42
 
43
  == Installation ==
44
 
45
+ 1. Go to Plugins › Add New.
46
+ 2. Search for *Rename wp-login*.
47
  3. Look for this plugin, download and activate it.
48
+ 4. The page will redirect you to the settings. Rename wp-login.php in the section Login.
49
+ 5. You can change this option any time you want, just go back to Settings › Permalinks › Login.
50
 
51
+ == Changelog ==
52
 
53
+ = 1.1 =
 
 
 
54
 
55
+ * Blocked access to wp-admin/ to prevent a redirect the the new login page.
56
 
57
  = 1.0 =
58
+
59
  * Initial version.
60
 
61
+ == Upgrade Notice ==
62
+
63
+ = 1.1 =
64
+
65
+ * Always immediately update this plugin please!
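Review bot: The rewritten Description (new lines 16-18 and 37) states that wp-admin/ "will not work and will return a 404 not found status", but never mentions the settings checkbox this release adds in rename-wp-login.php, "Redirect wp-admin/ to new login page (not recommended)". Add a line under "What it does" or "Benefits" that documents the option and why it is not recommended; the Benefits paragraph already gives the reason, that a redirect reveals the location of the new login page. The 1.1 Upgrade Notice (new line 65) should say what changes for existing users, namely that wp-admin/ now returns 404 when logged out, instead of only "Always immediately update this plugin please!". The changelog entry at new line 55 has a typo: "redirect the the" should read "redirect to the".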
rename-wp-login.php CHANGED
@@ -2,10 +2,10 @@
2
  /*
3
  Plugin Name: Rename wp-login
4
  Plugin URI: http://wordpress.org/plugins/rename-wp-login/
5
- Description: Rename wp-login, and block it to prevent brute force attacks.
6
  Author: avryl
7
  Author URI: http://profiles.wordpress.org/avryl/
8
- Version: 1.0
9
  Text Domain: rename-wp-login
10
  License: GPLv2 or later
11
  License URI: http://www.gnu.org/licenses/gpl-2.0.html
@@ -14,15 +14,21 @@ License URI: http://www.gnu.org/licenses/gpl-2.0.html
14
  register_uninstall_hook(__FILE__, 'rwl_uninstall');
15
  function rwl_uninstall() {
16
  delete_option('rwl_page');
 
17
  }
18
 
19
  register_activation_hook(__FILE__, 'rwl_activation');
20
  function rwl_activation() {
21
  add_option('rwl_redirect', '1');
 
 
22
  }
23
 
24
- add_action('init', 'rwl_init');
25
- function rwl_init() {
 
 
 
26
  if (!get_option('rwl_page') || get_option('rwl_page') == '') {
27
  update_option('rwl_page', wp_unique_post_slug('login', 0, 'publish', 'page', 0));
28
  }
@@ -30,19 +36,24 @@ function rwl_init() {
30
 
31
  add_action('login_init', 'rwl_login_init');
32
  function rwl_login_init() {
33
- global $wp_query, $post;
34
  if (!$post) {
35
- status_header(404);
36
- $wp_query->set_404();
37
- if (file_exists(TEMPLATEPATH . '/404.php')) {
38
- require_once(TEMPLATEPATH . '/404.php');
39
- } else {
40
- require_once(TEMPLATEPATH . '/index.php');
41
- }
42
- exit;
43
  }
44
  }
45
 
 
 
 
 
 
 
 
 
 
 
 
 
46
  add_action('wp', 'rwl_wp');
47
  function rwl_wp() {
48
  global $wp_query, $post, $wp;
@@ -67,8 +78,12 @@ add_action('admin_init', 'rwl_admin_init');
67
  function rwl_admin_init() {
68
  add_settings_section('rename-wp-login-section', 'Login', '__return_false', 'permalink');
69
  add_settings_field('rwl-page', '<label for="rwl-page-input">Rename wp-login.php</label>', 'rwl_page', 'permalink', 'rename-wp-login-section');
70
- if (!empty($_POST['rwl_page'])) {
71
- update_option('rwl_page', wp_unique_post_slug($_POST['rwl_page'], 0, 'publish', 'page', 0));
 
 
 
 
72
  }
73
  if (get_option('rwl_redirect') == '1') {
74
  delete_option('rwl_redirect');
@@ -80,6 +95,10 @@ function rwl_page() {
80
  echo '<code>' . site_url() . '/</code> <input id="rwl-page-input" type="text" name="rwl_page" value="' . get_option('rwl_page') . '" /> <code>/</code>';
81
  }
82
 
 
 
 
 
83
  add_filter('plugin_action_links_' . plugin_basename(__FILE__), 'rwl_plugin_action_links');
84
  function rwl_plugin_action_links($links) {
85
  array_unshift($links, '<a href="options-permalink.php#rwl-page-input">Settings</a>');
2
  /*
3
  Plugin Name: Rename wp-login
4
  Plugin URI: http://wordpress.org/plugins/rename-wp-login/
5
+ Description: Change wp-login.php to whatever you want. It can also prevent a lot of brute force attacks.
6
  Author: avryl
7
  Author URI: http://profiles.wordpress.org/avryl/
8
+ Version: 1.1
9
  Text Domain: rename-wp-login
10
  License: GPLv2 or later
11
  License URI: http://www.gnu.org/licenses/gpl-2.0.html
14
  register_uninstall_hook(__FILE__, 'rwl_uninstall');
15
  function rwl_uninstall() {
16
  delete_option('rwl_page');
17
+ delete_option('rwl_admin');
18
  }
19
 
20
  register_activation_hook(__FILE__, 'rwl_activation');
21
  function rwl_activation() {
22
  add_option('rwl_redirect', '1');
23
+ add_option('rwl_admin', '0');
24
+ add_option('rwl_page', wp_unique_post_slug('login', 0, 'publish', 'page', 0));
25
  }
26
 
27
+ add_action('wp_loaded', 'rwl_wp_loaded');
28
+ function rwl_wp_loaded() {
29
+ if (is_admin() && !is_user_logged_in() && !defined('DOING_AJAX') && get_option('rwl_admin') != '1') {
30
+ rwl_return_404();
31
+ }
32
  if (!get_option('rwl_page') || get_option('rwl_page') == '') {
33
  update_option('rwl_page', wp_unique_post_slug('login', 0, 'publish', 'page', 0));
34
  }
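Review bot: The condition at new line 29 is missing an exemption for admin-post.php. is_admin() is true for that script and DOING_AJAX is only defined by admin-ajax.php, so logged-out form submissions that depend on admin_post_nopriv_ handlers will now receive the 404 from rwl_return_404(). Check the requested script explicitly, for example by comparing the global $pagenow against 'admin-post.php', before blocking. Two smaller points in the same hunk: the fallback at new lines 32-34 still calls get_option('rwl_page') twice on every request although rwl_activation() now seeds the option, and rwl_uninstall() deletes rwl_page and rwl_admin but leaves rwl_redirect behind if the settings page was never opened.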
36
 
37
  add_action('login_init', 'rwl_login_init');
38
  function rwl_login_init() {
39
+ global $post;
40
  if (!$post) {
41
+ rwl_return_404();
 
 
 
 
 
 
 
42
  }
43
  }
44
 
45
+ function rwl_return_404() {
46
+ global $wp_query;
47
+ status_header(404);
48
+ $wp_query->set_404();
49
+ if (file_exists(TEMPLATEPATH . '/404.php')) {
50
+ require_once(TEMPLATEPATH . '/404.php');
51
+ } else {
52
+ require_once(TEMPLATEPATH . '/index.php');
53
+ }
54
+ exit;
55
+ }
56
+
57
  add_action('wp', 'rwl_wp');
58
  function rwl_wp() {
59
  global $wp_query, $post, $wp;
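Review bot: rwl_return_404() at new lines 45-55 loads its template through TEMPLATEPATH, which points at the parent theme, so a child theme's 404.php is ignored and index.php is required without checking that it exists. Use get_404_template(), falling back to get_index_template(), so the normal template hierarchy applies. Because this response now also covers wp-admin/, call nocache_headers() before status_header(404) so a page cache does not store the 404 for the admin or login URLs; the readme already warns about caching plugins. The function should also carry a short docblock stating that it ends the request with exit.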
78
  function rwl_admin_init() {
79
  add_settings_section('rename-wp-login-section', 'Login', '__return_false', 'permalink');
80
  add_settings_field('rwl-page', '<label for="rwl-page-input">Rename wp-login.php</label>', 'rwl_page', 'permalink', 'rename-wp-login-section');
81
+ add_settings_field('rwl-admin', '<label for="rwl-admin-input">Redirect wp-admin/ to new login page (not recommended)</label>', 'rwl_admin', 'permalink', 'rename-wp-login-section');
82
+ if ($_SERVER['REQUEST_METHOD'] == 'POST') {
83
+ if (!empty($_POST['rwl_page'])) {
84
+ update_option('rwl_page', wp_unique_post_slug($_POST['rwl_page'], 0, 'publish', 'page', 0));
85
+ }
86
+ update_option('rwl_admin', isset($_POST['rwl_admin']) ? $_POST['rwl_admin'] : '0');
87
  }
88
  if (get_option('rwl_redirect') == '1') {
89
  delete_option('rwl_redirect');
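Review bot: The POST branch at new lines 82-87 is missing authorization and origin checks. admin_init runs on every admin request, so any POST that reaches it rewrites rwl_page when that field is present and resets rwl_admin to '0' when it is absent, whether or not the request came from the permalink settings form. Gate both update_option() calls on current_user_can('manage_options') and verify the permalink form's nonce with check_admin_referer() before touching either option. Both values are also stored straight from $_POST: pass rwl_page through sanitize_title_with_dashes() before wp_unique_post_slug(), and store rwl_admin as a fixed '1' or '0' rather than the submitted string.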
95
  echo '<code>' . site_url() . '/</code> <input id="rwl-page-input" type="text" name="rwl_page" value="' . get_option('rwl_page') . '" /> <code>/</code>';
96
  }
97
 
98
+ function rwl_admin() {
99
+ echo '<input id="rwl-admin-input" type="checkbox" name="rwl_admin" value="1" ' . checked(get_option('rwl_admin'), true, false) . ' />';
100
+ }
101
+
102
  add_filter('plugin_action_links_' . plugin_basename(__FILE__), 'rwl_plugin_action_links');
103
  function rwl_plugin_action_links($links) {
104
  array_unshift($links, '<a href="options-permalink.php#rwl-page-input">Settings</a>');
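Review bot: rwl_page() at new line 95 echoes get_option('rwl_page') into the value attribute without escaping, and that option is written from $_POST in rwl_admin_init(); wrap it in esc_attr() and the site_url() output in esc_url(). In the new rwl_admin() at line 99, checked() is given the boolean true to compare against a stored string; compare against '1' so the intent matches what rwl_activation() and the checkbox's value="1" actually store.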
wp-login.php CHANGED
@@ -1,4 +1,14 @@
1
  <?php
 
 
 
 
 
 
 
 
 
 
2
 
3
  // Redirect to https login if forced to use SSL
4
  if ( force_ssl_admin() && ! is_ssl() ) {
@@ -738,7 +748,7 @@ d.select();
738
  }, 200);
739
  }
740
 
741
- <?php $error = ''; if ( !$error ) { ?>
742
  wp_attempt_focus();
743
  <?php } ?>
744
  if(typeof wpOnload=='function')wpOnload();
1
  <?php
2
+ /**
3
+ * WordPress User Page
4
+ *
5
+ * Handles authentication, registering, resetting passwords, forgot password,
6
+ * and other user handling.
7
+ *
8
+ * @package WordPress
9
+ */
10
+
11
+ global $error, $interim_login, $current_site, $action;
12
 
13
  // Redirect to https login if forced to use SSL
14
  if ( force_ssl_admin() && ! is_ssl() ) {
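Review bot: The header added at new lines 2-9 is core's own docblock ("@package WordPress") and says nothing about this file being the plugin's modified copy of wp-login.php. Document here which WordPress version the file was copied from and what was changed (the global declaration at line 11 and the $error handling near line 751), because a bundled copy does not pick up later core changes to the login handler and has to be re-synced by hand on each WordPress release. A one-line comment explaining why $error, $interim_login, $current_site and $action must be declared global at the top would also help the next maintainer.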
748
  }, 200);
749
  }
750
 
751
+ <?php if ( !$error ) { ?>
752
  wp_attempt_focus();
753
  <?php } ?>
754
  if(typeof wpOnload=='function')wpOnload();