Rename wp-login.php - Version 1.6

Version Description

Fixed the login link when site_url() home_url().
Added a mirror on GitHub.

Release Info

Developer	avryl
Plugin	Rename wp-login.php
Version	1.6
Comparing to
See all releases

Code changes from version 1.5 to 1.6

Files changed (5) hide show

index.php +3 -1
readme.md +102 -0
readme.txt +27 -15
rename-wp-login.php +10 -5
wp-login.php +10 -10

index.php CHANGED Viewed

	@@ -1 +1,3 @@
1	- <?php ~~// Silence is golden.~~


1	+ <?php
2	+
3	+ // Silence is golden.

readme.md ADDED Viewed

	@@ -0,0 +1,102 @@


1	+ # Rename wp-login.php
2	+
3	+ Contributors: avryl
4	+ Tags: rename, login, wp-login, wp-login.php, brute force, attacks
5	+ Requires at least: 3.6
6	+ Tested up to: 3.6.1
7	+ Stable tag: 1.6
8	+ License: GPLv2 or later
9	+ License URI: http://www.gnu.org/licenses/gpl-2.0.html
10	+
11	+ Change wp-login.php to whatever you want. It can also prevent a lot of brute force attacks.
12	+
13	+ ## Description
14	+
15	+ With this plugin you can change wp-login.php to anything you want. The default is example.com/login/, and you can change this under Settings › Permalinks › Login.
16	+ Please bookmark or remember your login url, accessing wp-login.php or wp-admin will return a 404 not found status.
17	+
18	+ ### Compatibility
19	+
20	+ Works perfectly on WordPress 3.6 or higher. The registration form, lost password form, login widget and expired sessions will keep working.
21	+
22	+ Compatible with plugins like:
23	+
24	+ * BuddyPress,
25	+ * Limit Login Attempts,
26	+ * User Switching,
27	+ * and any other plugin that hooks into the standard login form.
28	+
29	+ It does’t work with plugins that hardcoded wp-login.php, obviously.
30	+ You also must have pretty, or almost pretty, permalinks enabled.
31	+
32	+ If you’re using a page caching plugin like W3 Total Cache or WP Super Cache, add the word you renamed wp-login.php to (e.g. login) to the list of pages not to cache.
33	+
34	+ * For W3 Total Cache go to Performance › Page Cache › Advanced › Never cache the following pages, add your new login page on a new line and save all settings.
35	+ * For WP Super Cache go to Settings › WP Super Cache › Advanced › Accepted Filenames & Rejected URIs, add your new login page on a new line and save.
36	+
37	+ This plugin is not yet tested on installs that force SSL or use the multisite feature. I would appreciate any help with testing this.
38	+
39	+ ### Benefits
40	+
41	+ Not only does it allow you to further customise your login page, it also prevents brute force attacks that are targeted specifically to wp-login.php. wp-login.php, and wp-admin if not logged in, will return a 404 not found status.
42	+
43	+ While you could use this plugin to prevent a lot of brute force attacks, it does not mean you don’t need a strong password. Read [this codex article](http://codex.wordpress.org/Brute_Force_Attacks) for more information on how to protect your website.
44	+
45	+ If you want to keep your login url secret, you should make sure there aren’t any links pointing to it on your website.
46	+
47	+ ### GitHub
48	+
49	+ This plugin has a [mirror](https://github.com/avryl/rename-wp-login) on GitHub.
50	+
51	+ ## Installation
52	+
53	+ 1. Go to Plugins › Add New.
54	+ 2. Search for Rename wp-login.php.
55	+ 3. Look for this plugin, download and activate it.
56	+ 4. The page will redirect you to the settings. Rename wp-login.php in the section Login.
57	+ 5. You can change this option any time you want, just go back to Settings › Permalinks › Login.
58	+
59	+ ## Frequently Asked Questions
60	+
61	+ ### I forgot my login url!
62	+
63	+ Either go to your MySQL database and look for the value of `rwl_page` in the options table, or remove the `rename-wp-login` folder from your `plugins` folder, log in through wp-login.php and reinstall the plugin.
64	+
65	+ ## Changelog
66	+
67	+ ### 1.6
68	+
69	+ * Fixed the login link when `site_url()` ≠ `home_url()`.
70	+ * Added a [mirror](https://github.com/avryl/rename-wp-login) on GitHub.
71	+
72	+ ### 1.5
73	+
74	+ * Made [User Switching](http://wordpress.org/plugins/user-switching/) compatible.
75	+
76	+ ### 1.4
77	+
78	+ * Faster page load.
79	+ * Fixed 404 error for permalink structures with a prefixed path. “Almost pretty” permalinks work now too.
80	+ * Code clean-up.
81	+
82	+ ### 1.3
83	+
84	+ * Prevents the plugin from working when there is no permalink structure.
85	+
86	+ ### 1.2
87	+
88	+ * Fixed status code custom login page.
89	+
90	+ ### 1.1
91	+
92	+ * Blocked access to wp-admin to prevent a redirect the the new login page.
93	+
94	+ ### 1.0
95	+
96	+ * Initial version.
97	+
98	+ ## Upgrade Notice
99	+
100	+ ### 1.6
101	+
102	+ Always immediately update this plugin please!

readme.txt CHANGED Viewed

	@@ -3,8 +3,8 @@
3	Contributors: avryl
4	Tags: rename, login, wp-login, wp-login.php, brute force, attacks
5	Requires at least: 3.6
6	- Tested up to: 3.6
7	- Stable tag: 1.5
8	License: GPLv2 or later
9	License URI: http://www.gnu.org/licenses/gpl-2.0.html
10
	@@ -12,19 +12,22 @@ Change wp-login.php to whatever you want. It can also prevent a lot of brute for
12
13	== Description ==
14
15	- = ~~What~~ it ~~does~~ =
16	-
17	- This plugin renames wp-login.php to whatever you want. The default is example.com/login/ if no such page already exists. Otherwise it will append a number, e.g. login-1.
18	- You can change this under Settings › Permalinks › Login.
19	- Please remember what you changed your login page to, accessing wp-login.php or wp-admin will not work and will return a 404 not found status.
20
21	= Compatibility =
22
23	- Works ~~with~~ BuddyPress, Limit ~~Login~~ Attempts ~~and~~ ~~most~~ ~~other~~ ~~plugins~~ ~~that~~ ~~customise~~ ~~the~~ login ~~page~~.
24	- ~~This plugin doesn’t break the registration form, lost password form, expired sessions or any of wp-login.php’s functionality. Plugins that hook into the standard login form will keep working.~~
25	- It ~~doesn’t~~ ~~break~~ ~~`wp_login_form()`, so the login widget will work too.~~





26
27	- ~~While~~ it ~~might~~ work with ~~earlier~~ ~~versions~~ of ~~WordPress~~, ~~you should always update WordPress to the latest version~~.

28
29	If you’re using a page caching plugin like W3 Total Cache or WP Super Cache, add the word you renamed wp-login.php to (e.g. login) to the list of pages not to cache.
30
	@@ -35,12 +38,16 @@ This plugin is not yet tested on installs that force SSL or use the **mu
35
36	= Benefits =
37
38	- Not only does it allow you to further customise your login page, it also prevents brute force attacks that are targeted specifically to wp-login.php. wp-login.php ~~will return a 404 not found status code~~, and wp-admin ~~as well~~ if ~~you’re~~ not logged in, as it ~~would~~ ~~otherwise~~ ~~reveal~~ ~~the~~ ~~location of your new login page~~.
39	-
40	- I made this plugin primarily because a client’s host blocked wp-login.php with an annoying Captcha. On some bigger websites Limit Login Atttempts also showed us that a lot of bots were trying to gain access through wp-login.php.
41
42	While you could use this plugin to prevent a lot of brute force attacks, it does not mean you don’t need a strong password. Read [this codex article](http://codex.wordpress.org/Brute_Force_Attacks) for more information on how to protect your website.
43






44	== Installation ==
45
46	1. Go to Plugins › Add New.
	@@ -57,6 +64,11 @@ Either go to your MySQL database and look for the value of `rwl_page` in the opt
57
58	== Changelog ==
59





60	= 1.5 =
61
62	* Made [User Switching](http://wordpress.org/plugins/user-switching/) compatible.
	@@ -85,6 +97,6 @@ Either go to your MySQL database and look for the value of `rwl_page` in the opt
85
86	== Upgrade Notice ==
87
88	- = 1.5 =
89
90	Always immediately update this plugin please!


3	Contributors: avryl
4	Tags: rename, login, wp-login, wp-login.php, brute force, attacks
5	Requires at least: 3.6
6	+ Tested up to: 3.6.1
7	+ Stable tag: 1.6
8	License: GPLv2 or later
9	License URI: http://www.gnu.org/licenses/gpl-2.0.html
10

12
13	== Description ==
14
15	+ With this plugin you can change wp-login.php to anything you want. The default is example.com/login/, and you can change this under Settings › Permalinks › Login.
16	+ Please bookmark or remember your login url, accessing wp-login.php or wp-admin will return a 404 not found status.



17
18	= Compatibility =
19
20	+ Works perfectly on WordPress 3.6 or higher. The registration form, lost password form, login widget and expired sessions will keep working.
21	+
22	+ Compatible with plugins like:
23	+
24	+ * BuddyPress,
25	+ * Limit Login Attempts,
26	+ * User Switching,
27	+ * and any other plugin that hooks into the standard login form.
28
29	+ It does’t work with plugins that hardcoded wp-login.php, obviously.
30	+ You also must have pretty, or almost pretty, permalinks enabled.
31
32	If you’re using a page caching plugin like W3 Total Cache or WP Super Cache, add the word you renamed wp-login.php to (e.g. login) to the list of pages not to cache.
33

38
39	= Benefits =
40
41	+ Not only does it allow you to further customise your login page, it also prevents brute force attacks that are targeted specifically to wp-login.php. wp-login.php, and wp-admin if not logged in, will return a 404 not found status.


42
43	While you could use this plugin to prevent a lot of brute force attacks, it does not mean you don’t need a strong password. Read [this codex article](http://codex.wordpress.org/Brute_Force_Attacks) for more information on how to protect your website.
44
45	+ If you want to keep your login url secret, you should make sure there aren’t any links pointing to it on your website.
46	+
47	+ = GitHub =
48	+
49	+ This plugin has a [mirror](https://github.com/avryl/rename-wp-login) on GitHub.
50	+
51	== Installation ==
52
53	1. Go to Plugins › Add New.

64
65	== Changelog ==
66
67	+ = 1.6 =
68	+
69	+ * Fixed the login link when `site_url()` ≠ `home_url()`.
70	+ * Added a [mirror](https://github.com/avryl/rename-wp-login) on GitHub.
71	+
72	= 1.5 =
73
74	* Made [User Switching](http://wordpress.org/plugins/user-switching/) compatible.

97
98	== Upgrade Notice ==
99
100	+ = 1.6 =
101
102	Always immediately update this plugin please!

rename-wp-login.php CHANGED Viewed

	@@ -6,7 +6,7 @@ Plugin URI: http://wordpress.org/plugins/rename-wp-login/
6	Description: Change wp-login.php to whatever you want. It can also prevent a lot of brute force attacks.
7	Author: avryl
8	Author URI: http://profiles.wordpress.org/avryl/
9	- Version: 1.5
10	Text Domain: rename-wp-login
11	License: GPLv2 or later
12	License URI: http://www.gnu.org/licenses/gpl-2.0.html
	@@ -51,6 +51,7 @@ function rwl_admin_init() {
51	}
52
53	update_option( 'rwl_admin', isset( $_POST['rwl_admin'] ) ? $_POST['rwl_admin'] : '0' );

54	}
55
56	if ( get_option( 'rwl_redirect' ) == '1' ) {
	@@ -65,7 +66,7 @@ function rwl_admin_init() {
65
66	function rwl_page() {
67
68	- echo '<code>' . ~~site_url~~() . '/</code> <input id="rwl-page-input" type="text" name="rwl_page" value="' . get_option( 'rwl_page' ) . '" /> <code>/</code>';
69
70	}
71
	@@ -83,9 +84,10 @@ function rwl_admin_notices() {
83
84	} elseif ( $_GET['settings-updated'] == true ) {
85
86	- echo '<div class="updated"><p>Your login page is now here: <a href="' . ~~site_url~~() . '/' . get_option( 'rwl_page' ) . '/">' . ~~site_url~~() . '/<strong>' . get_option( 'rwl_page' ) . '</strong>/</a>. Bookmark this page!</p></div>';
87
88	}

89	}
90
91	function rwl_plugin_action_links( $links ) {
	@@ -149,6 +151,7 @@ function rwl_init() {
149	exit;
150
151	}

152	}
153
154	}
	@@ -191,6 +194,7 @@ function rwl_filter_logout_url( $login_url, $redirect = '' ) {
191	$logout_url = wp_nonce_url( $logout_url, 'log-out' );
192
193	return $logout_url;

194	}
195
196	function rwl_filter_register_url( $register_url ) {
	@@ -209,11 +213,12 @@ function rwl_filter_lostpassword_url( $lostpassword_url, $redirect = '' ) {
209	$lostpassword_url = add_query_arg( $args, rwl_login_url() );
210
211	return $lostpassword_url;

212	}
213
214	function rwl_login_url() {
215
216	- return ~~site_url~~() . '/' . get_option( 'rwl_page' ) . '/';
217
218	}
219
	@@ -221,7 +226,7 @@ function rwl_404() {
221
222	global $wp_query;
223
224	- status_header(404);
225
226	$wp_query->set_404();
227


6	Description: Change wp-login.php to whatever you want. It can also prevent a lot of brute force attacks.
7	Author: avryl
8	Author URI: http://profiles.wordpress.org/avryl/
9	+ Version: 1.6
10	Text Domain: rename-wp-login
11	License: GPLv2 or later
12	License URI: http://www.gnu.org/licenses/gpl-2.0.html

51	}
52
53	update_option( 'rwl_admin', isset( $_POST['rwl_admin'] ) ? $_POST['rwl_admin'] : '0' );
54	+
55	}
56
57	if ( get_option( 'rwl_redirect' ) == '1' ) {

66
67	function rwl_page() {
68
69	+ echo '<code>' . home_url() . '/</code> <input id="rwl-page-input" type="text" name="rwl_page" value="' . get_option( 'rwl_page' ) . '" /> <code>/</code>';
70
71	}
72

84
85	} elseif ( $_GET['settings-updated'] == true ) {
86
87	+ echo '<div class="updated"><p>Your login page is now here: <a href="' . home_url() . '/' . get_option( 'rwl_page' ) . '/">' . home_url() . '/<strong>' . get_option( 'rwl_page' ) . '</strong>/</a>. Bookmark this page!</p></div>';
88
89	}
90	+
91	}
92
93	function rwl_plugin_action_links( $links ) {

151	exit;
152
153	}
154	+
155	}
156
157	}

194	$logout_url = wp_nonce_url( $logout_url, 'log-out' );
195
196	return $logout_url;
197	+
198	}
199
200	function rwl_filter_register_url( $register_url ) {

213	$lostpassword_url = add_query_arg( $args, rwl_login_url() );
214
215	return $lostpassword_url;
216	+
217	}
218
219	function rwl_login_url() {
220
221	+ return home_url() . '/' . get_option( 'rwl_page' ) . '/';
222
223	}
224

226
227	global $wp_query;
228
229	+ status_header( 404 );
230
231	$wp_query->set_404();
232

wp-login.php CHANGED Viewed

	@@ -248,7 +248,7 @@ function retrieve_password() {
248	$message .= sprintf(__('Username: %s'), $user_login) . "\r\n\r\n";
249	$message .= __('If this was a mistake, just ignore this email and nothing will happen.') . "\r\n\r\n";
250	$message .= __('To reset your password, visit the following address:') . "\r\n\r\n";
251	- $message .= '<' . ~~site_url~~() . '/' . get_option('rwl_page') . '/' . "?action=rp&key=$key&login=" . rawurlencode($user_login) . ">\r\n";
252
253	if ( is_multisite() )
254	$blogname = $GLOBALS['current_site']->site_name;
	@@ -421,7 +421,7 @@ case 'logout' :
421	check_admin_referer('log-out');
422	wp_logout();
423
424	- $redirect_to = !empty( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : ~~site_url~~() . '/' . get_option('rwl_page') . '/' . '?loggedout=true';
425	wp_safe_redirect( $redirect_to );
426	exit();
427
	@@ -433,7 +433,7 @@ case 'retrievepassword' :
433	if ( $http_post ) {
434	$errors = retrieve_password();
435	if ( !is_wp_error($errors) ) {
436	- $redirect_to = !empty( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : ~~site_url~~() . '/' . get_option('rwl_page') . '/' . '?checkemail=confirm';
437	wp_safe_redirect( $redirect_to );
438	exit();
439	}
	@@ -449,7 +449,7 @@ case 'retrievepassword' :
449
450	?>
451
452	- <form name="lostpasswordform" id="lostpasswordform" action="<?php echo ~~site_url~~() . '/' . get_option('rwl_page') . '/' . '?action=lostpassword'; ?>" method="post">
453	<p>
454	<label for="user_login" ><?php _e('Username or E-mail:') ?><br />
455	<input type="text" name="user_login" id="user_login" class="input" value="<?php echo esc_attr($user_login); ?>" size="20" /></label>
	@@ -475,7 +475,7 @@ case 'rp' :
475	$user = check_password_reset_key($_GET['key'], $_GET['login']);
476
477	if ( is_wp_error($user) ) {
478	- wp_redirect( ~~site_url~~() . '/' . get_option('rwl_page') . '/' . '?action=lostpassword&error=invalidkey' );
479	exit;
480	}
481
	@@ -499,7 +499,7 @@ case 'rp' :
499	login_header(__('Reset Password'), '<p class="message reset-pass">' . __('Enter your new password below.') . '</p>', $errors );
500
501	?>
502	- <form name="resetpassform" id="resetpassform" action="<?php echo ~~site_url~~() . '/' . get_option('rwl_page') . '/' . '?action=resetpass&key=' . urlencode( $_GET['key'] ) . '&login=' . urlencode( $_GET['login'] ); ?>" method="post" autocomplete="off">
503	<input type="hidden" id="user_login" value="<?php echo esc_attr( $_GET['login'] ); ?>" autocomplete="off" />
504
505	<p>
	@@ -537,7 +537,7 @@ case 'register' :
537	}
538
539	if ( !get_option('users_can_register') ) {
540	- wp_redirect( ~~site_url~~() . '/' . get_option('rwl_page') . '/' . '?registration=disabled' );
541	exit();
542	}
543
	@@ -548,7 +548,7 @@ case 'register' :
548	$user_email = $_POST['user_email'];
549	$errors = register_new_user($user_login, $user_email);
550	if ( !is_wp_error($errors) ) {
551	- $redirect_to = !empty( $_POST['redirect_to'] ) ? $_POST['redirect_to'] : ~~site_url~~() . '/' . get_option('rwl_page') . '/' . '?checkemail=registered';
552	wp_safe_redirect( $redirect_to );
553	exit();
554	}
	@@ -558,7 +558,7 @@ case 'register' :
558	login_header(__('Registration Form'), '<p class="message register">' . __('Register For This Site') . '</p>', $errors);
559	?>
560
561	- <form name="registerform" id="registerform" action="<?php echo ~~site_url~~() . '/' . get_option('rwl_page') . '/' . '?action=register'; ?>" method="post">
562	<p>
563	<label for="user_login"><?php _e('Username') ?><br />
564	<input type="text" name="user_login" id="user_login" class="input" value="<?php echo esc_attr(wp_unslash($user_login)); ?>" size="20" /></label>
	@@ -692,7 +692,7 @@ default:
692	$rememberme = ! empty( $_POST['rememberme'] );
693	?>
694
695	- <form name="loginform" id="loginform" action="<?php echo ~~site_url~~() . '/' . get_option('rwl_page') . '/'; ?>" method="post">
696	<p>
697	<label for="user_login"><?php _e('Username') ?><br />
698	<input type="text" name="log" id="user_login" class="input" value="<?php echo esc_attr($user_login); ?>" size="20" /></label>


248	$message .= sprintf(__('Username: %s'), $user_login) . "\r\n\r\n";
249	$message .= __('If this was a mistake, just ignore this email and nothing will happen.') . "\r\n\r\n";
250	$message .= __('To reset your password, visit the following address:') . "\r\n\r\n";
251	+ $message .= '<' . home_url() . '/' . get_option('rwl_page') . '/' . "?action=rp&key=$key&login=" . rawurlencode($user_login) . ">\r\n";
252
253	if ( is_multisite() )
254	$blogname = $GLOBALS['current_site']->site_name;

421	check_admin_referer('log-out');
422	wp_logout();
423
424	+ $redirect_to = !empty( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : home_url() . '/' . get_option('rwl_page') . '/' . '?loggedout=true';
425	wp_safe_redirect( $redirect_to );
426	exit();
427

433	if ( $http_post ) {
434	$errors = retrieve_password();
435	if ( !is_wp_error($errors) ) {
436	+ $redirect_to = !empty( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : home_url() . '/' . get_option('rwl_page') . '/' . '?checkemail=confirm';
437	wp_safe_redirect( $redirect_to );
438	exit();
439	}

449
450	?>
451
452	+ <form name="lostpasswordform" id="lostpasswordform" action="<?php echo home_url() . '/' . get_option('rwl_page') . '/' . '?action=lostpassword'; ?>" method="post">
453	<p>
454	<label for="user_login" ><?php _e('Username or E-mail:') ?><br />
455	<input type="text" name="user_login" id="user_login" class="input" value="<?php echo esc_attr($user_login); ?>" size="20" /></label>

475	$user = check_password_reset_key($_GET['key'], $_GET['login']);
476
477	if ( is_wp_error($user) ) {
478	+ wp_redirect( home_url() . '/' . get_option('rwl_page') . '/' . '?action=lostpassword&error=invalidkey' );
479	exit;
480	}
481

499	login_header(__('Reset Password'), '<p class="message reset-pass">' . __('Enter your new password below.') . '</p>', $errors );
500
501	?>
502	+ <form name="resetpassform" id="resetpassform" action="<?php echo home_url() . '/' . get_option('rwl_page') . '/' . '?action=resetpass&key=' . urlencode( $_GET['key'] ) . '&login=' . urlencode( $_GET['login'] ); ?>" method="post" autocomplete="off">
503	<input type="hidden" id="user_login" value="<?php echo esc_attr( $_GET['login'] ); ?>" autocomplete="off" />
504
505	<p>

537	}
538
539	if ( !get_option('users_can_register') ) {
540	+ wp_redirect( home_url() . '/' . get_option('rwl_page') . '/' . '?registration=disabled' );
541	exit();
542	}
543

548	$user_email = $_POST['user_email'];
549	$errors = register_new_user($user_login, $user_email);
550	if ( !is_wp_error($errors) ) {
551	+ $redirect_to = !empty( $_POST['redirect_to'] ) ? $_POST['redirect_to'] : home_url() . '/' . get_option('rwl_page') . '/' . '?checkemail=registered';
552	wp_safe_redirect( $redirect_to );
553	exit();
554	}

558	login_header(__('Registration Form'), '<p class="message register">' . __('Register For This Site') . '</p>', $errors);
559	?>
560
561	+ <form name="registerform" id="registerform" action="<?php echo home_url() . '/' . get_option('rwl_page') . '/' . '?action=register'; ?>" method="post">
562	<p>
563	<label for="user_login"><?php _e('Username') ?><br />
564	<input type="text" name="user_login" id="user_login" class="input" value="<?php echo esc_attr(wp_unslash($user_login)); ?>" size="20" /></label>

692	$rememberme = ! empty( $_POST['rememberme'] );
693	?>
694
695	+ <form name="loginform" id="loginform" action="<?php echo home_url() . '/' . get_option('rwl_page') . '/'; ?>" method="post">
696	<p>
697	<label for="user_login"><?php _e('Username') ?><br />
698	<input type="text" name="log" id="user_login" class="input" value="<?php echo esc_attr($user_login); ?>" size="20" /></label>