WORDPRESS_LOGIN_FORM

[[WORDPRESS_LOGIN_FORM:(modified wordpress login handler url)|(redirect url)]]

To keep brute force attacks on the WordPress login form from succeeding, this shortcode function is used to create a stashed login form in any node, at a location where hackers can't easily find it. This helps increase security.

Example:

First, using your hosting control panel file manager or FTP program, rename wp-login.php to wp-login-stashed.php, or preferably any other name you can think of. wp-login.php is in the root of your WordPress installation. This hardens your site against one of the most common attacks, because your login form is no longer where hackers expect it to be.

The shortcode below creates a login form which posts its inputs to the URL http://www.yoursite.com/wp-login-stashed.php and then redirects to the URL http://www.yoursite.com/wp-admin/ upon successful login. An unsuccessful login should result in a 404 or 500 error.

[[WORDPRESS_LOGIN_FORM:http://www.yoursite.com/wp-login-stashed.php|http://www.yoursite.com/wp-admin/]]

BE SURE TO REMEMBER THE ADDRESS OF THIS NODE BECAUSE IT IS YOUR NEW LOG IN FORM!!!

If you forget it, the only other way you will be able to log back in is to rename wp-login-stashed.php back to its original name, wp-login.php, using your file manager or FTP program. wp-login-stashed.php will not work when requested directly, which is a very good thing.

Notes:

Each WordPress update creates a new wp-login.php file. Be aware that immediately after this happens you will need to re-secure the form by renaming the new file, or deleting it if the stashed one still works. You can skip this step if you have a deny or rewrite directive in your .htaccess file that prevents execution of any new wp-login.php file lurking after an update. Your host's support is usually happy to enter this code into your existing .htaccess file for you for free, because it helps their overall security in a shared environment.

# Answer any request for the stock wp-login.php with 403 Forbidden
RewriteEngine On
RewriteRule ^/?wp-login\.php$ - [F,L]
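The post-update check from the note above, written out as an added shell example (not part of this shortcode or its documentation). It confirms the .htaccess deny rule is present and, when an update has dropped a fresh wp-login.php into the site root, moves that fresh copy over the stashed handler so the stashed URL keeps working with the updated code. The root path and stashed file name are assumptions; pass your own.

```shell
#!/bin/sh
# Added example, not the shortcode's own code. Helpers for re-securing the
# login handler after a WordPress update, as described in the Notes above.
# Assumed inputs: ROOT is the WordPress root, STASHED_NAME is the renamed
# login handler (e.g. wp-login-stashed.php).

# has_deny_rule ROOT: succeed only if ROOT/.htaccess carries the deny rule.
has_deny_rule() {
    root="$1"
    [ -f "$root/.htaccess" ] || return 1
    # fixed-string match on the distinctive tail of the RewriteRule
    grep -qF 'wp-login\.php$ - [F,L]' "$root/.htaccess"
}

# resecure_login ROOT STASHED_NAME: prints one status word and returns 0.
#   moved - a stock wp-login.php was present; it now replaces ROOT/STASHED_NAME
#   clean - no stock wp-login.php in ROOT, nothing to do
resecure_login() {
    root="$1"
    stashed="$2"
    if [ -f "$root/wp-login.php" ]; then
        # overwrite the old stashed handler with the freshly updated file,
        # so the stashed URL keeps working and runs current code
        mv -f "$root/wp-login.php" "$root/$stashed"
        echo moved
    else
        echo clean
    fi
    return 0
}

# Usage (assumed paths):
#   . ./resecure-login.sh
#   has_deny_rule /var/www/html || echo "deny rule missing from .htaccess"
#   resecure_login /var/www/html wp-login-stashed.php
```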

This shortcode may also be used to create special login forms which redirect anywhere you want, including your own custom nodes. You can use the WordPress dashboard to manage your users and their permissions for integrated nodes.

Has not been tested with the Limit Login Attempts or Loginizer plugins. Will not work with a captcha plugin activated for the login form.

See ADMIN_SECURITY.
