With the latest version of the Patchstack plugin, we have re-introduced WordPress login page protection - a feature to block access to the standard login page.
About security through obscurity
Recently we removed the ability to "hide" the wp-login.php and /wp-admin/ (which redirects to the login page) pages, because the real login page can be exposed in many other ways, especially in combination with other plugins that may re-introduce bypasses allowing regular users to log in.
What does security through obscurity (STO) mean?
Security through obscurity (STO) is a process of implementing security within a system by enforcing secrecy and confidentiality of the system's internal design architecture. Security through obscurity aims to secure a system by deliberately hiding or concealing its security flaws. (Source)
We've always tried to avoid security through obscurity and to avoid giving users a false sense of security.
For that reason, we have recommended using the captcha challenge on the login page, rate-limiting, and 2FA for privileged accounts (you can enable those options in Patchstack under Hardening options) as a better way to solve this issue.
Brute-force attacks against accounts mostly succeed only when the passwords are weak. Therefore, the very first step is to enforce strong passwords (read how).
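As an added illustration of the rate-limiting option recommended above (example code, not Patchstack's own implementation), the following must-use plugin throttles failed logins per client IP with WordPress transients. The threshold, window length, and the `psx_` prefix are assumptions chosen for the example.

```php
<?php
/**
 * Constructed example: throttle failed logins per client IP using transients.
 * Not Patchstack's code; it illustrates the "rate-limiting" hardening option.
 * Place in wp-content/mu-plugins/ on a test site to try it.
 */

const PSX_MAX_FAILURES   = 5;                       // failures allowed per window (assumption)
const PSX_WINDOW_SECONDS = 15 * MINUTE_IN_SECONDS;  // observation / lockout window (assumption)

function psx_client_ip() {
    // REMOTE_ADDR is the only trustworthy source unless your proxy/CDN is
    // configured to rewrite it; never trust X-Forwarded-For blindly.
    return isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function psx_fail_key() {
    return 'psx_login_fail_' . md5(psx_client_ip());
}

// Count each genuine failure; the transient expires on its own after the window.
// Rejections issued by our own throttle also fire wp_login_failed, so skip those
// to avoid extending the lockout on every blocked attempt.
add_action('wp_login_failed', function ($username, $error = null) {
    if (is_wp_error($error) && $error->get_error_code() === 'psx_too_many_attempts') {
        return;
    }
    $key   = psx_fail_key();
    $count = (int) get_transient($key);
    set_transient($key, $count + 1, PSX_WINDOW_SECONDS);
}, 10, 2);

// Priority 30 runs after core's username/email/password checks (priority 20),
// so a WP_Error returned here overrides their result even when the password
// was correct: a locked-out IP cannot log in at all until the window expires.
add_filter('authenticate', function ($user, $username, $password) {
    if ((int) get_transient(psx_fail_key()) >= PSX_MAX_FAILURES) {
        return new WP_Error(
            'psx_too_many_attempts',
            __('Too many failed login attempts. Please try again later.')
        );
    }
    return $user;
}, 30, 3);

// Clear the counter on success so legitimate users are not penalised later.
add_action('wp_login', function ($user_login, $user) {
    delete_transient(psx_fail_key());
}, 10, 2);
```

Because the check sits on the `authenticate` filter rather than on wp-login.php, it also covers front-end login forms that call `wp_signon()` directly. Keying on `REMOTE_ADDR` only works when the web server sees real client addresses; behind a CDN or reverse proxy that has not been configured to restore them, every visitor shares the proxy's IP and a single lockout would affect all of them.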
Introducing a better way to solve the problem
We have listened to the feedback of our customers and decided to completely rework the /wp-admin/ protection option and add it back in a slightly different way.
With the new approach, access to wp-login.php is completely blocked (not hidden). The only way to reach the login page is to visit a secret page/link, after which the visitor's IP address is whitelisted for 10 minutes. During that window you are allowed to access wp-login.php and log in.
This approach solves many issues with the previously known methods. It is also more fail-safe than existing solutions, which can easily conflict with other plugins. For more ways to secure your website, read about the top 4 reasons why WordPress websites get hacked and how to avoid them.
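To make the "blocked, not hidden" mechanism concrete, here is an added example of the gate described above (constructed for this post, not Patchstack's own implementation). It assumes a secret defined as `PSX_LOGIN_UNLOCK_SECRET` in wp-config.php, a hypothetical unlock URL of the form `https://example.com/?psx_unlock=<secret>`, and the 10-minute window from the text.

```php
<?php
/**
 * Constructed example of an IP-whitelisting login gate. Not Patchstack's code.
 * Assumes wp-config.php contains:
 *   define('PSX_LOGIN_UNLOCK_SECRET', 'a-long-random-string');
 * The unlock link is then https://example.com/?psx_unlock=<that secret>.
 */

const PSX_UNLOCK_TTL = 10 * MINUTE_IN_SECONDS;  // 10-minute whitelist, as in the post

function psx_client_ip() {
    // Trust REMOTE_ADDR only; make the proxy/CDN rewrite it if one is in front.
    return isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function psx_unlock_key() {
    return 'psx_login_unlock_' . md5(psx_client_ip());
}

function psx_ip_is_unlocked() {
    return (bool) get_transient(psx_unlock_key());
}

// Step 1: visiting the secret link whitelists the visitor's IP for PSX_UNLOCK_TTL
// seconds and sends them on to the real login page.
add_action('init', function () {
    if (!isset($_GET['psx_unlock']) || !defined('PSX_LOGIN_UNLOCK_SECRET')) {
        return;
    }
    // Constant-time comparison so timing does not leak the secret byte by byte.
    if (!hash_equals(PSX_LOGIN_UNLOCK_SECRET, (string) $_GET['psx_unlock'])) {
        status_header(404);   // wrong secret: behave like any other unknown URL
        exit;
    }
    set_transient(psx_unlock_key(), 1, PSX_UNLOCK_TTL);
    wp_safe_redirect(wp_login_url());
    exit;
});

// Step 2: wp-login.php refuses every request from an IP that is not whitelisted.
// login_init fires before the form is rendered or credentials are processed,
// so the page is blocked outright rather than merely renamed.
add_action('login_init', function () {
    if (psx_ip_is_unlocked() || is_user_logged_in()) {
        return;   // already unlocked, or an existing session (e.g. logout)
    }
    status_header(403);
    nocache_headers();
    wp_die('Access to the login page is disabled.', 'Forbidden', array('response' => 403));
});
```

The whitelist lives in a transient keyed by the hashed client IP, so it expires on its own and nothing about the real login URL is concealed; an attacker who knows wp-login.php exists still gets a 403. Two things to check before relying on a gate like this: the `lostpassword` and `postpass` actions also go through wp-login.php and will be blocked for non-whitelisted visitors, and any plugin that authenticates through its own front-end form or `wp_signon()` bypasses `login_init` entirely, which is exactly the "other plugins may re-introduce bypasses" problem the post describes.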
The full list of changes in the new plugin version
- Added: The login rename feature has been added back and adjusted so it works differently under the hood.
- Added: Option for us to get some debug information from the site, when needed and requested.
- Fixed: PHP error when the plugin would be activated through the CLI.
- Fixed: Logs synchronization issue on some environments.
- Fixed: A prefix has been added to all AJAX actions in order to avoid potential collision with other plugins with the same AJAX action name.
- Fixed: Custom .htaccess rules are no longer sanitized, to avoid breaking the .htaccess file. If invalid .htaccess rules are provided, the file is reset to its previous state.
- Fixed: Upon fresh install of the Patchstack plugin, the last synchronization identifier will now be reset.