
[Resolved] login shortcode reveal itheme hide login url, security loophole?

This support ticket was created 6 years, 3 months ago. There's a good chance that you are reading advice that is now obsolete.

This is the technical support forum for Toolset - a suite of plugins for developing WordPress sites without writing PHP.


This topic contains 3 replies and has 2 messages.

Last updated by Akhil 6 years, 3 months ago.

Assisted by: Christian Cox.

#1080319

Hi Beda,

I just noticed the login shortcode is revealing the iThemes Security hide login URL.

<form name="loginform" id="loginform" action="enlace oculto" method="post">

Is this from Toolset or iThemes?

PS: Have highlighted this to iThemes, waiting for an answer as well.

#1080502

I was hoping this script would hide it, but it doesn't.

<script type="text/javascript">
document.getElementById('myloginform').action = 'enlace oculto';
</script>

#1080691

I believe it is added by the security plugin. See here: https://wordpress.org/support/topic/hide-beckend-itsec-hb-token/

According to the 6.3.0 changelog:

Important: The way that Hide Backend functions changes in this release. Previously, if your Hide Backend Login Slug was wplogin, going to example.com/wplogin would result in the URL remaining example.com/wplogin. The new implementation of this feature results in a redirect to a URL that looks as follows: example.com/wp-login.php?itsec-hb-token=wplogin. While this may not be desirable for some users, this change was necessary to fix longstanding compatibility issues with other plugins. Once you access the login page using the Login Slug page, a cookie is set with an expiration time of one hour. As long as the cookie remains, you can access example.com/wp-login.php without having to access the Hide Backend Login Slug first. If you wish to confirm that Hide Backend is working properly on your site, opening up a private browsing window is a quick way to test without having to log out and clear cookies.
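
A check a site owner can run over the HTML their own front-end pages serve to logged-out visitors, to see whether the Hide Backend slug is disclosed as discussed in this thread. This is an added example, not part of the original thread or of either plugin's code. It assumes the leaked URL has the `wp-login.php?itsec-hb-token=<slug>` form quoted in the changelog; `SlugLeakFinder`, `find_slug_leaks` and the sample pages are hypothetical names and constructed data.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

TOKEN_PARAM = "itsec-hb-token"  # parameter name quoted in the 6.3.0 changelog
# Tag -> attribute that can carry a URL into the HTML an anonymous visitor receives.
URL_ATTRS = {"form": "action", "a": "href", "input": "value"}


class SlugLeakFinder(HTMLParser):
    def __init__(self, known_slug=None):
        super().__init__()
        self.known_slug = known_slug
        self.leaks = []  # (tag, attribute, leaked slug)

    def handle_starttag(self, tag, attrs):
        wanted = URL_ATTRS.get(tag)
        for name, value in attrs:
            if name != wanted or not value:
                continue
            try:
                url = urlsplit(value)
            except ValueError:  # malformed URL, nothing to inspect
                continue
            # 6.3.0+ form: wp-login.php?itsec-hb-token=<slug>
            for slug in parse_qs(url.query).get(TOKEN_PARAM, []):
                self.leaks.append((tag, name, slug))
            # Pre-6.3.0 form: the slug itself is the path (example.com/<slug>)
            if self.known_slug and url.path.strip("/") == self.known_slug:
                self.leaks.append((tag, name, self.known_slug))


def find_slug_leaks(html, known_slug=None):
    finder = SlugLeakFinder(known_slug)
    finder.feed(html)
    finder.close()
    return finder.leaks


# Constructed sample pages; example.com and the slug "wplogin" come from the changelog text.
LEAKY_PAGE = """
<form name="loginform" id="loginform"
      action="https://example.com/wp-login.php?itsec-hb-token=wplogin" method="post">
</form>
<a href="https://example.com/wplogin/">Log in</a>
"""
CLEAN_PAGE = '<form id="loginform" action="https://example.com/wp-login.php" method="post"></form>'

if __name__ == "__main__":
    for tag, attr, slug in find_slug_leaks(LEAKY_PAGE, known_slug="wplogin"):
        print(f"<{tag} {attr}=...> discloses Hide Backend slug {slug!r}")
```

Feed it the page source fetched in a private browsing window, since that is what a visitor without the one-hour cookie receives.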

#1081033

Thank you, I decided to uninstall this plugin as I have another premium service for security.