[Resolved] Hide wp core login url in custom login form page ?

This support ticket was created 6 years, 4 months ago. There's a good chance that you are reading advice that is now obsolete.

This topic contains 5 replies, has 3 voices.

Last updated by Akhil 6 years, 4 months ago.

Assisted by: Luo Yang.

#1081048

Hi,

The Toolset shortcode, which is the WP login form shortcode, is revealing the WP core admin login URL.
Is there any way to INTERCEPT and hide the action?

I have two options to hide the URL:
1. WebARX suite, which I am using
2. WPS Hide Login plugin

In both cases the URL is revealed in the login form [if you look at the code].

Example:
<form name="loginform" id="loginform" action="site.com/new-admin-url/" method="post">
</form>

This poses a security threat. Please advise what my options are, thanks.

#1081123

Hello,

I assume we are talking about the shortcode [wpv-login-form], see our document:

https://toolset.com/documentation/user-guides/views-shortcodes/#wpv-login-form

There is no built-in feature to "INTERCEPT and hide the action attribute". If you agree, we can take it as a feature request and our developers will evaluate it.

#1081125

Hi,

OK, but is this common, as it's revealing the actual hidden admin page?
There is some script online but it's not working.

#1085454

1. This poses a security threat. Please advise what my options are, thanks.

Please read this:
https://codex.wordpress.org/Hardening_WordPress

Obscuring an admin URL, or changing it, does not increase security.
Strong passwords and usernames do.

This is not a security threat. WordPress itself natively shows the admin and login path (and does not natively let you change it).

2. Our Login ShortCode is mimicking the WordPress Login Form

You can set success, redirect and failure URLs.

3. Yes, you need to POST your login details and pass them to an action that then logs you in (validation etc.)

That's done with WordPress; the native login screen reveals that URL as well:
hidden link

That is pretty much how forms work: if they have no action that does (something) with that data, nothing will work.

I will re-assign this thread to Luo to finalize in case you have more questions, as this cannot and should not be changed; it is not a security threat.
If anything, you can change the WordPress login action file and call your custom file, but we do not assist with the custom code required to create new login logic.

I apologize in case I misunderstood something.
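
An added example, not part of the original thread and not Toolset or WordPress code: a Python check a site owner can run over the rendered HTML of their own login page to confirm the point made in the reply above, that the form's action attribute is delivered to every visitor, so a renamed login URL is not a secret. The function and class names are hypothetical, and the sample markup is constructed around the form quoted earlier in the thread.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page; the login form is the example quoted in the thread.
SAMPLE_PAGE = """
<form id="searchform" action="/" method="get"><input type="text" name="s"></form>
<form name="loginform" id="loginform" action="site.com/new-admin-url/" method="post">
  <input type="text" name="log"><input type="password" name="pwd">
</form>
"""

class LoginFormFinder(HTMLParser):
    """Collect every <form> that contains a password input."""

    def __init__(self):
        super().__init__()
        self._form = None          # form currently open, if any
        self.login_forms = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._form = {"action": attrs.get("action") or "", "has_password": False}
        elif tag == "input" and self._form is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._form["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            if self._form["has_password"]:
                self.login_forms.append(self._form)
            self._form = None

def exposed_login_actions(html, renamed_slug):
    """Return login-form action URLs whose path contains the renamed login slug."""
    finder = LoginFormFinder()
    finder.feed(html)
    finder.close()
    slug = renamed_slug.strip("/")
    hits = []
    for form in finder.login_forms:
        # A scheme-less action such as "site.com/new-admin-url/" parses as a path.
        segments = urlsplit(form["action"]).path.strip("/").split("/")
        if slug in segments:
            hits.append(form["action"])
    return hits

if __name__ == "__main__":
    print(exposed_login_actions(SAMPLE_PAGE, "new-admin-url"))
```

Any hit means the renamed path is already public on that page, which is why the reply points to strong credentials rather than URL obscurity.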

#1085457

Thanks, I'll read through and see what I could do.

By the way, I think there is a bug in Toolset Forms: https://toolset.com/forums/topic/email-and-password-field-validation-always-prompt/

Can you confirm, please? I went ahead and used Gravity Forms, but I realized that I need a Toolset form for adding the custom post type that was created by Toolset.

Thanks

#1085458

Closing, thanks.