May 1, 2011

Mod-Rewrite on WordPress to hide login, register pages

For those who run WordPress on your own server or shared hosting (this doesn’t include “WordPress.com”, as you cannot access your installation folder there, but that’s outside the scope of this article): we all know that the “/wp-login.php” file is the well-known entry point to your WordPress install. An attacker who gets in through it could infect your website with malicious content such as malware, which could get your website blacklisted.

This file is located at the root of your WordPress install:
“http://www.yourdomain.com/wp-login.php” or “http://www.yourdomain.com/blog/wp-login.php”

This file also allows you and the other users on your website to log in to post content, and not only that, but also to register and to get a new password if they’ve forgotten theirs.

So, if you wish to disguise this file and replace its URL with something other than “wp-login.php”, so that it looks like “/login” and “/register”, e.g.:

http://www.yourdomain.com/login — would replace /wp-login.php
http://www.yourdomain.com/register — would replace /wp-login.php?action=register
http://www.yourdomain.com/lostpassword — would replace /wp-login.php?action=lostpassword

There are some plugins that do this, like “Stealth Login”, and I’ve tried this personally on this website, but it didn’t meet my needs, so I decided to come up with my own method using my “.htaccess” file. After a bit of experimenting I found a method for this, which I’m about to share in a minute.

Again, this will not protect you from unauthorized access to your account if you’re silly enough to choose a “weak” password. As always, when choosing a password pick a very strong one that has upper-case letters, lower-case letters and numbers, but that’s again going out of the scope of this article. So here’s my method, along with the code you will need to put into your “.htaccess” file.

Open up your .htaccess file and you will see the code below already in there (if you’re using “Pretty” URLs):

# BEGIN WordPress

RewriteEngine On
RewriteBase /

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

# END WordPress

Now all you need to add are the following two lines, placed in between the “RewriteBase /” line and the “RewriteCond” lines (they must come before the final catch-all rule, otherwise that rule would send “/login” to index.php first):

RewriteRule ^login$ /wp-login.php [L]
RewriteRule ^register$ /wp-login.php?action=register [L]

This will then make “/login” accessible so that you and your users can log in, and “/register” will allow users to register, again without revealing “wp-login.php”. However, when the form is submitted (for register), it will reveal “wp-login.php”, because the form posts to that file so it can process the new registration. At the moment I haven’t found a method round this, but I’m still looking at the possibilities of hiding this while still allowing interaction with the core file, which I’ll probably post in another article.

Now, once you’ve done that, the code in your “.htaccess” file should look like this:

# BEGIN WordPress

RewriteEngine On
RewriteBase /

RewriteRule ^login$ /wp-login.php [L]
RewriteRule ^register$ /wp-login.php?action=register [L]

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress

Then just save the file, re-upload it and test it out by going to http://www.yoursite.com/blog/login (or wherever your WordPress is installed). If it worked, you’ve succeeded in hiding the core file (for display purposes). You can also hide the “lostpassword” one as well by adding this line:

RewriteRule ^lostpassword$ /wp-login.php?action=lostpassword [L]

And that will put “/lostpassword” in place of “wp-login.php?action=lostpassword”.
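To see exactly what these rules do (and what they do not do), here is a small evaluator, added as an example and not taken from the article or from Apache, that parses the finished .htaccess block above and resolves request URIs the way mod_rewrite’s per-directory processing would, including the internal-redirect re-run that an [L] substitution triggers in a .htaccess file. The document-root listing (FILES, DIRS) is constructed for the example, and the evaluator only understands the directives the article uses (RewriteRule with the [L], [F] and [QSA] flags, and RewriteCond %{REQUEST_FILENAME} !-f / !-d).

```python
"""Offline evaluator for the mod_rewrite subset used by the article's .htaccess.

Added example, not code from the article or from Apache.  It models only
what the article's rules need: per-directory matching against the path with
the leading slash stripped (RewriteBase /), [L] as an internal redirect that
re-runs the rules, [F] as 403, and [QSA] query-string merging.
"""
import re
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed .htaccess: the article's finished block plus the lostpassword rule.
HTACCESS = """
# BEGIN WordPress
RewriteEngine On
RewriteBase /

RewriteRule ^login$ /wp-login.php [L]
RewriteRule ^register$ /wp-login.php?action=register [L]
RewriteRule ^lostpassword$ /wp-login.php?action=lostpassword [L]

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
"""

# Constructed picture of a hypothetical document root (what -f and -d test).
FILES = {"/index.php", "/wp-login.php"}
DIRS = {"/wp-admin", "/wp-content"}

MAX_PASSES = 10  # Apache aborts internal redirect loops after 10 rounds


@dataclass
class Rule:
    conds: List[str]        # each "!-f" or "!-d", applied to the request path
    pattern: "re.Pattern"   # matched against the path relative to RewriteBase
    substitution: str       # "-" means "leave the URI alone"
    flags: Set[str]


def parse_htaccess(text: str) -> List[Rule]:
    """Turn RewriteCond/RewriteRule lines into Rule objects; conds attach to the next rule."""
    rules, pending = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0] == "RewriteCond":
            if parts[1] != "%{REQUEST_FILENAME}" or parts[2] not in ("!-f", "!-d"):
                raise ValueError(f"unsupported RewriteCond: {line}")
            pending.append(parts[2])
        elif parts[0] == "RewriteRule":
            flags = set(parts[3].strip("[]").split(",")) if len(parts) > 3 else set()
            rules.append(Rule(pending, re.compile(parts[1]), parts[2], flags))
            pending = []
        # RewriteEngine On / RewriteBase / are assumed and skipped here
    return rules


RULES = parse_htaccess(HTACCESS)


def conds_hold(conds: List[str], path: str) -> bool:
    """!-f fails when the path is an existing file, !-d when it is a directory."""
    for cond in conds:
        if cond == "!-f" and path in FILES:
            return False
        if cond == "!-d" and path in DIRS:
            return False
    return True


def rewrite(request_uri: str) -> Tuple[int, str]:
    """Return (status, final URI) for a request, mimicking per-directory mod_rewrite."""
    uri = request_uri
    for _ in range(MAX_PASSES):
        changed = False
        for rule in RULES:
            path, _, query = uri.partition("?")
            if not rule.pattern.search(path.lstrip("/")):
                continue
            if not conds_hold(rule.conds, path):
                continue
            if "F" in rule.flags:
                return 403, uri
            if rule.substitution != "-":
                new_path, _, new_query = rule.substitution.partition("?")
                if not new_query:
                    new_query = query            # target has no '?': request query survives
                elif "QSA" in rule.flags and query:
                    new_query = f"{new_query}&{query}"
                # otherwise the target's own query string replaces the request's
                new_uri = new_path + (f"?{new_query}" if new_query else "")
                changed = changed or new_uri != uri
                uri = new_uri
            if "L" in rule.flags:
                break                            # [L] in .htaccess: redirect and re-run
        if not changed:
            return 200, uri                      # nothing rewritten: served as-is
    return 500, uri                              # redirect loop limit reached


if __name__ == "__main__":
    for req in ("/login", "/login?redirect_to=%2Fwp-admin%2F", "/register",
                "/register?foo=1", "/lostpassword", "/wp-login.php",
                "/hello-world", "/wp-admin"):
        print(f"{req:40s} -> {rewrite(req)}")
```

Two things are worth noticing in the output. First, “/wp-login.php” still resolves to “/wp-login.php”: the rules add aliases and never block the original path, so the rename is purely cosmetic from an attacker’s viewpoint, and any monitoring or rate limiting you have should still watch the real file. Second, “/register?foo=1” comes out as “/wp-login.php?action=register”, because a substitution that carries its own query string replaces the request’s query string unless the rule also has the [QSA] flag, whereas “/login?redirect_to=…” keeps its query string since that substitution has none, which is what lets WordPress send you back to the page you wanted after logging in.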
