Preventing public access to WP-Login.php and other admin functions

Is wp-login.php the only problem, or are there other “admin” URLs at the top level that really should not be exposed to the public?

wp-login.php is not an “admin URL”, especially since non-admin users can exist. Other purposes of the file include:

  • Password resets
  • 2FA prompts
  • Logging out

It is very likely that it is also partially used by the OIDC Keycloak implementation that you mentioned.

Also note that wp-login.php can redirect the user to places other than wp-admin, and it is used by many sites for frontend login, either directly or as the form handler for a custom login page.

In terms of other URLs:

  • wp-signup.php
    • Handles the user registration and site creation process for multisite installations.

  • wp-activate.php
    • Confirms that the activation key sent by e-mail after a user signs up for a new site matches the key for that user, and then confirms the activation.

  • xmlrpc.php
    • XML-RPC protocol support for WordPress.

  • The REST API
    • However, this cannot be blocked, because the same URL can serve frontend or admin use depending on whether the request is authenticated, the type of HTTP request, and the access level of the user making it.

Note that completely blocking these URLs carries a high risk of compatibility problems with plugins. E.g. blocking xmlrpc.php stops a number of plugins from working, especially Jetpack.
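Before restricting any of the URLs listed above, it is worth inventorying which of them, and which wp-login.php actions (logout, lostpassword, the plain login POST), the site's real traffic actually uses, so that a block does not silently break Jetpack, the OIDC flow or frontend logins. The following Python script is an added example, not part of the original answer: it parses Common Log Format lines (the sample log, its IPs and its nonce value are constructed) and tallies hits per entry point and action, plus the number of distinct client IPs per entry point.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit
# Entry points named in the answer above (/wp-json/ is the REST API prefix) and a
# Common Log Format matcher: ip ident user [time] "METHOD path HTTP/x" status size
ENTRY_POINTS = ("/wp-login.php", "/wp-signup.php", "/wp-activate.php", "/xmlrpc.php", "/wp-json/")
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" \d{3}')

def classify(method, path):
    """Return (entry_point, action) if the request hits a sensitive endpoint, else None."""
    parts = urlsplit(path)
    for ep in ENTRY_POINTS:
        if parts.path == ep or (ep.endswith("/") and parts.path.startswith(ep)):
            break
    else:
        return None
    if ep == "/wp-login.php":
        # ?action= separates logout / lostpassword / rp from the plain login form
        action = parse_qs(parts.query).get("action", ["login"])[0]
        if action == "login" and method == "POST":
            action = "login-post"  # an actual credential submission
    elif ep == "/wp-json/":
        action = "/".join(parts.path[len(ep):].split("/")[:2]) or "root"  # REST namespace
    else:
        action = method
    return ep, action

def inventory(lines):
    """Count (entry_point, action) pairs and distinct client IPs per entry point."""
    counts, sources = Counter(), {}
    for line in lines:
        m = LOG_RE.match(line)
        hit = classify(m["method"], m["path"]) if m else None
        if hit:
            counts[hit] += 1
            sources.setdefault(hit[0], set()).add(m["ip"])
    return counts, {ep: len(ips) for ep, ips in sources.items()}

# Constructed sample log using documentation IP ranges; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-login.php?action=lostpassword HTTP/1.1" 200 512
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 1024
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 2048
192.0.2.9 - - [10/Oct/2023:13:57:10 +0000] "GET /wp-login.php?action=logout&_wpnonce=abc HTTP/1.1" 302 0
""".splitlines()
if __name__ == "__main__":
    counts, srcs = inventory(SAMPLE_LOG)
    for (ep, action), n in sorted(counts.items()):
        print(f"{ep:14} {action:14} {n}  distinct sources={srcs[ep]}")
```

Run it over a real access log (one line per list element) and any entry point or action with non-zero traffic is one that a block would affect.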

What is the point of wp-login.php anyway? Is it considerably different from wp-admin/index.php?

It is completely different from wp-admin/index.php, and there is no overlap between the two. It is possible to use wp-login.php without touching wp-admin.

Is there a WordPress-mandated way to disable wp-login.php? I could delete the file, but it would be restored by an update at some point.

That would also trigger security warnings on many managed hosts; otherwise, no. You can filter the login URL that WordPress prints on login links, but that changes the hyperlink, not where the form handling takes place. It is very likely that if you tried to interfere with this, you would interfere with Keycloak.
