Lockdown WP Admin

Descripción

This plugin will hide WordPress Admin (/wp-admin/) when a user isn’t logged in. If a user isn’t logged in and they attempt to access WP Admin directly, they will be unable to and it will return a 404. It can also rename the login URL.

Also, you can add HTTP authentication directly from WP Admin and add custom username/password combinations for the HTTP auth or use the WordPress credentials.

This doesn’t touch any .htaccess files or change the WordPress core files. All the CSS/Images under /wp-admin/ are still accessible, just not the .php ones.

If you enable HTTP authentication, it will add HTTP authentication to the PHP files in /wp-admin/.

To contribute to the development, check out the GitHub Repository.

Instalación

  1. Upload /lockdown-wp-admin/ to the /wp-content/plugins/ directory
  2. Activar el plugin a través del menú ‘Plugins’ en WordPress
  3. Navigate to the “Lockdown WP” menu

Preguntas frecuentes

How can we add files to the white list to hide from the public eye? We want to have AJAX and use a custom file, but we can’t because it hides it from the public.

You can add a file using the ‘no_check_files’ filter. Use this:
function add_my_cool_filter($data)
{
// You have to accept the $data argument or else it will cause a system meltdown ;)
$data[] = 'my-file-name.php'; // JUST the file name.
return $data;
}
add_filter('no_check_files', 'add_my_cool_filter');

Simple.

How can I get back in if Lockdown WP Admin locked me out?

You can create a .txt file named ‘disable_auth.txt’ in your wp-content/plugins/lockdown-wp-admin/ folder (The file location would be /wp-content/plugins/lockdown-wp-admin/disable_auth.txt). We don’t care about the content but that will disable the HTTP Auth and whatever was locking you out of your site.

Reseñas

EXCELLENT !

Très bon plugin
Facile à personnaliser, et très agrable.
Beau travail.
Je recommande.

Fonctionne parfaitement avec un plugin que j’utilise pour personnaliser l’interface de connexion utilisateur.

EN :
Very good plugin
Easy to customize, and very nice.
Good work.
I recommend.
Works perfectly with a plugin I use to customize the user login interface.

Works exactly as expected.

Great plugin…running on a subdirectory installation on Wamp server (@ localhost) and its working on a network wordpress install with custom theme without issue.
Also installed on a production server on a standalone wordpress site…absolutely brilliant.

Very happy

Only suggestion that i will add for others who decide to use this plugin…some users may rather redirect back to home page instead of 404.

I dont know what would happen in the event of a real need for a 404 page when using the following (thats for others to provide insight into).

If you like the idea of redirecting unwanted logins back to homepage do the following;

Go to www directory in cpanel file manager (or ftp)

Then locate…wordpress/wp-content/themes/<your active theme> 404.php

use the following code instead of default

<?php
header(“HTTP/1.1 301 Moved Permanently”);
header(“Location: “.get_bloginfo(‘url’));
exit();
?>

any attempts to login to wp-admin with above code and this plugin will simply now redirect back to home page all the time.

It owuld be nice if the plugin had a little more functionality so this could be only the outcome of an attempt to log in rather than any 404 error.

Perhaps and idea for a premium version of this plugin.

Nice plugin, but needs to deal with Wordpres redirects

Love the plugin and it’s a great start. I use it along with some other methods to simply make it more difficult to reach the login page. though it’s slightly security theatre it does get the potential lazy web hackers out of the picture. And the plugin works pretty well.

I’d suggest adding functionality to stop WordPress from forwarding other URLs to the back end, but blocking the wp_redirect_admin_locations function in canonical.php.

There you will see:

add_action(
  'template_redirect',
  function() {
    $requ = untrailingslashit($_SERVER['REQUEST_URI']);
    if (site_url('login','relative') === untrailingslashit( $_SERVER['REQUEST_URI'] )){
      remove_action( 'template_redirect', 'wp_redirect_admin_locations', 1000 );
    }
  }
);

This means that if someone uses /admin it immediately forwards to the page regardless of if there’s a custom url. admin does the same. Forwards to wp-admin. At least here, when using the plugin you get the “page not found” error. That should happen when people try “login” as well.

Cheers.

does the job

all good, works fine, does the job.
One star is taken for /login is not hidden.

Muito bom

Cumpre direitinho o que promete e mantei a segurança para personalizar a segurança do site.

Leer todas las 50 reseñas

Colaboradores y desarrolladores

“Lockdown WP Admin” es un software de código abierto. Las siguientes personas han colaborado con este plugin.

Colaboradores

Registro de cambios

1.0

  • Version inicial

1.0.1

  • Fixed a link to a broken file

1.1

  • Fixed a bug on activating the plugin network wide, we disabled network wide activation.
  • Cleaned up the plugin and prevented a double loop of the HTTP check, unnecessary.

1.2

  • Cleaned up more code.
  • Security fixes that will prevent somebody from possibly hijacking your website. (Props Jon Cave)

1.3.1

  • Added the ability to change the login URL entirely. It will disable /wp-login.php and give it whatever you want to make it.

1.4

  • Fixed a bug with user’s with a index.php base
  • Added stats for us to collect about about URL setup and server configuration for our users. This will let us make the plugin even better.
  • Fixed bug for having private user management in WP Admin

1.4.2

  • Bug fixes
  • Added admin-ajax.php to the files that we permit to be access in wp-admin.

1.6

  • Added way to get back into WP-ADMIN if locked out (See the FAQ)

1.7

  • Removed the stats that were collected to that we could understand the issues that users were having with the plugin.

1.8

  • Finally discovered why so many users had HTTP authentication errors. Fixed it to support almost 80% of hosts out there.
  • If you still have problems, shoot me an email.

1.9

A very late update, sorry! Worked to fix many issues with the admin bar and the “get_current_screen()” error. If you still see issues, please contact me!

2.0

  • Provided a system dump to help in debugging issues that may arise.
  • Fixes a issues on the 404 page under 3.5.1 (get_current_screen())
  • Cleanup, cleanup!

2.0.1

2.0.2

  • Query string detection bug fix by James Bonham
  • Issues with WordPress in a sub-directory

2.1

  • Unit Testing! Unit Testing ensure more reliable code going forward
  • Support for WordPress 3.6
  • General Cleaning

2.2

  • Fixing issues with other plugins
  • Support tested for 3.9
  • Large code structure changes. If you are extending the Lockdown_Manager at all, you should basically check the class anew since it was separated into Admin and Application services.

2.3

  • Fixing issues with latests WordPress Version
  • Cleaning of code, enhancements.
  • Localizing all the strings.