Descripción
This plugin forbids access to https://example.com/wp-login.php and creates new urls, like https://example.com/login or https://example.com/logout.
This is a great way to limit bots trying to brute-force your login (trying to guess your login and password). Of course, the new URLs are easier to remember too.
Also remember: the use of this plugin does NOT exempt you to use a strong password. Moreover, never use «admin» as login, this is the first attempt for bots.
By the way, if you are looking for a complete security solution, take a look at SecuPress: Move Login is included inside.
Multisitio
Yes! The plugin must be activated from your network.
Note 1: this plugin deals only with wp-login.php
, not with wp-signup.php
nor with wp-activate.php
(yet). That means https://example.com/register will still redirect to https://example.com/wp-signup.php. I think this will be the next step though, but no ETA.
Note 2: if users/sites registrations are open, you shouldn’t use this plugin yet. There are some places where the log in address is hard coded and not filterable. A bug ticket is open.
Requerimientos
- As of version 2.4, at least PHP 5.3 is required.
- You will need a FTP access: if the
.htaccess
/web.config
file is not writable (you will need to add the given rules manually), or if something is wrong and you can’t log in anymore (see the FAQ in that case). - Should work on IIS7+ servers but not tested (I guess you should probably save a copy of your
web.config
file before the plugin activation). - For Nginx servers, the rewrite rules are not written automatically of course, but they are provided as information in the plugin settings page.
Capturas
Instalación
- Extract the plugin folder from the downloaded ZIP file.
- Upload the
sf-move-login
folder to your/wp-content/plugins/
directory. - If you have another plugin that makes redirections to https://example.com/wp-login.php (a short-links plugin for example), disable it or remove the redirection, otherwise they will conflict and you’ll be locked out. See the FAQ in case you’re not able to reach the login page (make sure to have a FTP access to your site).
- Activar el plugin desde la página de «plugins».
- Si el plugin no puede escribir el archivo
.htaccess
o el archivoweb.config
, Necesitarás editarlos tú mismo con un acceso ftp, las reglas se proporcionan en la página de configuración del plugin.
FAQ
- Instrucciones de instalación
-
- Extract the plugin folder from the downloaded ZIP file.
- Upload the
sf-move-login
folder to your/wp-content/plugins/
directory. - If you have another plugin that makes redirections to https://example.com/wp-login.php (a short-links plugin for example), disable it or remove the redirection, otherwise they will conflict and you’ll be locked out. See the FAQ in case you’re not able to reach the login page (make sure to have a FTP access to your site).
- Activar el plugin desde la página de «plugins».
- Si el plugin no puede escribir el archivo
.htaccess
o el archivoweb.config
, Necesitarás editarlos tú mismo con un acceso ftp, las reglas se proporcionan en la página de configuración del plugin.
- ¿Puedo establecer mi propia URL?
-
Desde la versión 1.1, sí. Desde la versión 2.0, no es necesario ningún plugin adicional para ello.
- ¿Estoy bloqueado fuera! ¡No puedo acceder a la página de inicio de sesión!
-
You’re screwed! No, I’m kidding, but you need a FTP access to your site. When logged in with your FTP software, open the file
wp-config.php
located at the root of your installation. Simply add this in the file:define( 'SFML_ALLOW_LOGIN_ACCESS', true );
and save the file. This will bypass the plugin and you’ll be able to access https://example.com/wp-login.php. Another plugin may conflict, you’ll need to find which one before removing this new line of code. - ¿Realmente funciona para Multisitio?
-
Yes. Each blog has its own login page (but the customized slugs are the same for each blog though). The plugin must be activated from the network.
Eventually, try the WordPress support forum (best), or check out my blog for more infos, help, or bug reports (sorry folks, it’s in French, but feel free to leave a comment in English).
Reseñas
Colaboradores y desarrolladores
«Move Login» es un software de código abierto. Las siguientes personas han colaborado con este plugin.
Colaboradores«Move Login» está traducido en 2 idiomas. Gracias a los traductores por sus contribuciones.
Traduce «Move Login» a tu idioma.
¿Interesado en el desarrollo?
Revisa el código , echa un vistazo al repositorio SVN o suscríbete al registro de desarrollo por RSS.
Registro de cambios
2.5.3
- 2017/06/05
- New: preview your URLs while typing.
- New: you can leave a field empty to set its default value.
- Improved URL duplicates detection.
- Fixed the «Lost Password» redirection (and others).
- Dev stuff: fixed the filters in
sfml_is_apache()
,sfml_is_iis7()
, andsfml_is_nginx()
. - Nerd stuff: improved the whole plugin code quality by updating the Coding Standard rules and applying new ones. Changed a few things in the class
SFML_Options
.
2.5.2
- 2017/05/25
- New: a new option is available. Instead of redirecting to the a «WordPress» 404 error page, you can choose to directly trigger the 404 error. Pro: the user is not directed, the URL doesn’t change. Con: the user sees the browser error page, it probably is a simple white page (but do we really care?).
- Fixed the blank page that was displaying instead of redirecting the user to the new login URL.
- Dev stuff: you can now add custom options to the two existing radio groups.
- Nerd stuff: in case the plugin has trouble determining your server technology, take a look at
sfml_is_apache()
,sfml_is_iis7()
, andsfml_is_nginx()
: returned values can be filtered with a MU plugin.
2.5.1
- 2017/05/14
- Added missing functions for compatibility with WordPress < 4.4.
2.5
- 2017/05/09
- New: some files from WordPress core were still able to redirect a logged out user to the new login URL. Now Move Login filters every redirection to prevent it.
- Dev stuff: the hook
sfml_wp_admin_error
is now deprecated. Please use the filtersfml_login_redirect_location
instead.
2.4.3
- 26/03/2017
- Fixed an error preventing the plugin uninstallation. My diabolical plan to be on every website has been discovered 👿
- Updated some translations to exclude non-translatable strings and as many HTML tags as possible.
- Use
WP_Filesystem_Direct
to write files.
2.4.2
- 04/02/2017
- Fixed a simple PHP warning.
2.4.1
- 07/01/2017
- Added missing test for PHP version :s
2.4
- 03/01/2017
- Move Login now requires PHP 5.3 at least!
- New: tell cache plugins not to cache the login pages (constant
DONOTCACHEPAGE
). - Improved: nginx support should be fine now.
- I’ve revamped the plugin with what I’ve done on SecuPress (lots of things have changed internally).
2.3
- 04/04/2016
- Probado con WP 4.5.
- Mejoras en la calidad de código.
- Fixed a notice with php7.
- Mark the option «Do nothing, redirect to the new login page» as not recommended.
- If not logged in, deny access to
wp-signup.php
andwp-register.php
(mono-site installations). - Cuando bloquea el acceso, usa un código de error 501 en lugar de 500
- Compatibilidad añadida con los sitios web que no están utilizando el puerto 80 y 443.
2.2.2
- 22/11/2015
- Acceder a través de HTTPS en un sitio que no es https debería funcionar (๑˃̵ᴗ˂̵)و
2.2.1
- 04/10/2015
- The URL used in the password protected posts form (slug
postpass
) is back in the rewrite rules: this URL can be discovered by inspecting the form code, so it must not use the login URL. - Bugfix: the URL used in the password protected posts form and those used to retrieve a password are working fine again.
2.2
- 18/09/2015
- Removed
postpass
,retrievepassword
andrp
from the rewrite rules: they are useless and they can be used to find the login page. - Se ha corregido un error en Multisitio donde se insertaron las reglas de reescritura después de las reglas de WordPress.
- El plugin no mostrará nunca más un mensaje ON EVERY BLOODY UPDATE, sólo si el archivo
.htaccess
/web.config
necesita ser actualizado y no se puede escribir. Bueno, mala suerte… esta vez es el caso. (╯°□°)╯︵ ┻━┻ - El cuadro de código después del formulario de configuración ahora está oculto por defecto y puede mostrarse haciendo clic en un botón.
- Algunas limpiezas de código.
2.1.5
- 26/08/2015
- La compatibilidad con versiones antiguas se está volviendo molesta. Última prueba antes de descartar el soporte para las versiones antiguas de WP.
2.1.4
- 26/08/2015
- Corrección para WP < 3.6:
Call to undefined function wp_is_writable()
.
2.1.3
- 05/08/2015
- Nuevo: preparado para los nuevos encabezamientos de la pantalla de administración en WordPress 4.3 (pero no verá ninguna diferencia).
2.1.2
- 23/07/2015
- Corrección: Añadida URL base en las reglas de reescritura para Nginxx cuando el sitio no está instalado en la raíz del dominio.
- Corrección: aviso php en la página de configuración.
2.1.1
- 08/06/2015
- Corrección: Añadido punto y coma en la reescritura de las reglas de Nginx.
2.1
- 01/03/2015
- New: Installations where WordPress has its own directory are now supported. (〜 ̄▽ ̄)〜
- New: For multisite, the log in address in the «new site» welcome email is now filtered. Unfortunately there are some other places where the log in address can’t be changed, regarding the user/site registration messages. A bug ticket is open.
- Improvement: All rewrite rules have been improved. Feedback from Nginx users are welcome (as you may know, I’m a Nginx n00b).
- Improvement: Better handling of
network_site_url()
. - Bugfix: slugs were not stored in
SFML_Options::get_slugs()
before being returned. Trivial perf improvement. - The filter ‘sfml_options’ can’t be used to add options, only to modify existing values.
- Eliminadas algunas global vars no utilizadas.
2.0.2
- 24/02/2015
- Same as below… Fingers crossed. >_>
2.0.1
- 24/02/2015
- Corrige un error fatal para multisitio.
2.0
- 22/02/2015
- La mayor parte del plugin ha sido reescrito.
- New: you don’t need my framework Noop to have a settings page anymore (yes, you can uninstall it if it’s not used elsewhere). ᕙ(⇀‸↼‶)ᕗ The bad news is there are no settings import/export/history anymore (and it won’t come back). Make sure your settings are ok after upgrading.
- New: the plugin disable some WordPress native redirections to administration area and login page. For example, https://example.com/dashboard/ was leading to https://example.com/wp-admin/. This should solve a bunch of bugs.
- New: the rewrite rules for Nginx servers are now provided in the plugin settings page as information. Thank you Milouze.
- Mejora: corrección de errores para los servidores IIS.
- Mejora: mejores traducciones al francés.
- Corrección: fijar una doble barra inclinada en la URL del sitio (utilizado para contraseña olvidada).
1.1.4
- 28/04/2014
- Plugins can now add their own action to Move Login more easily with the filter
sfml_additional_slugs
. Even without doing anything, Move Login handle custom actions added by other plugins, but the url can’t be customizable. Now, these plugins can add a new input field to let users change this new url, and it’s very simple. - Side note: I’ve just released a new version for my framework Noop (1.0.6). Now you can import and export your settings via a file, see the new tab in the «Help» area.
1.1.3
- 01/04/2014
- Solución de error para PHP 5.4.
1.1.2
- 29/03/2014
- Bugfix: don’t block users accessing the script
admin-post.php
. - Cambiado dominio i18n
- Si Noop no está instalado, agregue un enlace en la página «Configuración».
- Se ha añadido un enlace directo para descargar Noop, algunos usuarios pueden no ser capaces de instalar plugins directamente.
- Mejoras en el código y pequeñas correcciones de errores.
1.1.1
- 17/12/2013
- Corrección.
1.1
- 16/12/2013
- Refactorización de código.
- Requires WordPress 3.1 at least.
- New: the URLs can be customized, with a filter or a settings page. The settings page needs another plugin to be installed, it’s a framework I made (Noop). See the Move Login row in your plugins list, there’s a new link.
- New: support for custom actions in the login form (added by other plugins).
- New: choose what to do when someone attempts to access the old login page.
- New: choose what to do when someone attempts to access the administration area.
- Nuevo: permitir enlaces permanentes no se requiere más.
- Todo: provide rewrite rules for Nginx systems.
1.0.1
- 30/09/2013
- Corrección de error muy pequeña: enlace del autor roto -_-‘
1.0
- 20/09/2013
- Primera versión estable.
- New: 1 new action called
sfml_wp_login_error
is now available for thewp-login.php
error message, you can use your ownwp_die()
or redirect to another error page for example.
1.0-RC2
- 12/09/2013
- Corrección: en la activación de multisitios cuando el archivo .htaccess no se puede escribir, se muestra un mensaje equivocado, evitando la activación (¿que estaba borracho?).
- probado en multisitios con subdominio.
- SecuPress se une al proyecto 🙂
1.0-RC1
- 11/09/2013
- Neuvo: soporte Multisitio («network» debe estar activado)
- Mejora: actualizada la función set_url_scheme() para WP 3.6.1 (usado para WP < 3.4).
- Mejora: mejores reglas de reescritura.
- Corrección: Las reglas de reescritura del plugin se eliminan realmente del archivo .htaccess en la desactivación.
0.1.1
- 04/06/2013
- Corrección: aviso php debido a un parámetro perdido.
- Corrección: Filtro network_site_url incorrecto.
0.1
- 03/06/2013
- Primera versión beta pública
- Gracias a juliobox, quién se unió al proyecto 🙂