w3all Login Widget
Posted: Sun Sep 13, 2020 11:55 am
Good morning (my time) and a great day to you!
I make a quick observation today that I notice to some may be alarming (??) But maybe not. Here is what I observe.
1. I install WordPress and then integrate phpBB3 with your wonderful plugin and then I embed using the iFrame.
2. I secure my website further by changing the name of my plugins folder due to many hackers gaining access through the plugins folder.
3. I make sure my Display name does not match my login name, however for integration purposes, email and usernames match for WordPress and phpBB3
4. I chose to disable regular access to the WordPress login methods such as /wp-admin/, /admin/, and /login/. This is possible via the WordPress Security suite that we used to secure our integration and WordPress as pointed out to do here https://www.axew3.com/w3/forum/?coding= ... BocD9mPTI=
Now here is what I observed when I disabled standard login access and changed the link to a "secret" link. Let's say I called my secret login link /pinkfloyd
If I choose to enable the w3all Login Widget and hover over the word "Login", it exposes my secret login link. Now this is not really a big deal at all if one secures their WordPress as you have pointed out in the link that I shared in this post in point #4. And you even stated in the post not to go overboard and set too many settings in the security as it is not needed. I completely agree with you. But .... I must test anyhow because that is what I do. I test.
So if someone DOES care and they DO alter their login link, they can not ever use the w3all login widget under any circumstances ever or their "Secret" login link will be revealed to all. I do not believe this is a w3all issue at all. I firmly believe this is a WP Security issue that needs resolved ASAP. They are the ones who offer the "Secret Link" setting and it leaks the secret link if you use the login widget provided by WP as well.
As pointed out, this is not your plugin's fault. I just wanted to point it out to you and make it known so maybe in your secure your install thread that I linked to, you can make a mention if you so desire. I feel as though some might see your widget give up the secret and blame you and in all reality, it is in fact not your plugin's fault at all. It is WP Security's fault. I call that a security leak.
Have a safe and wonderful day/evening and may you enjoy many wonderful cups of delicious coffee!
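Added example, not part of the original post and not code from the w3all plugin or any security suite: a site owner's check that scans the HTML a logged-out visitor receives for any link or form that points at the renamed login path. The `/pinkfloyd` slug comes from the post; the sample markup, the `example.test` host and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag -> attribute that carries a URL a visitor can read by hovering or viewing source.
URL_ATTRS = {"a": "href", "form": "action", "link": "href", "iframe": "src"}

# Constructed sample of what a sidebar with a login widget might render.
SAMPLE_PAGE = """
<aside class="widget">
  <a href="https://example.test/pinkfloyd?redirect_to=%2F">Login</a>
  <form action="/pinkfloyd/" method="post"><input name="log"></form>
  <a href="/pinkfloyd-fans/">Fan page</a>
  <a href="/forum/">Forum</a>
</aside>
"""


class LoginLinkFinder(HTMLParser):
    """Collect elements whose URL path ends at the renamed login slug."""

    def __init__(self, slug):
        super().__init__()
        self.slug = "/" + slug.strip("/").lower()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        wanted = URL_ATTRS.get(tag)
        for name, value in attrs:
            if name != wanted or not value:
                continue
            # Compare only the path, so query strings and hosts do not matter.
            path = "/" + urlsplit(value).path.strip("/").lower()
            # Matches /pinkfloyd and /blog/pinkfloyd, but not /pinkfloyd-fans.
            if path.endswith(self.slug):
                self.hits.append((tag, name, value))


def find_login_leaks(html, slug):
    """Return (tag, attribute, url) for every exposure of the slug in html."""
    finder = LoginLinkFinder(slug)
    finder.feed(html)
    return finder.hits


if __name__ == "__main__":
    for tag, attr, url in find_login_leaks(SAMPLE_PAGE, "/pinkfloyd"):
        print(f"login path exposed in <{tag} {attr}={url!r}>")
```

Run it against the saved HTML of each public page template (home, single post, forum iframe wrapper) after enabling or changing any widget.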