When using a custom login page and redirecting the default one to 404, the latter can still be accessed via wp-login.php?action=login, which defeats the purpose of this security mechanism. Same goes for wp-login.php?action=lostpassword.
Another issue is that the custom login form lets an attacker know if a certain username/email exists on the website. This should be improved by displaying a more generic error message like “Wrong username or password”. Also, the lost password link should be removed from the error message.
On the other hand, the custom lost password form works well. You can set a generic success message like “If the email exists, you will receive a link for resetting your password”, which is displayed after each submission, whether the email exists or not.
I am aware that this is a WordPress problem, but it would be great if Bricks could address it.
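A defender-side sketch of the three points raised in this post, as an added example that is not Bricks' or WordPress core's code: a must-use plugin that returns 404 from wp-login.php for any unexpected action (so `?action=login`, `?action=lostpassword`, `?action=foobar` and the path-info form `/wp-login.php/` are all caught, because the hook runs inside wp-login.php rather than matching the URL), plus two helpers that a custom form's submit handling could call to get generic messages. The allow-list of actions and the `harden_*` function names are assumptions; `retrieve_password()` taking the login as an argument assumes WordPress 5.7 or later.

```php
<?php
// Added example (not Bricks' or WordPress core's code). Drop into wp-content/mu-plugins/.
// The allowed-action list and the harden_* names are assumptions for illustration.

// 1. Serve a real 404 for every wp-login.php request whose action is not allow-listed.
//    'login_init' fires inside wp-login.php for every request that reaches the file,
//    so ?action=login, ?action=lostpassword, ?action=foobar and /wp-login.php/
//    are all handled without any URL matching.
const HARDEN_LOGIN_ALLOWED_ACTIONS = array( 'logout', 'postpass', 'rp', 'resetpass' );

function harden_login_block_default_page() {
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : 'login';
    if ( in_array( $action, HARDEN_LOGIN_ALLOWED_ACTIONS, true ) ) {
        return; // reset links sent by the custom lost-password form must keep working
    }
    status_header( 404 );
    nocache_headers();
    $template = get_404_template(); // theme's 404 page, so the response is indistinguishable from any other missing URL
    if ( $template ) {
        include $template;
    } else {
        wp_die( 'Not Found', 'Not Found', array( 'response' => 404 ) );
    }
    exit;
}
add_action( 'login_init', 'harden_login_block_default_page' );

// 2. Login helper for a custom form: every failure (unknown user, wrong password,
//    unknown email) collapses to one generic message with no lost-password link.
function harden_login_attempt( $login, $password, $remember = false ) {
    $creds = array( 'user_login' => $login, 'user_password' => $password, 'remember' => $remember );
    $user  = wp_signon( $creds, is_ssl() );
    if ( is_wp_error( $user ) ) {
        return new WP_Error( 'login_failed', __( 'Wrong username or password.' ) );
    }
    return $user;
}

// 3. Lost-password helper for a custom form: retrieve_password() returns true or a
//    WP_Error whose code reveals whether the account exists. Discard that distinction
//    and always report the same message, whether or not an email was sent.
function harden_lost_password_request( $login ) {
    retrieve_password( $login ); // WordPress 5.7+: accepts the login/email as an argument
    return __( 'If the email exists, you will receive a link for resetting your password.' );
}
```

The generic message closes the message-based oracle only: `wp_signon()` still runs the password hash check only when the account exists, so response timing can differ between existing and non-existing users.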
@Matej just tested this and it works great! It now fixes the age-old WP security problem by not letting one know whether a certain username/email exists on the site, which is awesome!
However, a random value for the action parameter still opens the default login page, e.g. wp-login.php?action=foobar. If this can be fixed as well, this will be a rock-solid WP auth security solution.
@charaf I can confirm the wp-login.php?action=foobar issue has been resolved. However, the /wp-login.php/ issue still hasn’t. Given that you cannot replicate it, could it be that it is webserver-specific? I’m using LiteSpeed.
@aljazbz Yes, that could be webserver-specific. If you’re able to replicate it with all plugins disabled, it would be great if you could share temporary admin access to the site to help@bricksbuilder.io with a link to this forum thread so we can investigate further.
Thank you for sharing access! I have just applied a patch to your site. Let me know if it’s working as expected on your end as well. If it’s all good, the fix should also be included in our next release.