The WPS Hide Login WordPress plugin recently patched a vulnerability that exposes users secret login page. The vulnerability allows a malicious hacker to defeat the purpose of the plugin (of hiding the login page), which can exposes the site to an attack for unlocking the password and login.
Essentially, the vulnerability completely defeats the intended purpose of the plugin itself, which is to hide the WordPress login page.
WPS Hide Login
The WPS Hide Login security plugin defeats hacker attempts to gain access to a WordPress site by hiding the administrator login page and making the wp-admin directory inaccessible.
WPS Hide Login is used by over one million websites to add a deeper layer of security.
Defeating hackers and hacker bots that attack the default login page of a WordPress site doesn’t actually need a plugin. An easier way to accomplish the same thing is to install WordPress into a directory folder with a random name.
What happens is tha the login page hacker bots will seek out the normal login page but it doesn’t exist at the expected URL location.
Instead of existing at /wp-login.php the login page is effectively hidden at /random-file-name/wp-login.php.
Login bots always assume that the WordPress login page is at the default location, so they never go looking for it at a different location.
The WPS Hide Login WordPress plugin is useful for sites that have already installed WordPress in the root, i.e. example.com/.
Report of Vulnerability
The vulnerability was publicly reported on the plugin’s support page.