The WPS Hide Login WordPress plugin recently patched a vulnerability that exposes users secret login page. The vulnerability allows a malicious hacker to defeat the purpose of the plugin (of hiding the login page), which can exposes the site to an attack for unlocking the password and login.
Essentially, the vulnerability completely defeats the intended purpose of the plugin itself, which is to hide the WordPress login page.
WPS Hide Login
The WPS Hide Login security plugin defeats hacker attempts to gain access to a WordPress site by hiding the administrator login page and making the wp-admin directory inaccessible.
WPS Hide Login is used by over one million websites to add a deeper layer of security.
Defeating hackers and hacker bots that attack the default login page of a WordPress site doesn’t actually need a plugin. An easier way to accomplish the same thing is to install WordPress into a directory folder with a random name.
What happens is tha the login page hacker bots will seek out the normal login page but it doesn’t exist at the expected URL location.
Instead of existing at /wp-login.php the login page is effectively hidden at /random-file-name/wp-login.php.
Login bots always assume that the WordPress login page is at the default location, so they never go looking for it at a different location.
The WPS Hide Login WordPress plugin is useful for sites that have already installed WordPress in the root, i.e. example.com/.
Report of Vulnerability
The vulnerability was publicly reported on the plugin’s support page.
A user of the plugin reported that if the main home page was redirected then adding a specific file name to the URL that redirects will expose the URL of the hidden login page.
This is how they explained it:
“For example with the following domain: sub.domain.com if domain.com redirects to sub.domain.com there is the following bypass:
Entering the URL domain.com and add /wp-admin/options.php then it redirects to sub.domain.com/changedloginurl and you see the login-url and could log in.”
Security Site Published a Proof of Concept
WPScan, a WordPress security organization published a proof of concept. A proof of concept is an explanation that shows that a vulnerability is real.
The security researchers published:
“The plugin has a bug which allows to get the secret login page by setting a random referer string and making a request to /wp-admin/options.php as an unauthenticated user.
Proof of Concept
curl –referer “something” -sIXGET https://example.com/wp-admin/options.php
HTTP/2 302 ”
The United States government National Vulnerability Database rated the vulnerability as a high level exploit, giving it a score of 7.5 on a scale of 1 to 10, with a score of 10 representing the highest threat level.
WPS Hide Login Vulnerability Patched
The publishers of the WPS Hide Login plugin updated the plugin by patching the vulnerability.
The patch is contained in version 1.9.1.
According to the WPS Login Changelog:
“1.9.1
Fix : by-pass security issue allowing an unauthenticated user to get login page by setting a random referer string via curl request.page by setting a random referer string via curl request.”
Users of the affected plugin may wish to consider updating to the latest version, 1.9.1, in order to effectively hide their login page.
Citations
US Government National Vulnerability Database
WPScan Report of WPS Hide Login Vulnerability
WPS Hide Login < 1.9.1 – Protection Bypass with Referer-Header
