Hat tip to @norcross for this login page security code. I can’t claim any credit for this, but it deserves to be shared. I’ve recommended using a login monitoring plugin before. On WP Engine, Limit Login Attempts is a mandatory plugin. I’ve had a client having problems recently where someone on her IP address is attempting and failing to log in, which is creating a lockout for her own valid attempts.
The natural solution is to block access to the login screen. Unfortunately, in this case, blocking the offending IP address in the .htaccess file won’t help, because that is my client’s own IP address. As usual, I posed the situation to my Twitter crowd and got an elegant solution in minutes from @norcross. Seriously, if you’re not following Andrew Norcross, you are missing out.
Place the following code in your theme’s (or child theme’s) functions.php file and find/replace each “question” and each “answer” with your own words. Bots that scan for wp-login.php don’t append a site-specific query string, so this hides the login form from nearly all automated attempts and adds another wall to break through. Keep in mind what it is: an extra layer of obscurity, not a replacement for strong passwords and rate limiting. The secret travels in the URL, so it will show up in your server’s access logs and in browser history, and anyone you give the link to can pass it on. Combined with excellent hosting that has proper file permissions and firewalls, this makes the dashboard considerably harder to reach. To read more about the various types of hosting, check out my page on hosting.
/*
 * Check the URL of the WordPress login
 * page for a specific query string
 *
 * assumes login string is
 * http://www.your-site.com/wp-login.php?question=answer
 */
add_action( 'login_init', 'login_stringcheck' );
function login_stringcheck() {
	// The login form posts back to wp-login.php without the query string,
	// so only gate page loads (GET). Direct POSTs still reach the login
	// handler, which is why rate limiting (Limit Login Attempts) stays on.
	if ( 'GET' !== $_SERVER['REQUEST_METHOD'] ) {
		return;
	}
	// set the location a failed attempt goes to
	$redirect = 'http://www.google.com/';
	// query string missing altogether, or carrying the wrong value
	if ( ! isset( $_GET['question'] ) || 'answer' !== $_GET['question'] ) {
		wp_redirect( esc_url_raw( $redirect ), 302 );
		// wp_redirect() only sends the Location header; stop here so the
		// rest of wp-login.php never runs for the uninvited visitor.
		exit;
	}
}
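A stronger variant, added here as an example and not part of @norcross’s snippet or the Stealth Login Page plugin: it gates every request to wp-login.php, form submissions included, and keeps logging in working by appending the secret to the login URLs WordPress builds through site_url() with the 'login' or 'login_post' scheme (the login form’s action, wp_login_url(), wp_logout_url() and, on a single-site install, wp_lostpassword_url()). The parameter name “question”, the value “answer”, the redirect target and the function names are placeholders to change. One limit to be aware of: WordPress’s own redirect after logout, to wp-login.php?loggedout=true, is not built through site_url(), so that request still arrives without the secret and is sent to the redirect target, which matches what a commenter below describes.

```php
<?php
/*
 * Added example, not the original snippet: gate wp-login.php on a secret
 * query string for every request method, and carry that secret on the
 * login URLs WordPress generates so the form, logout and lost-password
 * links keep working. Replace the placeholder key, value and target.
 */

define( 'LOGIN_GATE_KEY',    'question' );            // placeholder parameter name
define( 'LOGIN_GATE_VALUE',  'answer' );              // placeholder secret value
define( 'LOGIN_GATE_TARGET', 'http://www.google.com/' ); // where uninvited visitors go

// Runs early in wp-login.php for every action (login, logout, lostpassword, ...).
add_action( 'login_init', 'login_gate_check' );
function login_gate_check() {
	// $_GET is populated from the URL even on a POST, so the form action
	// carrying ?question=answer satisfies this check as well.
	$supplied = ( isset( $_GET[ LOGIN_GATE_KEY ] ) && is_string( $_GET[ LOGIN_GATE_KEY ] ) )
		? $_GET[ LOGIN_GATE_KEY ]
		: '';

	// hash_equals() (PHP 5.6+) compares in constant time, so response timing
	// does not reveal how many leading characters of a guess were correct.
	if ( ! hash_equals( LOGIN_GATE_VALUE, $supplied ) ) {
		wp_redirect( esc_url_raw( LOGIN_GATE_TARGET ), 302 );
		// wp_redirect() only sets the Location header; without exit the rest
		// of wp-login.php (including the login handler) would still run.
		exit;
	}
}

// Append the secret to wp-login.php URLs that WordPress builds via site_url():
// the login form's action uses the 'login_post' scheme, while wp_login_url(),
// wp_logout_url() and (single-site) wp_lostpassword_url() use 'login'.
add_filter( 'site_url', 'login_gate_add_secret', 10, 3 );
function login_gate_add_secret( $url, $path, $scheme ) {
	if ( in_array( $scheme, array( 'login', 'login_post' ), true )
		&& false !== strpos( (string) $path, 'wp-login.php' ) ) {
		$url = add_query_arg( LOGIN_GATE_KEY, LOGIN_GATE_VALUE, $url );
	}
	return $url;
}
```

Because the gate now applies to POST requests too, a bot that posts credentials straight at wp-login.php without the secret is turned away before WordPress ever checks the password; with the original snippet those posts still reach the login handler, so Limit Login Attempts is doing the real work there. Bookmark the full URL with the secret, since the bare wp-login.php address will always redirect.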
Brad Smith says
Tried to view your login screen but redirected to Google. So how do you get to your login screen?
Jesse Petersen says
That’s a joke, right? Good one.
Read what the code does, including the commented lines.
WordPress Tribe says
Brilliant plugin, Jesse (I’m using the Stealth Login Page plugin), and a great way to add yet another layer of protection to the login form for a WordPress site. Now, if they can by some miracle find it, they still have to contend with Limit Login Attempts.
Jesse Petersen says
Precisely. I’m so glad you’re finding it useful. Would you mind giving it a rating on the repository? http://wordpress.org/support/view/plugin-reviews/stealth-login-page
Plume says
Using your plugin and it’s great for login redirect. It will add some extra protection, etc. But is there a way to make the logout return to the home page, instead of the redirect link? As in, when I log myself out.
Also, is it okay to use sites other than Google for the redirect? I’m guessing it is. That the site doesn’t matter . . .
Thanks in advance.
Jesse Petersen says
So, if you’re using my plugin http://wordpress.org/extend/plugins/stealth-login-page/ or this code, you’ll see there’s a field or an option to fill in. Try it and see – it’s an option. Forget this code and just use the plugin, and direct support questions there, please. http://wordpress.org/support/plugin/stealth-login-page
Plume says
Thanks for the quick response. I tried it again and am still being redirected when I log out. Saw someone else with the issue and you suggested it was a timeout thing. I logged out too quickly for that to be it. Will post it to the support page.