Another WordPress plugin vulnerability leaves over a million websites exposed

A new WordPress plugin vulnerability has been discovered that could allow an attacker to access a site administrator’s login page.

The vulnerability exists in the popular WPS Hide Login plugin and was discovered by a user with the nickname thalakus, who posted a brief description of the problem on the WordPress.org support forum.

Ironically, this vulnerability defeats the purpose of the plugin, which hides the admin login page of a WordPress site and makes the wp-admin directory inaccessible.

As over a million WordPress sites use WPS Hide Login to add a deeper layer of security, users of this plugin should upgrade to the latest version now to prevent any attacker from exploiting this vulnerability.

Hide the administrator login page

While WPS Hide Login can be used to hide a site’s admin login page, there is another way to do this without installing a separate WordPress plugin, according to Search Engine Journal.

As hackers and bots trying to attack a WordPress site’s login page often look in its default location, installing WordPress in a directory with a random name can achieve the same result. So instead of hosting the login page at /wp-login.php, you can install WordPress in a randomly named directory so that the login page appears at /random-file-name/wp-login.php instead.

Nevertheless, the WordPress WPS Hide Login plugin can be useful for sites where WordPress is already installed in the root directory.

The creator of the plugin, Nicolas Kulka, has now fixed the issue and WPS Hide Login users should upgrade the plugin to version 1.9.1 to secure their sites against any potential attack exploiting this vulnerability.


Via Search Engine Journal

Esther L. Gunn