How to redirect user to 404 page not found error w

2019-07-18 15:46发布

For security reasons I am trying to restrict my wordpress site admin and login panel access to non-admin users by rewriting the link, such that if user types in http://www.mysite.com/wp-login.php or http://www.mysite.com/wp-admin he is redirected to Error 404 page but if he types http://www.mysite.com/blah-login or http://www.mysite.com/blah-admin is redirected to my WP admin or login panel. I have following options to do that.

  1. Rewrite .htaccess file which I am not good at and don't wanna mess up my site's .htaccess file.
  2. Use $wp_rewrite class which I did by writing a small plugin, its code is given below.

    register_activation_hook( __FILE__, 'activate' );
    function activate() {
        rewrite();
        flush_rewrite_rules();
    }
    register_deactivation_hook( __FILE__, 'deactivate' );
    function deactivate() {
        flush_rewrite_rules();
    }
    add_action( 'init', 'rewrite' );
    function rewrite() {
        add_rewrite_rule( 'blah-admin/?$', 'wp-admin', 'top' );
        add_rewrite_rule( 'blah-login/?$', 'wp-login.php', 'top' );
        add_rewrite_rule( 'blah-register/?$', 'wp-register.php', 'top' );
    }
    

    It works perfectly only problem is it does not restrict access to wp-admin, wp-login.php or wp-registe.php (Which is must).

  3. I can write following rule to a new .htaccess file.

    AuthUserFile /dev/null
    AuthGroupFile /dev/null
    AuthName "Wordpress Admin Access Control"
    AuthType Basic
    
    <LIMIT GET>
      order deny,allow
      deny from all
      allow from xxx.xxx.xxx.xxx
    </LIMIT>
    

    and place it under wp-admin folder, it has 2 drawbacks one is it will only restrict access to my wp-admin folder not wp-register.php or wp-login.php and second is I am a DHCP client so allow from xxx.xxx.xxx.xxx will not work for me.

  4. I could use a combination 2nd and third rule but it will definitely not work because I cannot provide an alternative permalink to a overall blocked folder.

  5. As for a last resort I could use wp-modal plugin's permalink rewriting capability, it works like a charm but this plugin is not compatible with my theme.

So is there really a solution to my problem?

2条回答
▲ chillily
2楼-- · 2019-07-18 16:15

I use this snippet to redirect people away from the backend if they're not already logged in. You could modify it to point to your 404:

// BLOCK BACKEND ACCESS FOR NON-ADMINS
add_action( 'init', 'blockusers_init' );
function blockusers_init() {
    // If accessing the admin panel and not an admin
    if ( is_admin() && !current_user_can('level_10') ) {
        // Redirect to the homepage
        wp_redirect( home_url() );
        exit;
    }
}

Just change the URL from the home_url() function to your 404 page under wp_redirect.

查看更多
混吃等死
3楼-- · 2019-07-18 16:17

I assume that you're trying to protect yourself from brute-force attacks? Why not just limit the frequency of allowed login attempts? There is a pretty solid plugin called "Limit Login Attempts" which will track per IP and the use of cookies.

Check it out here: http://wordpress.org/plugins/limit-login-attempts/

Trying to mask the login page is an interesting idea, though. You could just create your own login page somewhere and have it interact with a custom login script that you write. This would allow you 301 redirect the login pages to a 404 page without messing with any core functionality.

You could have a form at something like https://yourwpsite.com/supersecretlogin and then have it POST to a custom handler that uses the wp_signon method. Here's an example of how to log someone in without using wp-admin:

$creds = array();
$creds['user_login'] = $_POST['user'];
$creds['user_password'] = $_POST['password'];
$creds['remember'] = true;
$user = wp_signon( $creds, false );
if ( is_wp_error($user) )
   exit($user->get_error_message());
header('Location: https://yourwpsite.com/wp-admin');

http://codex.wordpress.org/Function_Reference/wp_signon

Hope that helps!

查看更多
登录 后发表回答