WordPress Security Plugin Exposes +1 Million Websites – Search Engine Journal

WPS Hide Login WordPress Plugin exposed the location of the hidden login page, defeating the purpose of the plugin
The WPS Hide Login WordPress plugin recently patched a vulnerability that exposes users secret login page. The vulnerability allows a malicious hacker to defeat the purpose of the plugin (of hiding the login page), which can exposes the site to an attack for unlocking the password and login.
Essentially, the vulnerability completely defeats the intended purpose of the plugin itself, which is to hide the WordPress login page.
The WPS Hide Login security plugin defeats hacker attempts to gain access to a WordPress site by hiding the administrator login page and making the wp-admin directory inaccessible.
WPS Hide Login is used by over one million websites to add a deeper layer of security.
Defeating hackers and hacker bots that attack the default login page of a WordPress site doesn’t actually need a plugin. An easier way to accomplish the same thing is to install WordPress into a directory folder with a random name.
What happens is tha the login page hacker bots will seek out the normal login page but it doesn’t exist at the expected URL location.
Instead of existing at /wp-login.php the login page is effectively hidden at /random-file-name/wp-login.php.
Login bots always assume that the WordPress login page is at the default location, so they never go looking for it at a different location.
The WPS Hide Login WordPress plugin is useful for sites that have already installed WordPress in the root, i.e.
The vulnerability was publicly reported on the plugin’s support page.
A user of the plugin reported that if the main home page was redirected then adding a specific file name to the URL that redirects will expose the URL of the hidden login page.
This is how they explained it:
“For example with the following domain: if redirects to there is the following bypass:
Entering the URL and add /wp-admin/options.php then it redirects to and you see the login-url and could log in.”
WPScan, a WordPress security organization published a proof of concept. A proof of concept is an explanation that shows that a vulnerability is real.
The security researchers published:
“The plugin has a bug which allows to get the secret login page by setting a random referer string and making a request to /wp-admin/options.php as an unauthenticated user.
Proof of Concept
curl –referer “something” -sIXGET
HTTP/2 302 ”
The United States government National Vulnerability Database rated the vulnerability as a high level exploit, giving it a score of 7.5 on a scale of 1 to 10, with a score of 10 representing the highest threat level.
The publishers of the WPS Hide Login plugin updated the plugin by patching the vulnerability.
The patch is contained in version 1.9.1.
According to the WPS Login Changelog:
Fix : by-pass security issue allowing an unauthenticated user to get login page by setting a random referer string via curl request.
page by setting a random referer string via curl request.”
Users of the affected plugin may wish to consider updating to the latest version, 1.9.1, in order to effectively hide their login page.
CVE-2021-24917 Detail
WPS Hide Login < 1.9.1 – Protection Bypass with Referer-Header
WPS Hide Login Changelog
Get our daily newsletter from SEJ’s Founder Loren Baker about the latest news in the industry!
Roger Montti is a search marketer with over 20 years experience. I offer site audits, phone consultations and content and … [Read full bio]
Subscribe to our daily newsletter to get the latest industry news.
Subscribe to our daily newsletter to get the latest industry news.


Leave a Reply

Your email address will not be published. Required fields are marked *