remyperona / wps-hide-login

WPS Hide Login

Bug in plugin. Login address easily revealed by hackers! #14

Open Enterius opened 7 years ago

Enterius commented 7 years ago

There must be a hole in the plugin, because for some time now hackers discover my login address even if I change it to a non-dictionary string (e.g. "A7jkj4hT6"). Today I changed it again and it took someone 20 minutes to find it and try to login (failed luckily) :) By the way, the plugin removes any special characters from the address and only letters and numbers are working. But that is not a big problem :) So please investigate if you can. I like your plugin very much but there was no update for a long time. If you need some more details please let me know, I'll see what I can provide. Best regards.

digitallagoon commented 7 years ago

Maybe you should provide here the apache/php log for that time window (20 minutes or maybe 30 minutes around the login address quest). The queries made to your website could be interesting too (these appear in the logs).

Enterius commented 7 years ago

I'm afraid it's too late for that and old logs are not on my server anymore. And because there was no response from you for a long time I changed the plugin to WP Cerber and now there are no problems with revealing the admin url. So for me the problem is solved. But thanks anyway for the response. For your information I did a little research and the problem is with the method you use to change the login url and the admin-ajax inclusion in frontend javascript, which is very common on WordPress sites. Your plugin is not really creating a custom login endpoint but is instead simply using the web server's rewrite rules to rename the wp-admin directory. That is not the proper way to achieve a custom login page url and that is why it is not safe or really hidden. So you might consider some improvements :) Best regards
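The leak path described in the comment above (a renamed admin directory showing up in the front-end markup through admin-ajax references) is something a site owner can check for themselves before relying on a "hidden" login URL. The following self-audit script is an added example, not code from the WPS Hide Login project or from anyone in this thread. It parses a page's HTML for references to WordPress admin endpoints and reports the directory each one lives under; the `SAMPLE_HTML` page, the `example.test` host, the `A7jkj4hT6` slug and the `my_plugin` JSON object are all constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample page (not a real site): an inline script carries a
# JSON-encoded admin-ajax URL under a renamed admin directory ("A7jkj4hT6"),
# and a footer link still points at the default wp-login.php.
SAMPLE_HTML = r"""
<html><head>
<script type="text/javascript">
/* <![CDATA[ */
var my_plugin = {"ajax_url":"https:\/\/example.test\/A7jkj4hT6\/admin-ajax.php","nonce":"abc123"};
/* ]]> */
</script>
<link rel="stylesheet" href="https://example.test/wp-includes/css/dist/block-library/style.min.css">
</head><body>
<a href="https://example.test/wp-login.php">Log in</a>
</body></html>
"""

# WordPress endpoints whose URL reveals the directory they are served from.
ADMIN_ENDPOINTS = ("admin-ajax.php", "wp-login.php", "admin-post.php")

# Absolute or protocol-relative URLs that end in one of the admin endpoints.
# Quotes, whitespace and angle brackets terminate a URL so a match never
# spans two HTML attributes.
_URL_RE = re.compile(
    r"(?P<url>(?:https?:)?//[^\s\"'<>]+?/(?P<file>"
    + "|".join(map(re.escape, ADMIN_ENDPOINTS))
    + r"))"
)


def _unescape_slashes(text):
    # Localized script data is usually JSON-encoded, so slashes arrive as "\/".
    return text.replace("\\/", "/")


def find_admin_endpoint_urls(html):
    """Return every admin endpoint URL in the markup together with the path
    directory that precedes the endpoint file ("" when it sits at site root)."""
    found = []
    for m in _URL_RE.finditer(_unescape_slashes(html)):
        url = m.group("url")
        absolute = url if url.startswith("http") else "https:" + url
        path = urlsplit(absolute).path
        directory = path[: -len(m.group("file"))].strip("/")
        found.append({"url": url, "file": m.group("file"), "directory": directory})
    return found


def leaked_directories(html):
    """Distinct non-root directories under which admin endpoints are referenced."""
    return sorted({hit["directory"] for hit in find_admin_endpoint_urls(html) if hit["directory"]})


def exposes_slug(html, slug):
    """True if the renamed admin/login slug is visible as a path directory in the page."""
    return slug in leaked_directories(html)


if __name__ == "__main__":
    for hit in find_admin_endpoint_urls(SAMPLE_HTML):
        print(f"{hit['file']:15} dir={hit['directory'] or '/':12} {hit['url']}")
    print("renamed slug exposed:", exposes_slug(SAMPLE_HTML, "A7jkj4hT6"))
```

Run it against the saved HTML of your own front page (for example the output of a logged-out fetch) and pass your chosen slug to `exposes_slug`; if it returns `True`, a rename-only approach has already published the slug to every visitor, which matches the behaviour the reporter observed.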