Rewrite-Change Your WordPress Login URL via HAProxy Load Balancer

For those who use HAProxy Load Balancer with Wordpress server configuration there is a simple way to change the site’s login address, an easy solution to increase site/blog security!

WordPress default login URL is /wp-login.php or /wp-admin/ and it’ll redirect you to wp-login.php if not yet logged in.

Suppose we want to change the login address of the site as follows:

/wp-login.php

to

/mysecretlogin/

and starting from the premise of what we know,

wordpress default login url => /wp-login.php
new secret login => /mysecretlogin/
referer when we access the admin page after login => /mysecretlogin/
the parameter when we want to logout away from the site => action=logout
the parameter when we were logged off, and redirected to the login page => loggedout=true
The prefix of cookies in wordpress when we are logged in => wordpress_logged_in_

here is a functional code, tested on the HAProxy V2.1 version:

frontend http_front_ssl
     bind *:443 ssl crt /etc/ssl/robertvicol.com/robertvicol.pem
     mode http
...
    acl restricted_login path_beg,url_dec -i /wp-login.php
    acl secret_referer hdr_dir(referer) -i /mysecretlogin/
    acl logged_out urlp(loggedout) true
    acl action_logout urlp(action) logout
    http-request silent-drop if restricted_login !secret_referer !action_logout !logged_out
    http-request redirect code 301 location / if logged_out

    acl restricted_admin path_beg,url_dec -i /wp-admin/
    acl has_wp_logged_in hdr_sub(cookie) -i wordpress_logged_in_
    http-request silent-drop if restricted_admin !has_wp_logged_in

    acl secret_login path_beg -i /mysecretlogin/
    http-request set-path /wp-login.php if secret_login
...
default_backend http_back

the important part is between dots (…), the rest of the configuration depends from server to server, each has its own settings.

I chose the “silent-drop” option to reject access, because the effect is more discouraging than the “deny” option that highlights the intention. It is better that the action seems to be a connection problem, rather than a blocking or error message!

In the future I will come back with a personal haproxy.cfg variant that I use in HAProxy as a Load Balancer and Failover (High-Availability) in combination with Varnish as a cache server!

Note:

The code does not protect against DDoS attacks, but on this aspect I will come back with another occasion.

Happy codding dear friends !

On the same topic:

Cum poti schimba adresa de login din WordPress folosind HAProxy Load Balancer Pentru cei care utilizează HAProxy Load Balancer impreuna cu Wordpress, există o modalitate simplă de a schimba adresa de login…
Cloudflare Firewall Rules - How to Block Bots and Securing WordPress If you use CloudFlare services then you must know that you can filter out much of the useless traffic and…
Cloudflare Firewall - Cum sa blochezi botii si sa securizezi Wordpress Daca folosesti serviciile CloudFlare atunci trebuie sa stii ca poti sa filtrezi mare parte din traficul inutil si chiar sa-ti…

Be First to Comment

Leave a Reply Cancel reply