For those who use HAProxy Load Balancer with Wordpress server configuration there is a simple way to change the site’s login address, an easy solution to increase site/blog security!
WordPress default login URL is /wp-login.php or /wp-admin/ and it’ll redirect you to wp-login.php if not yet logged in.
Suppose we want to change the login address of the site as follows:
/wp-login.php to /mysecretlogin/
and starting from the premise of what we know,
- wordpress default login url => /wp-login.php
- new secret login => /mysecretlogin/
- referer when we access the admin page after login => /mysecretlogin/
- the parameter when we want to logout away from the site => action=logout
- the parameter when we were logged off, and redirected to the login page => loggedout=true
- The prefix of cookies in wordpress when we are logged in => wordpress_logged_in_
here is a functional code, tested on the HAProxy V2.1 version:
frontend http_front_ssl bind *:443 ssl crt /etc/ssl/robertvicol.com/robertvicol.pem mode http ... acl restricted_login path_beg,url_dec -i /wp-login.php acl secret_referer hdr_dir(referer) -i /mysecretlogin/ acl logged_out urlp(loggedout) true acl action_logout urlp(action) logout http-request silent-drop if restricted_login !secret_referer !action_logout !logged_out http-request redirect code 301 location / if logged_out acl restricted_admin path_beg,url_dec -i /wp-admin/ acl has_wp_logged_in hdr_sub(cookie) -i wordpress_logged_in_ http-request silent-drop if restricted_admin !has_wp_logged_in acl secret_login path_beg -i /mysecretlogin/ http-request set-path /wp-login.php if secret_login ... default_backend http_back
the important part is between dots (…), the rest of the configuration depends from server to server, each has its own settings.
I chose the “silent-drop” option to reject access, because the effect is more discouraging than the “deny” option that highlights the intention. It is better that the action seems to be a connection problem, rather than a blocking or error message!
In the future I will come back with a personal haproxy.cfg variant that I use in HAProxy as a Load Balancer and Failover (High-Availability) in combination with Varnish as a cache server!
The code does not protect against DDoS attacks, but on this aspect I will come back with another occasion.
Happy codding dear friends !