Stealth Login WordPress Plugin Review


Authors: skullbit, devbit
Plugin version: 1.3
WordPress versions: from 2.3 to 2.7.1 according to the author’s information. I made my tests with WordPress 3.1, single-site.
What does this plugin do?
It lets you customize the URLs for the login, logout and register links. For example, you can set the login URL to "http://www.yourblog.com/login-wp-1870" instead of the standard "/wp-login" one. A feature I especially want to point out is the so-called “Stealth mode”, which this plugin makes possible. It denies direct access to the ‘wp-login.php’ script. That is, a link like "http://yourblog.com/wp-login.php" will not work if you activate the stealth mode feature.
Using a harder-to-guess login link at a minimum keeps your site from being explored by the dark armies of dumb bots that try to brute-force your blog administrator’s password and break in. After your blog is penetrated, in the best case you will get a lot of spam as posts and comments. In the worst case your site could be used as a participant in criminal attacks on other Internet resources.
How does it work? Nothing mysterious. It uses the .htaccess URL rewrite engine for that purpose.
Why is it useful?
Did you ever look into your blog’s .htaccess file? If “Yes”, you are possibly a Web developer or an experienced user. A lot of bloggers have never looked into their .htaccess file, I’m sure. Do it now. What does all that “bla-bla-bla” mean?! I think you now know the answer to the question about the purpose of the “Stealth Login” plugin. It does the difficult work for you, and you can still know nothing or very little about .htaccess URL rewrite rules :).
That’s a joke, of course. For those of you who are interested in the subject, there is a good post, “Pretty Login URL: a Simple Rewrite API Plugin Example”, which describes well the technique used in the “Stealth Login” plugin. The most curious of you can read the Apache HTTP Server documentation about the requirements for writing .htaccess rules.

Stealth Login WordPress Plugin Settings

But let’s return to our review now. What were we talking about? Yes, the “Stealth Login” plugin. Take a look at the screenshot of its settings page.
The field labels are self-explanatory. Just do not touch anything you don’t understand. Be careful with the “Custom Rules” field. Its content is added directly to your blog’s .htaccess, so if you make a mistake, then… You can crash your blog. Joke :). If something goes wrong with your blog after installing this plugin, just restore your old copy of the .htaccess file. You didn’t make one? Do not forget to make one next time. Download the .htaccess file via FTP or with your CPanel file manager, open it in your favorite text editor and remove the lines between the comments inserted by the plugin:
# STEALTH-LOGIN
and
# END STEALTH-LOGIN
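
The manual recovery step above can also be scripted on the server. This is an added example, not code from the plugin or from the original post; the function names, the backup suffix `.pre-stealth-removal` and the sample rules are assumptions. It removes the two marker lines together with everything between them, and refuses to edit when a marker is missing or repeated.

```shell
#!/bin/sh
# Added example (not the plugin's code): remove the block Stealth Login wrote
# into .htaccess, keeping a backup. The marker lines are the ones quoted above;
# the backup suffix and the sample rules are assumptions.

strip_stealth_login() {
    file=$1
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }

    # Line numbers of the two marker comments (trailing blanks/CR tolerated).
    begin=$(sed -n '/^# STEALTH-LOGIN[[:space:]]*$/=' "$file")
    end=$(sed -n '/^# END STEALTH-LOGIN[[:space:]]*$/=' "$file")

    # Edit only when there is exactly one begin/end pair in the right order;
    # a missing or repeated marker could otherwise delete unrelated rules.
    case "$begin:$end" in
        *[!0-9:]* | :* | *:)
            echo "markers missing or repeated; $file left untouched" >&2
            return 2 ;;
    esac
    [ "$begin" -lt "$end" ] || { echo "markers out of order" >&2; return 2; }

    cp -p "$file" "$file.pre-stealth-removal" || return 1   # backup first
    tmp=$(mktemp) || return 1
    # Delete the markers and everything between them, then write back in
    # place so the file keeps its owner and permissions.
    sed "${begin},${end}d" "$file" > "$tmp" && cat "$tmp" > "$file"
    status=$?
    rm -f "$tmp"
    return $status
}

# Constructed sample .htaccess: a WordPress block plus a plugin block with a
# placeholder rule (not the plugin's real output).
write_sample_htaccess() {
    cat > "$1" <<'EOF'
# BEGIN WordPress
RewriteEngine On
RewriteRule . /index.php [L]
# END WordPress
# STEALTH-LOGIN
RewriteRule ^login-wp-1870 wp-login.php [L]
# END STEALTH-LOGIN
EOF
}

# Usage: strip_stealth_login /path/to/.htaccess
if [ $# -gt 0 ]; then strip_stealth_login "$1"; fi
```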

What happens if you try to access your admin back-end with “Stealth mode” activated? You will automatically be redirected to your blog home page. Good decision.
I went through the code. It is accurate, well structured and doesn’t contain any features unrelated to the plugin’s functionality. That is, no security threats were found in it.
That is the end of the good things and positive impressions about this plugin.

Now for the fly in the ointment. Although the plugin works fine in my tests, a lot of negative feedback about it has been left at wordpress.org in recent months:

There is a security hole in the declared defense of this plugin: a way to bypass Stealth Login.
In short, the “Stealth Login” URL rewrite rules somehow miss an attempt at direct access to wp-login.php if you use the login link from the 'wp-admin/install.php' page.
The last update of “Stealth Login” was too long ago: 2009-3-4, about 2 years ago. I checked the author’s personal site, http://devbits.ca/. It has only 2 posts, made in September 2010. The author wrote about his intention to refactor his plugins and … That was the end. It’s a pity. Maybe he will return and continue his work.

The plugin is still in intensive use. Users download it about 50-60 times daily. So the decision whether to use “Stealth Login” or not is yours.

Finally, I think that this security addition to WordPress could be useful (after testing on a test installation; do not crash your live blog :)) for those bloggers who can’t use the Apache HTTP authentication feature, which can be configured manually according to the documentation or a tutorial, or via your site control panel’s “protected directory” feature.

P.S. The plugin was removed from the WordPress plugins repository. I suppose the reason was that it had not been updated for too long. It has reappeared under a new name, ‘Hide Login’, and is trying to start a new life, but it still has some problems and can even block your blog if you turn on the WordPress permalink structure…


  • Molana Gendut

    Because of Stealth Login, I can’t enter my admin… (or even just open my website). Any suggestions for me?

  • http://shinephp.com Vladimir Garagulya

    1) Connect to your site via ftp or ssh.
    2) Remove the Stealth Login plugin folder ‘wp-content/stealth-login’. This will deactivate the plugin automatically. Restore the .htaccess file if you have a backup copy. If you do not have one, open your current .htaccess file in a text editor and remove the rows between
    # STEALTH-LOGIN
    and
    # END STEALTH-LOGIN
    This will fully free your blog from the Stealth Login plugin.

  • http://shinephp.com Vladimir Garagulya

    I can’t suggest an alternative. I haven’t looked for one. If you come across something worthwhile, please share the information.
    3.1.1 adds a menu for the admin as a bar at the top. If you use the logout link from that menu, does it work? Maybe a custom link isn’t needed then?
    If I find a solution, I will write more.

  • http://shinephp.com Vladimir Garagulya

    Thanks for the request. I will see what “Lockdown WP” is and write a review.

  • Jason
  • http://www.k9stud.com/viewalldogs.aspx Dogs

    Lockdown WP works and because somebody has been trying to force login
    into my WordPress so I needed something that would hide my wp-admin
    section.

  • http://shinephp.com Vladimir Garagulya

    Try this plugin: http://www.shinephp.com/lockdown-wp-admin-plugin-review
    If you decide to use it, don’t forget to block, in its code, the sending of your data to the author’s server.

  • http://shinephp.com Vladimir Garagulya
  • http://awesomehairtransplant.com/ Harris A

    I was constantly getting attacked by IPs in China and Russia. The
    lockdown was limiting their logins but they had enough IPs to create a
    brute force attack. Changing the code in wp-login.php worked fine too.

    if ($_SERVER['REMOTE_ADDR'] == 'xxx.xxx.xx.xxx') { // safe IP address
    } else {
        exit;
    }