Stealth Login WordPress Plugin Review

Stealth Login WordPress Plugin

Stealth Login Plugin

Authors: skullbit, devbit
Plugin version: 1.3
WordPress versions: from 2.3 to 2.7.1 according to author’s information. I made my tests with WordPress 3.1, single.
What this plugin do?
It allows to customize URL for login, logout and register links. For example, it is possible to set login URL to "" instead of standard "/wp-login" one. As especially notable feature I wish to mark the so-called “Stealth mode”, which could be realized with the help of this plugin. It denies direct access to ‘wp-login.php’ script. That is link like "" will not work if you activate stealth mode feature.
Using more difficult to guess login link as minimum prevents your site from exploring that dark armies of dummy bots, which try to brute force your blog administrator’s password and penetrate into it. After blog penetration you will get a lot of spam as posts and comments in the best case. In the worst case you site could be used as participant of criminal attacks to other Internet resources.
How it works? Nothing mysterious. It uses .htaccess URL rewrite engine for that purpose.
Why it is useful?
Did you ever look into your blog .htaccess file? If “Yes”, you are a Web developer or experienced user possibly. A lot of bloggers never looked into theirs .htaccess file. I’m sure. Make it now. What does all that “bla-bla-bla” mean?! I think, you know the answer on the question about the purpose of “Stealth Login” plugin now. It make difficult work for you and you still could know nothing or very little about .htaccess URL rewrite rools :).
That’s a joke of course. For those of you, who interested in the subject, there is a good post “Pretty Login URL: a Simple Rewrite API Plugin Example”, which describes well the technique used in the “Stealth Login” plugin. The most curious of you can read Apache HTTP Server documentation about .htaccess rools writing requirements:

Stealth Login WordPress Plugin Settings

Stealth Login WordPress Plugin Settings

But let’s return to our review now. About what do we talk? Yes. “Stealth Login” plugin. Take a look on its settings page screen shot to the left. You can click on it to get a full size image.
Field labels are self-explained. Just do not touch that thing which you don’t understand. Be careful with “Custom Rools” field. Its content will be directly added to you blog .htaccess, so if you make mistake, then… You can crash you blog. Joke :). If something wrong happened with you blog after this plugin installation just restore you old .htaccess file copy. You don’t make one. Do not forget make it the next time. Download .htaccess file via FTP or with your CPanel file manager. Open it in your favorite text editor and remove lines between comments inserted by plugin

How it works if you try to access your admin back-end with the “Stealth mode” activated? You automatically will be redirected to your blog home page. Good decision.
I went through the code. It is accurate, well structured and doesn’t contain any features unrelated to plugin functionality. That is there are no any security threats found in it.
Good things and positive impressions about this plugin are finished.

Now about a fly in the ointment. Inspite of plugin works fine in my tests there are a lot of negative feedbacks about it left at recent months:

There is a security hole in the declared defense of this plugin: way to bypass Stealth Login.
In short – “Stealth Login” URL rewrite rools misses somehow a try of direct access to wp-login.php if you use login link from 'wp-admin/install.php' page
The last update of “Stealth Login” was too long ago: 2009-3-4, about 2 years ago. I checked the author’s personal site It has 2 posts only made in September 2010. Author wrote about his intention to refactor his plugins and … That was the end. Its a pity. May be he will return and continue his work.

Plugin still is in intensive use. Users download it about 50-60 times daily. So, decision to use “Stealth Login” or not is for you.

Finally, I think that this security addition to WordPress could be useful (after testing on the test installation, do not crash you alive blog :)) for those of bloggers, who can’t use Apache HTTP authentication feature, which could be configured manually according to the documentation or tutorial, or via your site control panel “protected directory” feature.

P.S. Plugin was removed from WordPress plugins repository. I suppose the reason was that it was not updated too long time. It is appeared under new name – ‘Hide Login’ and tries to start a new life, but still has some problems and even block your blog if you turn on WordPress permalink structure…

Tags: , ,