WPS Hide Login recently patched a vulnerability that could expose the website’s secret login page. The vulnerability allows a malicious hacker to easily find the login page and then use brute force or other mechanisms against the website. So, the vulnerability completely defeats the purpose of the plugin, which claims to hide the login page.
WPS Hide Login is a popular plugin with over one million installations. If you use this plugin on your WordPress website, you need to update it to the latest version.
According to the WPS Login Changelog:
“1.9.1
Fix : by-pass security issue allowing an unauthenticated user to get login page by setting a random referer string via curl request.”
The vulnerability was publicly reported on the plugin’s support page. Later, WPScan also published a proof of concept demonstrating that the vulnerability is real.
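A log-review heuristic for the behaviour named in the changelog entry (an unauthenticated curl request carrying a random referer string), added here as an example; it is not code from the plugin, WPScan or the original article. It assumes combined-format access logs, and the function names, the host example.com, the sample lines and the two flagging rules are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Combined log format: ip - - [time] "METHOD path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def referer_verdict(referer, site_host):
    """Classify a Referer value as absent, not-a-url, same-site or foreign."""
    if referer in ("", "-"):
        return "absent"
    try:
        parts = urlsplit(referer)
        host = parts.hostname
    except ValueError:  # malformed bracketed host and similar
        return "not-a-url"
    if parts.scheme not in ("http", "https") or not host:
        return "not-a-url"
    return "same-site" if host == site_host else "foreign"

def find_suspect_requests(lines, site_host):
    """Return (ip, path, status, reason) tuples for requests worth reviewing."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a combined-format entry
        verdict = referer_verdict(m["referer"], site_host)
        if verdict == "not-a-url":
            reason = "referer is not a URL"
        elif verdict == "foreign" and m["ua"].lower().startswith("curl/"):
            reason = "curl with foreign referer"
        else:
            continue
        hits.append((m["ip"], m["path"], int(m["status"]), reason))
    return hits

# Constructed sample lines (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /blog/hello HTTP/1.1" 200 5120 "https://www.google.com/" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /wp-login.php HTTP/1.1" 404 312 "xk29fjq" "curl/7.68.0"',
    '198.51.100.7 - - [01/Jan/2024:10:00:06 +0000] "GET /some-page HTTP/1.1" 302 0 "http://other-site.test/x" "curl/7.68.0"',
    '192.0.2.10 - - [01/Jan/2024:10:00:09 +0000] "POST /contact HTTP/1.1" 200 128 "https://example.com/contact" "Mozilla/5.0"',
    'not a log line',
]

if __name__ == "__main__":
    for hit in find_suspect_requests(SAMPLE_LOG, "example.com"):
        print(hit)
```

Hits are leads for manual review on sites that ran a version older than 1.9.1, not proof that the login page was disclosed.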
WordPress is a popular content management system used by millions of websites, so several hacking tools exist that claim to crack WordPress logins using different methods. That is why people use the WPS Hide Login plugin to hide the login page from malicious bots and users. The WordPress login page usually exists at /wp-login.php, but you can use the plugin to change it to /some-folder/wp-login.php or anything you want.