Yet another WordPress plugin vulnerability leaves over one million websites exposed

Person editing a WordPress site
(Image credit: Pixabay)

A new WordPress plugin (opens in new tab) vulnerability has been discovered that could allow an attacker to gain access to a site's administrator login page (opens in new tab).

The vulnerability exists in the popular WPS Hide Login plugin and was discovered by a user with the handle thalakus who posted a brief description of the issue (opens in new tab) on WordPress.org's support forum. 

Ironically, this vulnerability defeats the purpose of the plugin which hides a WordPress site's administrator login page and makes the wp-admin directory inaccessible.

As over one million WordPress (opens in new tab) sites use WPS Hide Login to add a deeper layer of security, users of this plugin should upgrade to the latest version now to prevent any attackers from exploiting this vulnerability.

Hiding the administrator login page

While WPS Hide Login and can be used to hide a site's administrator login page, there's actually another way to do so without having to install a separate WordPress plugin according to Search Engine Journal (opens in new tab).

As hackers and bots trying to attack a WordPress site's login page often look in its default location, installing WordPress into a directory folder with a random name can be used to achieve the same outcome. So instead of housing the login page at /wp-login.php, you can install it into a directory folder with a random name so it appears like this instead: /random-file-name/wp-login.php.

Still though, the WPS Hide Login WordPress plugin can be useful for sites that already have WordPress installed at the root directory.

The creator of the plugin, Nicolas Kulka, has now fixed the issue and WPS Hide Login users should upgrade the plugin to version 1.9.1 (opens in new tab) to secure their sites from any potential attacks exploiting this vulnerability.

We've also rounded up the best WordPress plugins (opens in new tab), best WordPress hosting (opens in new tab) and best web hosting services (opens in new tab)

Via Search Engine Journal (opens in new tab)

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.