Hiding Wordpress app login page create backup problem

stoccafisso

Hi all

In wordpress app I use a plugin to hide the login page /wp-admin and /wp-login.php. Accessing these pages will then give the user a 404

BUT, it seems cloudron is sending a form of beacon signal to the wordpress app login page, to figure out if the app is up working or not. As cloudron does not find the login page, it detect it as an error and state in the cloudron admin panel that the app is "Not responding", even though the wordpress app is running fine.

It may look like this also prevents cloudron from creating automatic backups of the app, even if it is configured to do so. Manual backup seems to work though.

murgero

@stoccafisso Any reason why you would want to hide the login page? If for security, just enable 2FA on the blog instead. Still very secure and will allow Cloudron to check it properly still.

girish

@stoccafisso Indeed, the health check URL is configured to poll /wp-login.php. We used to use the / before but that didn't work for protected blogs.

stoccafisso

@murgero As far as I know, Wordpress does have 2FA when Cloudron is in charge of user management, but I most often let Wordpress have separate user management, as I don't want a bunch of wordpress users having to create cloudron-accounts.

There are other reasons not to use 2FA, and reasons to use it, but that is another discussion.

@girish would it not be better to have the health check point to some other file in wordpress, other than /wp-login.php? As it is now, it actually limits users freedom to chose their own way of protecting their blog.

girish

@stoccafisso Yes, let me look into if there is any other end point we can poll instead of the admin page. Maybe we can poll some css/js asset file.

affinity

I am also experiencing this issue. I'm guessing you are using "WPS Hide Login"? The workaround I've found is to use "Hide My WP Ghost – Security Plugin". It's not as lightweight or simple but it only changes access to the login which still allows cloudron to do its thing and change the login path effectivly. Hope that helps.

murgero

@affinity a custom .htaccess could be slapped into the wordpress directory to deny /wp-admin to unknown IP's.

nebulon

Ideally we would have a distinct /healthcheck route to call the app and it would report its status. As @girish mentioned we used to use / to simply check if the site/blog works, but besides non public sites, this also interfered with visitor stats on various plugins.

Does anyone here have any better recommendation or idea which route we could poll here?

murgero

@nebulon xmlrpc php using a blank call?

nebulon

@murgero not really sure what you mean by this. What we need is some URL which responds with an 200 or 300 http status code. This can be anything, a HTML file other assets or a REST api. So far it seems the ones we have chosen for WordPress always have some side-effects.

murgero

@nebulon Maybe use https://site-url/wp-includes/version.php it doesn't return anything, but HTTP 200 is the status of the call. Maybe worth a look.

rmdes

@murgero also thinking hitting the version file could be the best way to approach this..for some reasons the login or the / does not provide a stable way to do this...even on basic WP image without plugin interference on my case.

girish

@murgero Thanks for your suggestion! I have put the new healthcheck url in https://git.cloudron.io/cloudron/wordpress-app/commit/45dc91cd7868bd2e66ea726f0968c4752279812e . Will push out the update slowly and see if it causes any issues