Articles

Finding Hidden WordPress Login Page

by admin

Accessing a hidden website page, such as a WordPress login page, should only be done legally, for example, if you are conducting security testing on a site you own or have permission to assess. Engaging in unauthorized attempts to access hidden or private pages can be illegal and unethical. With that in mind, here are some common steps used to locate a hidden WordPress login page (with permission):

1. Try Default URLs

By default, WordPress login pages are found at:

  • https://example.com/wp-admin/
  • https://example.com/wp-login.php

Website owners sometimes change these default URLs to obscure the login page for security purposes. However, trying the default URLs is a starting point.

2. Check Source Code and HTML Comments

  • Inspect the HTML source code of the site’s pages for clues about the login page location. This could include direct links or code that references hidden login locations.
  • Sometimes, administrators may leave comments in the source code that can give clues.

3. Look for Login Widgets or Forms

Some WordPress sites might have login widgets or forms on the homepage or other public pages. Inspecting these forms may reveal the action URL that points to the login page.

4. Search Using Google Dorking

Google Dorking can be used to find hidden pages indexed by search engines. A few examples:

  • site:example.com inurl:login
  • site:example.com inurl:wp-admin
  • site:example.com intitle:"login"

These advanced search queries (dorks) might reveal login pages that are otherwise hard to find.

5. Use a Website Mapping Tool

Tools like Nmap, DirBuster, or Gobuster can scan a website for hidden directories and files. These tools look for commonly used WordPress login paths by brute-forcing directories.

6. Look for Security Plugins

WordPress websites often use security plugins that might rename the login page URL. Look for security-related headers, plugins, or tell-tale signs in the page’s code that could indicate the login page has been renamed or hidden by plugins like WPS Hide Login or iThemes Security.

7. Use WPScan (for security testing)

WPScan is a popular tool for testing WordPress security. It can enumerate WordPress URLs, plugins, and themes, which might reveal the login page.

wpscan --url https://example.com --enumerate u

8. Robots.txt File

Sometimes, the website’s robots.txt file contains paths that are excluded from search engines. It could include information about hidden pages that can be accessed manually.

9. Check Backups or Old URLs

Sometimes, older versions of the site or backup directories can still have accessible login pages. Tools like the Wayback Machine or scanning directories like /old/ or /backup/ can reveal older login pages.

10. Social Engineering (with permission)

Legitimate social engineering techniques (e.g., reaching out to customer support or reviewing public documentation about the website) can provide clues to the location of a hidden login page.

Ethical Considerations

Always remember that any actions you take on websites must be fully legal and authorized. If you are conducting a penetration test or security audit, ensure you have explicit permission from the owner.