New PHP Warnings related to – Simple Query String Login page protection


This topic contains 4 replies, has 2 voices, and was last updated by  AITpro Admin 5 months, 1 week ago.

  • #34734

    Josh
    Participant

    Hi,
    Suddenly I’ve noticed the PHP error log fill with tons and tons of PHP Warning messages related to the “Simple Query String Login page protection” code we got off the BPS website. I have no idea why this suddenly started logging like this. It’s the same code we’ve had in place for a while now and never had anything logged about it. I’m thinking there was a change at the host or from the latest WordPress upgrade.

    Example Warning Message:
    [05-Dec-2017 21:58:01 UTC] PHP Warning: Cannot modify header information – headers already sent by (output started at /home/xxxxxxxx/public_html/wp-login.php:73) in /home/xxxxxxxx/public_html/wp-content/themes/dunn-child/functions.php on line 40

    Our Query String Code: “I inserted info where line 40 is”

    function hide_login_page_query_string_login() {
        $QS = '?my_querystring=fubar';
        $theRequest = 'https://' . esc_html( $_SERVER['HTTP_HOST'] ) . '/' . 'wp-login.php' . '?'. esc_html( $_SERVER['QUERY_STRING'] );
        if ( site_url( '/wp-login.php' . $QS ) == $theRequest ) {
            // comment this out after testing is completed
            echo 'Testing: Query string matches';
        } else {
            header( 'Location: https://' . esc_html( $_SERVER['HTTP_HOST'] ) . '/' ); // ***LINE 40 IS HERE***
        }
    }
    add_action('login_head', 'hide_login_page_query_string_login');

    Once logged into the backend of WP it seems like each page you go to within the admin dashboard generates several of the same messages in the PHP error log shown above.

    Any idea what we should change in this query string code?

    Thanks,
    Josh
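
An added example, not part of the thread and not BPS code: the warning arises because `login_head` fires inside the `<head>` that wp-login.php has already started printing, so `header()` can no longer send a redirect. The sketch below does the same check on `login_init`, which runs before any output. It assumes the placeholder key and value `my_querystring` / `fubar` from the post, and it checks that parameter rather than comparing the whole URL.

```php
<?php
// Added example for theme functions.php or a small plugin; runs inside WordPress.
// Assumption: 'my_querystring' and 'fubar' are the placeholder key/value from the post.

function hide_login_page_query_string_login() {
    $method = isset( $_SERVER['REQUEST_METHOD'] ) ? $_SERVER['REQUEST_METHOD'] : 'GET';
    $action = isset( $_REQUEST['action'] )
        ? sanitize_key( wp_unslash( $_REQUEST['action'] ) )
        : 'login';

    // Gate page views only. The login form POSTs back to wp-login.php without
    // the query string, and logout is a nonce-protected GET, so both pass through.
    // This hides the form; it does not stop requests posted directly to
    // wp-login.php, which still need lockout/rate limiting.
    if ( 'GET' !== $method || 'logout' === $action ) {
        return;
    }

    // Reject array input such as ?my_querystring[]=x before comparing.
    $supplied = '';
    if ( isset( $_GET['my_querystring'] ) && is_string( $_GET['my_querystring'] ) ) {
        $supplied = wp_unslash( $_GET['my_querystring'] );
    }

    // Constant-time comparison of the expected value with the supplied one.
    if ( hash_equals( 'fubar', $supplied ) ) {
        return; // Secret present: let wp-login.php render the form.
    }

    // Redirect target comes from the site configuration, not from the
    // client-supplied Host header. No output has been sent at this point.
    wp_safe_redirect( home_url( '/' ) );
    exit;
}
add_action( 'login_init', 'hide_login_page_query_string_login' );
```

After a logout or a `reauth` redirect the browser lands on wp-login.php without the parameter and is sent to the home page, the same as with the original snippet.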

    #34741

    Josh
    Participant

    Bump…

    Any ideas?

    I’ve been using the query string code I got off the BPS site for at least a month and a half. Suddenly after upgrading WordPress and BPS Pro to the latest versions (not sure what changed… but this wasn’t happening before), I now have my PHP error log filling up like crazy with similar log entries like the one I show in my original post. It seems when I log in to the backend of WordPress, anything I click, one of these log entries follows. One session, I had over 100 of these log entries.

    I searched the BPS forums on “headers already sent”. The only thing I see that becomes possibly applicable would be caching. Unfortunately I uninstalled the LiteSpeed caching plugin and ensured my host had it turned off for the domain in question. So I don’t see how caching is the problem.

    So I’m kind of at a loss as to… “how” do I fix the issue? It seems like the query string code needs to be modified as that’s what the log is complaining about.

    Thanks,

    Josh

    #34748

    AITpro Admin
    Keymaster

    Sorry for the late reply. We had some wildfires in our area. Fortunately we were extremely lucky. Stressful stuff. Yeah, not really sure what might have changed. Honestly you do not need to do any other “form” of login security protection if you are using LSM and JTC. So just delete that additional security measure/code – it is not needed. 😉

    #34758

    Josh
    Participant

    No problem. Hope your house and loved ones are ok. Fires are no joke.

    I took your advice and removed that query string code.  I just don’t like having a login page at a known location. I’ll get over it. 🙂

    Josh

    #34759

    AITpro Admin
    Keymaster

    Thank you for your kind words.  We got really lucky, but a lot of folks did not.  Sending them every bit of goodness/compassion I can.  🙂
