Unable to install plugins to child sites w/iThemes Security disable backend enabled

We are unable to install any plugins to child sites (even the site where the MainWP Dashboard is set up) via “Upload .zip file” without first disabling iThemes Security hide backend on the parent dashboard site. The installation fails with the error not_found. I worked on this issue with iThemes developers and they are saying that it is being caused because MainWP is unaware of the hide backend URL. The not_found is the default redirect URL when someone tries to hit wp-login.php with hide backend enabled. The only workaround for now is to disable the hide backend feature and then re-enable it every time you need to install a plugin to child sites (using the upload .zip feature).

The issue persists in the latest beta as well.
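The redirect described in the opening post can be confirmed from a captured response to a `wp-login.php` request. This is an added example, not part of the thread and not MainWP or iThemes code; it assumes the redirect is an HTTP 3xx whose `Location` points at the `not_found` slug under the site URL, and the function name, hosts and sample responses are constructed.

```python
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def classify_login_response(site_url, status, headers, redirect_slug="not_found"):
    """Classify a response to <site_url>/wp-login.php.

    Returns "hide-backend-redirect" when the request was bounced to the
    hide backend redirect slug, "other-redirect" for any other redirect,
    and "no-redirect" when the login page was answered directly.
    """
    # HTTP header names are case-insensitive.
    location = next((v for k, v in headers.items() if k.lower() == "location"), None)
    if status not in REDIRECT_STATUSES or not location:
        return "no-redirect"

    base = site_url.rstrip("/") + "/"
    login_url = urljoin(base, "wp-login.php")
    # Location may be absolute, root-relative or relative to the login URL.
    target = urlsplit(urljoin(login_url, location))
    site = urlsplit(base)

    if target.netloc.lower() != site.netloc.lower():
        return "other-redirect"

    # Handles subdirectory installs: /wp + /not_found -> /wp/not_found
    expected = site.path.rstrip("/") + "/" + redirect_slug.strip("/")
    if target.path.rstrip("/") == expected:
        return "hide-backend-redirect"
    return "other-redirect"


# Constructed sample responses (not captured from a real site).
SAMPLES = [
    ("https://dashboard.example", 302, {"Location": "https://dashboard.example/not_found/"}),
    ("https://example.test/wp", 302, {"location": "/wp/not_found?x=1"}),
    ("https://dashboard.example", 200, {"Content-Type": "text/html"}),
    ("https://dashboard.example", 302, {"Location": "/wp-login.php?reauth=1"}),
]

if __name__ == "__main__":
    for site, status, headers in SAMPLES:
        print(site, status, "->", classify_login_response(site, status, headers))
```

A "hide-backend-redirect" result while the upload fails, and "no-redirect" after the feature is disabled, matches the behaviour reported above.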

To clarify, is the issue with running iThemes security on your Dashboard or is it from the iThemes Security Extension on your child sites?

Hi Dennis,

The issue is when iThemes Security hide backend is running on the Dashboard. It doesn’t matter if iThemes Security is running on the child sites or not.

I wouldn’t classify this as a bug since it seems things are working as they should; this is more of an edge use case.

I’m not in a place to test it myself, but I’ll have @bogdan check with the development team on Monday if anything can be done, such as telling the Dashboard to use the Login Slug.

If anything can be done, it won’t be in the upcoming 4.1 version since features are locked for next week’s release.

Hi Vince, thanks for reporting this. However, are you sure that the hide backend feature is breaking the functionality? I have seen this behavior and it was caused by Filter Long URLs.

Also, in this help document: https://mainwp.com/help/docs/am-i-allowed-to-change-wp-admin-and-wp-login-php-url/ we have a warning that changing the backend (wp-admin) slug may cause problems, so I would skip doing this. If you need additional security on your MainWP Dashboard, you can use the Clean and Lock extension to lock it down.

Hi Bogdan,

Yes, I tested it with hide backend enabled as well as disabled. I brought it up to you before as well when I was having this issue before. OK, so then anyone that changes from wp-admin may have issues even though this is a pretty standard security practice. Is there anything in the pipeline as to whether this will be supported or not?

This is not “standard security practice”, but “security through obscurity”. It’s like trying to hide the door of your house instead of locking it. And it’s known for causing problems/conflicts, not only with MainWP.

Yes, I fully agree with @josklever

OK, I apologize, I chose the wrong wording. Whatever you want to call it, “security through obscurity” is still a way to “help” keep your site secure by hiding it. This isn’t my only form of helping keep my site protected from malicious actors, but it is an option I enabled in iThemes Security. And if you want to give an example of locking your door, well, a locked door doesn’t secure your home if I can just pick the lock or break the door down. There are multiple things we must do to help keep our sites secure. We can debate this forever and I don’t want to go off topic. I would just like to know if this is something that MainWP is thinking about implementing or if we should just accept this as it is.

Since MainWP is open source, you never have to accept things as is, I invite you to visit MainWP.dev for information on coding with MainWP.

This is not something we will prioritize at this time, and I can not say if and when we would ever implement something officially for this.

Fair enough. Thank you.

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.

For those of us using MainWP and who are not developers, I for one would like to see this topic reviewed again.
Setting iThemes to mask the login URL should not affect the ability to install plugins. Knowing that developers tend to talk better with developers, I would like to see if someone from MainWP would be willing to contact and work with iThemes to isolate and solve this incompatibility with their feature to obfuscate the WordPress login URL and make it so that plugins can still be installed.