Remove /wp-admin and /admin redirects

🚢-shipped

#1

This is a pretty much an idea based on a security concern.

We all know WordPress is the leader in the market, and we know most of these sites are targeted by hackers. That said, I don’t feel like redirecting the traffic from /wp-admin and other admin routes to the ghost admin route is a good idea, what do you think?

Maybe the best approach to handle this is through an “option” through the config or admin side, what do you think?


#2

Yes… i think there should have option to change the admin directory.


#3

I agree. On other sites I manage I see lots of speculative attempts to find admin directories of the most popular forums and blogging platforms. I don’t see anyone directly trying to hit /ghost (yet), but I’d be happy to see no redirects to it from the obvious hack entry points.


#4

Opened a PR to fix this:


#5

@m1guelpf you missed to remove /admin as well. I added a few comments to your PR.


#6

I did that in propouse, as I think removing only the Worpress redirect has a bigger change to be merged. Once (if) that get’s pulled in, I’ll make another PR for the other redirect.


#8

The /wp-admin redirect was removed in

I’ll add a few notes on this for context, and because there’s been some silly statements and confusion around it:

The /wp-admin redirect was long over due to be removed and existed to aid the transition of many WP users’ ingrained typing habits when Ghost launched in 2013, it just doesn’t serve a real purpose anymore - simple as that.

This is not, and has never been, a security issue. What’s a bot which stumbles across Ghost whilst in search for WordPress sites going to accomplish exactly? Exploit our PHP targeting a non-existent wp-login DOM element?

The previous PR was closed because it was opened without any discussion and removed multiple other reserved redirects and reserved words. That is not how we work here. And we certainly don’t want to remove the reserved words.

There’s no sense in removing any of the other redirects, which are also not a security issue. It’s just as easy to scan for /ghost as it is for /admin as it is for anything else. If someone wants to target Ghost sites then they will figure out how to identify Ghost sites. It isn’t hard. And obscuring an admin route doesn’t make it any harder.

If you want to serve admin on a complete different separate host/domain, that has been possible for a long time and is a config option that means no admin route will ever be available on the front end of your site:

You can also decouple your entire from end from your back end and simply serve your whole site as static HTML which cannot be hacked by anyone in any way. If you’re really interested in security, then these are good options to look at - not little automatic redirects.


closed #9