For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Per_Hagstrom's avatar
Per_Hagstrom
Icon for Nimbostratus rankNimbostratus
Feb 25, 2019

Simple WordPress login protection using referral

I'm trying to protect the default login page (/wp-login.php) on our WordPress site, using a "secret" (/secretlogin) page as a referral, and only then should you be able to login: (otherwise you get r...
BIG-IP
devops
irule
iRules
protect login
referer
Dave_McCauley_3's avatar
Dave_McCauley_3
Icon for Cirrostratus rankCirrostratus
Feb 25, 2019

Drop the static variable and see if that helps. Static variables are put into the tmm's global namespace, i.e. even other iRules would see this variable and generally shouldn't be used. If you use a standard variable, you'll have it be distinct for each new connection, which is what I think you want here.

 

https://devcentral.f5.com/wiki/iRules.static.ashx

 

-Dave

 

Per_Hagstrom's avatar
Per_Hagstrom
Icon for Nimbostratus rankNimbostratus
Feb 26, 2019

Dave,

 

Great! Yes, that seems to have fixed the problem! Thank you very much! 🙂

 

/ Per

 

ps. in case someone else would like to use this iRule, here is the corrected code:

 

 when CLIENT_ACCEPTED {
    set triggerWP 0
}
when HTTP_REQUEST {
    if {[string tolower [HTTP::path]] contains "/wp-login.php" and $triggerWP == 0 } {
             HTTP::redirect "https://[HTTP::host]/restricted-access"
    }
    if {[string tolower [HTTP::path]] equals "/secretlogin"} {
             set triggerWP 1
             HTTP::redirect https://[HTTP::host]/wp-login.php
    }
}