[Defender Pro] WP login and author exposure


Check pages for WP login and author exposure.
I have my Defender Pro set up with login masking.

Elementor is exposing a live login link.
Smart Crawl is exposing author/admin.

Defender does not pick this up, or there is no notice to check this. This totally defeats the purpose of all these working together.

  • Fida Al Hasan
    • Staff

    Hello Goran,

    I hope you are doing well.

    Regarding the Mask Login Area feature:
    This feature is designed to work with WordPress’s default wp-admin and wp-login.php endpoints. There are also certain WordPress-reserved login-related slugs that are covered by this functionality.
    You can learn more here:
    https://wpmu-dev.pro/docs/wpmu-dev-plugins/defender/#masking-url-slug

    However, custom login URLs or login forms created by themes, plugins, or custom code are not currently covered by this feature. Detecting and protecting all possible custom login implementations is significantly more complex.

    That said, I have forwarded your request to our Defender team for review. They will evaluate the feasibility of expanding this functionality, although there is currently no estimated timeline for implementation.

    Regarding SmartCrawl exposing author/admin information:
    Could you please provide a bit more detail about this issue and the steps required to reproduce it?

    Additionally, have you enabled Defender Pro’s Prevent User Enumeration recommendation on the site?
    You can find more information about this feature here:
    https://wpmu-dev.pro/docs/wpmu-dev-plugins/defender/#recommendation-prevent-user-enumeration

    Kind Regards,
    Fida Al Hasan

  • Goran
    • Design Lord, Child of Thor

    SmartCrawl > Schema > Advanced > Author
    In this case, author/admin were the same, and this creates a huge exposure.

    This should be something that Defender must detect and recommend checking first.

    More so, this is all within the WPMU ecosystem without any 3rd-party plugin.
    I believe this should be covered right from the start.

    This is something that I found out after trying to figure out multiple bot login attempts on one of my sites.

    This also does not help
    SmartCrawl > Settings > General Settings > Meta Tags
    This exposes the WordPress version and should also be picked up by Defender and recommend removing.

    And yes, I do have Defender Pro’s Prevent User Enumeration enabled.


  • Luigi Di Benedetto
    • Staff

    Hey Goran

    I was unable to replicate the issues you described. The author/admin pages are not accessible because the “Prevent user enumeration” feature is enabled in Defender. When I attempt to visit my test site’s URL using ?author=1 in an incognito window, I correctly receive a message stating I do not have permission to access the page.

    Regarding the WordPress version being visible, you need to enable the “Hide generator meta tag” option in SmartCrawl to hide it. It might also be beneficial to include this as a recommendation within Defender Security Recommendations, so users are prompted to enable it for better security.

    If you are still able to access the author page via an incognito tab even with “Prevent user enumeration” enabled, please open a support ticket so we can assist you further. Additionally, I will pass along your suggestion to display “Hide generator meta tag” as a recommendation in Defender to our development team.

    I hope this helps. Please feel free to contact us if you need any further assistance.

    Regards,
    Luigi.
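One way to check the three exposures this thread raises (a live wp-login.php link or form left in page markup despite login masking, author archive links and schema.org author data that name the login, and the WordPress generator meta tag) against a saved copy of a page. This is an added example, not part of the original thread and not Defender or SmartCrawl code. The HTML below is constructed for the demonstration; `classify_author_probe` interprets only the status code and Location header of the `/?author=1` request Luigi describes, so it reports "leaked" when the site redirects to `/author/<slug>/` and "not_redirected" otherwise, which covers both a real 403 and a denial page served with 200, so the response body still deserves a glance. `/wp-admin/admin-ajax.php` is excluded from the login-link check on purpose: every theme references it and it is not a login page.

```python
"""Offline checks for the WordPress exposures discussed above (added example)."""
import json
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed sample page (not captured from any real site): it shows the
# generator tag, a live wp-login.php link and form, an author archive link,
# and JSON-LD schema that names the author "admin".
SAMPLE_HTML = """<!doctype html>
<html><head>
<meta charset="utf-8">
<meta name="generator" content="WordPress 6.5.2">
<script type="application/ld+json">
{"@context":"https://schema.org","@graph":[{"@type":"Article","headline":"Hello world",
"author":{"@type":"Person","name":"admin","url":"https://example.test/author/admin/"}}]}
</script>
</head><body>
<a href="https://example.test/wp-login.php?redirect_to=%2F">Log in</a>
<a href="https://example.test/author/admin/">Posts by admin</a>
<form action="https://example.test/wp-login.php" method="post"><input name="log"></form>
<a href="https://example.test/wp-admin/admin-ajax.php?action=load_more">More</a>
</body></html>"""

AUTHOR_RE = re.compile(r"/author/([^/?#]+)/?")


class _Collector(HTMLParser):
    """Pull out the generator meta tag, every link/form target, and JSON-LD blocks."""

    def __init__(self):
        super().__init__()
        self.generator = None
        self.hrefs = []
        self.jsonld = []
        self._buf = None  # accumulates the text of the current ld+json script

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "generator":
            self.generator = a.get("content")
        elif tag in ("a", "link", "form") and (a.get("href") or a.get("action")):
            self.hrefs.append(a.get("href") or a.get("action"))
        elif tag == "script" and a.get("type") == "application/ld+json":
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.jsonld.append("".join(self._buf))
            self._buf = None


def _is_login_link(url):
    """True for wp-login.php or the bare /wp-admin entry point; admin-ajax.php is skipped."""
    path = urlparse(url).path.lower()
    return ("/" + path).endswith("/wp-login.php") or path.rstrip("/").endswith("/wp-admin")


def _author_slug(url):
    """Return the author slug from /author/<slug>/, or '?author=N' for the query form."""
    p = urlparse(url)
    m = AUTHOR_RE.search(p.path)
    if m:
        return m.group(1)
    q = parse_qs(p.query)
    return "?author=" + q["author"][0] if "author" in q else None


def schema_authors(blocks):
    """Collect (name, url) of every schema.org Person used as an 'author'."""
    found = []

    def walk(node):
        if isinstance(node, dict):
            author = node.get("author")
            for a in (author if isinstance(author, list) else [author]):
                if isinstance(a, dict) and a.get("@type") == "Person":
                    found.append((a.get("name"), a.get("url")))
            for v in node.values():
                walk(v)
        elif isinstance(node, list):
            for v in node:
                walk(v)

    for raw in blocks:
        try:
            walk(json.loads(raw))
        except json.JSONDecodeError:
            continue  # malformed JSON-LD is a SmartCrawl/theme bug, not a leak
    return found


def scan_page(html):
    """Report the exposures visible in one HTML document."""
    c = _Collector()
    c.feed(html)
    c.close()
    return {
        "generator": c.generator,                      # WordPress version leak
        "login_links": [h for h in c.hrefs if _is_login_link(h)],
        "author_links": [h for h in c.hrefs if _author_slug(h)],
        "schema_authors": schema_authors(c.jsonld),    # SmartCrawl > Schema > Author
    }


def classify_author_probe(status, location=None):
    """Interpret GET /?author=1: a redirect to /author/<slug>/ hands out the login name."""
    if status in (301, 302, 307, 308) and location:
        slug = _author_slug(location)
        if slug and not slug.startswith("?"):
            return ("leaked", slug)
    return ("not_redirected", None)


if __name__ == "__main__":
    for key, value in scan_page(SAMPLE_HTML).items():
        print(f"{key}: {value}")
    print(classify_author_probe(301, "https://example.test/author/admin/"))
```

To run it against your own install, save the front page (and a single post, where Elementor and SmartCrawl output differ) with the browser or `curl -L`, pass the text to `scan_page`, and feed the status and Location of an un-followed `curl -sI 'https://yoursite/?author=1'` to `classify_author_probe`. An empty result for all three keys plus "not_redirected" is what a site with Mask Login Area, Prevent User Enumeration and Hide generator meta tag should show.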