900,000+ Install WordPress Security Plugin Solid Security Focused on Non-Existent Threat
The WordPress security plugin iThemes Security, which is less popular than it used to be but is still used on at least 900,000 websites, was recently rebranded as Solid Security. Alongside that came new marketing for the plugin. The previous marketing was not at all honest about what the plugin actually accomplished. The new marketing suggests the plugin is focused on protecting against a non-existent threat to WordPress websites.
In the plugin’s header image on the WordPress Plugin Directory, the developer now emphasizes two things: protection against brute force attacks and the related user login security (the third item shown exists only in a commercial version and does not appear to be an accurate description of what is offered either).
In the description, the developer makes these claims:
Solid Security shields your site from cyberattacks and prevents security vulnerabilities. It automatically locks out bad users identified by our Brute Force Protection Network that is nearly 1 million sites strong and leverages your own blacklist. It secures and protects your most commonly attacked part of your WordPress website – user login authentication.
As we noted yet again recently, brute force attacks are not happening. WordPress security providers have been lying about that for many years to promote unneeded security solutions. There are malicious login attempts that happen, but they are dictionary attacks. Those attacks involve trying to log in using common passwords. There is a simple solution to that. Use a strong password. WordPress already provides a password strength meter to accomplish that. No plugin needed. (It is also a good idea to use a unique password, in case a password used on another website is compromised.)
Based on the rest of the description of the plugin, it doesn’t appear to offer anything that provides necessary protection for websites. It also looks to be breaking intended functionality of WordPress.
Those looking for a security plugin focused on real threats can look at the results of the testing we do to see what protection security plugins provide against vulnerabilities in other plugins.