Brute Force Attacks

8 Aug 2024

Developer of Limit Login Attempts Reloaded Admits Brute Force Attacks Are Not Happening

There is a widespread belief that there are brute force attacks against WordPress admin passwords going on. Just one plugin, Limit Login Attempts Reloaded, which is focused on preventing those attacks, has 2+ million installs. Despite the widespread belief, those are not happening. That is something that security providers falsely claiming they are happening sometimes admit to. We recently found that to be the case with the developers of Limit Login Attempts Reloaded.

In the first sentence of the description of their plugin on the WordPress Plugin Directory, they link the words “brute force attacks” to a post on their website. The first sentence of that post accurately describes what a brute force attack is: “Brute force attacks are relentless and automated attempts to crack passwords or encryption keys by systematically trying all possible combinations until the correct one is found.” Later in the post, they admit what is really happening with malicious login attempts, dictionary attacks: “The most popular method is a dictionary attack, which involves using precompiled dictionaries of commonly used passwords. These dictionaries may include words from various languages, character substitutions, and common phrases.” [Read more]

28 Nov 2023

900,000+ Install WordPress Security Plugin Solid Security Focused on Non-Existent Threat

Recently the less popular than it used to be, but still used on at least 900,000 websites, WordPress security plugin iThemes Security was rebranded as Solid Security. Alongside that came new marketing for the plugin. The previous marketing was not at all honest about what the plugin actually accomplished. The new marketing suggests the plugin is focused on protecting against a non-existent threat to WordPress websites.

In the plugin’s header image on the WordPress Plugin Directory, the developer now emphasizes protection against two things by the plugin, brute force attacks and the related user login security (the third only exists in a commercial version and appears to not be an accurate description of what is offered either): [Read more]

8 Nov 2023

The Wordfence Security Plugin Isn’t Actually Protecting Against Brute Force Attacks

We recently had a potential customer ask if our firewall plugin protected against brute force attacks as they believed the Wordfence Security plugin is doing. They also noted that using something different than what Wordfence Security provides would seem like less protection, even if it was better protection. When it comes to brute force attacks, they have hit the nail on the head, as those are not even happening. Wordfence is pretending something that WordPress already provides effective protection against isn’t happening and instead brute force attacks are happening, which requires something that WordPress doesn’t have built-in protection against.

Here is how Wordfence describes brute force attacks: [Read more]

Plugin Vulnerabilities

A service to protect your site against vulnerabilities in WordPress plugins.

Tag Archives: Brute Force Attacks

900,000+ Install WordPress Security Plugin Solid Security Focused on Non-Existent Threat

The Wordfence Security Plugin Isn’t Actually Protecting Against Brute Force Attacks