New Company Releases Evil WordPress Plugin

By Jeffro on May 8, 2013

Earlier today on Twitter, WordPress community member Travis Ballard @Ansimation published a link to a plugin that will have people thinking twice before they sign up to a WordPress based website. Ironically, it’s called WPEvil, and it saves passwords as plain text instead of as hashes. One thing I’ve learned over the years is that passwords are never to be stored in plain text, for any reason. I reached out to the creators of this plugin to see if they could give me a couple of legitimate use cases. Here is what they had to say.

Legitimate use would be, I guess, to tell one of your users their password if they can’t reset it for some reason. There are no appropriate uses for this plugin; I guess you could do your own research to see what people actually use as passwords.

Motivation? Bored.

Travis also got in touch with the plugin author on Reddit to discuss legitimate uses for this plugin and was greeted with an insult that it was above his pay grade.

So if you come across a WordPress powered website that you can tell is using this plugin, would you register your account there? How does it make you feel to see a company release such a plugin to the wild? Should anyone be worried that this plugin exists?


A Closer Look At Brute Force Attacks Against WP Sites

By Jeffro on March 16, 2012

Perhaps one of the easiest attacks to perform on a WordPress based website is a brute force attack. Sucuri took the time to create a few different honeypots and monitored wp-login.php to track the various IP addresses as well as the passwords used in attempts to break into the site. Their list of attempted passwords is no surprise to me, as I’ve seen the same results over the course of a year via the Limit Login Attempts plugin. It all comes back to the use of a strong password. A strong password would look something like this: RCu7R*0#zm. Unfortunately, many forms don’t accept certain characters in passwords, so if you can only use numbers and letters, at the very least add numbers to your password.

The reason this is one of the easiest attacks to perform is that, by default, WordPress allows an unlimited number of tries when logging into the backend. I understand that it’s the user’s responsibility to use a strong password, but at the same time I feel the software could help out by only allowing 3 login tries per IP address, very similar to how the Limit Login Attempts plugin works. After 3 failed attempts, the IP address would be locked out for a certain amount of time. The only thing I can figure is that this particular enhancement would cause some site owners more grief than peace of mind. Unlimited login attempts have been a part of WordPress since I started using it in 2007, and I don’t see that changing anytime soon, especially since the Limit Login Attempts plugin exists and solves the problem so well.


Update On My Use Of Limit Login Attempts

By Jeffro on February 10, 2012

Alex, who also goes by Viper007Bond, has recently installed Limit Login Attempts on his personal blog because someone is trying to brute force their way into his site. I’ve mentioned this plugin before, and his post reminded me that I should probably give you all an update on the results I’ve seen over the past few months.

Since January 1st, 2012 there have been 75 email notifications sent to my inbox letting me know of an IP address that failed to log in to the back-end of WPTavern three times in a row. In almost every case the notifications look like the following, with only the IP address being different.

3 failed login attempts (1 lockout(s)) from IP: 78.29.15.137

Last user attempted: admin

IP was blocked for 20 minutes

There have only been a few times when Webmaster, and even fewer when Jeffro, was the attempted username. I receive multiple notifications every day, with some spurts of 3-4 different IP addresses failing to log in. I have no idea if these are real people or bots trying to log in, but thankfully Limit Login Attempts is keeping me abreast of all the failed attempts. It’s definitely a plugin you should consider installing for the sake of monitoring failed login activity. This is also a reminder that if you are using admin as your administrative username, or have that username within the Administrator role, you’re begging for trouble.
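The per-IP lockout described in the brute force post and the notification format shown above, as an added example that is not the Limit Login Attempts plugin's own code: a counter that locks an address out after 3 consecutive failures for 20 minutes, rejects attempts while the lockout is active, and produces notification text in the quoted form. The `LoginLimiter` class, the thresholds and the sample IP are assumptions constructed for this illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed parameters, mirroring the behaviour the post describes:
# 3 failed attempts lock an IP out, and the lockout lasts 20 minutes.
MAX_ATTEMPTS = 3
LOCKOUT = timedelta(minutes=20)


class LoginLimiter:
    """Per-IP failed-login counter with a timed lockout (illustrative only)."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, lockout=LOCKOUT):
        self.max_attempts = max_attempts
        self.lockout = lockout
        self.failures = defaultdict(int)   # ip -> consecutive failures
        self.locked_until = {}             # ip -> datetime the lockout expires
        self.lockouts = defaultdict(int)   # ip -> lockouts issued so far
        self.notifications = []            # text of each notification "sent"

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        return until is not None and now < until

    def record_attempt(self, ip, username, success, now):
        """Return 'locked', 'ok', 'failed' or 'lockout' for this attempt."""
        if self.is_locked(ip, now):
            return "locked"            # rejected before credentials are checked
        if success:
            self.failures.pop(ip, None)
            return "ok"
        self.failures[ip] += 1
        if self.failures[ip] < self.max_attempts:
            return "failed"
        # Threshold reached: lock the IP, reset the counter, emit the notification.
        self.failures.pop(ip, None)
        self.lockouts[ip] += 1
        self.locked_until[ip] = now + self.lockout
        minutes = int(self.lockout.total_seconds() // 60)
        self.notifications.append(
            f"{self.max_attempts} failed login attempts ({self.lockouts[ip]} lockout(s)) "
            f"from IP: {ip}\nLast user attempted: {username}\n"
            f"IP was blocked for {minutes} minutes")
        return "lockout"


def simulate():
    """Constructed sample: one IP guessing 'admin', then retrying after the lockout."""
    limiter = LoginLimiter()
    t0 = datetime(2012, 2, 10, 9, 0, 0)
    ip = "203.0.113.7"   # constructed documentation-range address
    results = [limiter.record_attempt(ip, "admin", False, t0 + timedelta(seconds=i))
               for i in range(4)]
    after = limiter.record_attempt(ip, "admin", False, t0 + LOCKOUT + timedelta(seconds=5))
    return results, after, limiter.notifications
```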
