31 Oct

Claimed Brute Force Attacks Against WordPress Admin Passwords Are Unlikely to Be Tied to Plugin Vulnerabilities

One of the ways we keep track of what vulnerabilities are in WordPress plugins, to provide our customers with the best data on them, is to monitor the wordpress.org support forums for threads related to them. In addition to relevant threads we run across various other security related queries. Recently we have run across several where people believed that brute forces against WordPress admin passwords might be an indication of some sort of a security issue with a plugin. Seeing as this keeps coming up we thought it would be a good time to discuss this, as it gets to security companies spreading falsehood and that leading to people getting further from focusing on the real security issues that the WordPress ecosystem has these days.

Here is one example of issue being brought up:

Someone has been attempting brute force hack on my sites all weekend. I have wordfence setup to block incorrect usernames but somehow he/she is now attacking my newest site I just put up last week that may not even be indexed by google. It is a duplicate of a site and has all the same plugins so I am wondering if it is possibly a plugin that is causing this hacker to attempt to brute force my new site. This is like looking for a needle in a haystack I know but do you guy/gals have any suggestions?

The first issue here is that brute force attacks against WordPress admin password are not happening. Yes lots of security companies will tell you they are happening (and that have the solution to protect your website from them), but the reality is that they are not. For example, we previously looked at how the evidence provided by Wordfence and Sucuri to back their claim that brute force attacks were happening, actually showed they were not. In reality it looks like most of the malicious login attempts that are occurring are dictionary attacks, which can be prevented by simply using a strong password since a dictionary attack involves trying to log in in using common passwords. Unfortunately because security companies have been successful at pushing this falsehood far too many people spend their time monitoring login attempts when they really don’t need to. In this case it seems to have then lead them to thinking that plugin vulnerabilities are somehow tied into this.

So would actual dictionary attacks or imagined brute force attacks be an indication of a plugin vulnerability? The answer is that it would be very unlikely to be an indication. If someone is able to get access to an Administrator account in WordPress they generally have the ability to almost anything, so they wouldn’t have much if any need for a vulnerable plugin at that point. For example, they would normally not only be able to edit existing plugins, so they could place code to do the equivalent of a vulnerability in a plugin, but they would also be able to install entirely new plugins as well.

About the only thing we could think of that a vulnerability in a plugin could do to make malicious login attempts easier would be if it exposed the valid usernames on the website, but normally those can be easily obtained, so that seems an unlikely issue.

The only place we could think of where the two could come together is if a vulnerability was only exploitable (which is often the case), but in that case it looks like hackers will just try to see if they can register for an account and if they can’t they move on. Seeing as many WordPress websites only have an administrator account if you were to successful in a dictionary attack you would likely not need to exploit the vulnerability anyway.

Focusing on The Wrong Threat

The problem when things like this are focused on, is that actual security issues don’t get attention they need. Take for example part of the response that original poster received:

It seems all plugin vulnerability probes are for long ago patched vulnerabilities. If you’ve kept your plugins updated and they are regularly maintained by the authors, there’s not any reason for concern. Sure, there could be a zero day vulnerability, but that’s highly unlikely.

It would great if that were true, but we frequently are finding hackers probing for usage of plugins and then finding vulnerabilities in the current version that hackers would target if they were aware of them. Those vulnerabilities are likely to be zero-day vulnerabilities, which are vulnerabilities being exploited before the developer of the software is aware of them. Making this more concerning is the fact that we appear to be the only security company that is spotting those, despite other companies claiming that they do they same type of monitoring. Wordfence for example promotes their paid service in part by claiming that “Wordfence protects over 1 million WordPress websites, giving us unmatched access to information about how hackers compromise sites” and they even claim exclusively be aware of many zero-day vulnerabilities (that claim is based on their confusion between any vulnerability they have discovered in a plugin and an actual zero-day vulnerability, which is of much more concern). Focusing on the real insecurity of WordPress plugins could actually lead to improved security whereas a focus on non-existent brute force attacks only seems to waste time and help the bottom line of security companies.