Developer of Limit Login Attempts Reloaded Admits Brute Force Attacks Are Not Happening
There is a widespread belief that there are brute force attacks against WordPress admin passwords going on. Just one plugin, Limit Login Attempts Reloaded, which is focused on preventing those attacks, has 2+ million installs. Despite the widespread belief, those attacks are not happening. Security providers that falsely claim they are happening sometimes admit as much. We recently found that to be the case with the developers of Limit Login Attempts Reloaded.
In the first sentence of the description of their plugin on the WordPress Plugin Directory, they link the words “brute force attacks” to a post on their website. The first sentence of that post accurately describes what a brute force attack is: “Brute force attacks are relentless and automated attempts to crack passwords or encryption keys by systematically trying all possible combinations until the correct one is found.” Later in the post, they admit what is really happening with malicious login attempts, dictionary attacks: “The most popular method is a dictionary attack, which involves using precompiled dictionaries of commonly used passwords. These dictionaries may include words from various languages, character substitutions, and common phrases.”
That is a critical difference. An attack that tries logging in using common passwords will never succeed if those common passwords are not used, while a brute force attack would eventually succeed (how long it would take to succeed partly explains why those attacks don’t happen). The approach to protecting against the two types of attack is also different.
Later on, they admit that WordPress already provides protection against dictionary attacks: “One notable strategy involves the integration of strong password policies and the encouragement of complex, unique passwords.”
So why claim that brute force attacks are happening when they are actually dictionary attacks? Well, WordPress already provides the solution for what is really going on. So by claiming something else is going on, websites need to add a plugin to protect against the threat. From there, developers can try to scare people into believing they are at risk of getting hacked by emphasizing attacks that otherwise would be completely ignored. Take one user of Limit Login Attempts Reloaded, who got freaked out despite not needing to:
Hi, I have inserted your plugin and I have actually realized that the site, after a virus, is the object of continuous attack: in the sense that I have now realized that there are hundreds of access requests every day. I have changed the password by setting a very difficult one but the requests continue to be there, I have decreased the number of access attempts and increased the lookout time but what else can I do to discourage and block this situation?
Of course, the developer’s solution is to get the premium version of the plugin. The correct solution would be to stop using Limit Login Attempts Reloaded, as those failed login attempts could be safely ignored and were being safely ignored before they installed the plugin.
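As an added illustration (not code from the post, the plugin, or WordPress), the following Python works through the two points the argument above turns on: a dictionary attack only succeeds if the password is in the dictionary, and an exhaustive brute force search at the rates a web login form actually sees would take far longer than anyone would wait. The wordlist, the alphabet sizes and the attempt rates are constructed sample values; the few-hundred-attempts-per-day rate is chosen to match the scale the quoted user describes.

```python
import secrets
import string
from typing import Iterable, Optional

# Constructed sample of "commonly used passwords" standing in for a real wordlist.
COMMON_PASSWORDS = [
    "123456", "password", "qwerty", "admin",
    "welcome1", "letmein", "iloveyou", "football",
]

SECONDS_PER_YEAR = 365 * 24 * 3600


def dictionary_attack(target_password: str, wordlist: Iterable[str]) -> Optional[int]:
    """Simulate a dictionary attack against one account.

    Returns the number of attempts needed to hit target_password, or None if
    the password is not in the wordlist at all, in which case the attack can
    run forever and never succeed. This is the point of the post: a unique,
    non-dictionary password is not at risk from this kind of attack.
    """
    for attempts, candidate in enumerate(wordlist, start=1):
        if candidate == target_password:
            return attempts
    return None


def brute_force_years(password_length: int, alphabet_size: int,
                      guesses_per_second: float) -> float:
    """Expected years for an exhaustive search to find a random password.

    A true brute force attack tries every combination; on average it finds the
    password after trying half the keyspace. The result is expressed in years
    at the given guess rate.
    """
    keyspace = alphabet_size ** password_length
    expected_guesses = keyspace / 2
    return expected_guesses / guesses_per_second / SECONDS_PER_YEAR


def generate_strong_password(length: int = 16) -> str:
    """Generate a random password over letters, digits and punctuation.

    This is the "strong, unique password" the plugin's own post says defeats
    dictionary attacks: it will not appear in any precompiled wordlist.
    """
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # A common password falls to the dictionary attack on the second try.
    print("attempts for 'password':", dictionary_attack("password", COMMON_PASSWORDS))
    # A random password is never found by the dictionary attack.
    strong = generate_strong_password()
    print("attempts for random password:", dictionary_attack(strong, COMMON_PASSWORDS))
    # Brute force at an aggressive 1,000 guesses/second against the login form:
    print("8 lowercase chars at 1000/s: %.1f years" % brute_force_years(8, 26, 1000))
    print("16 mixed chars at 1000/s: %.3g years" % brute_force_years(16, 94, 1000))
    # The rate in the quoted report, a few hundred failed logins per day:
    per_day = 300
    print("8 lowercase chars at %d/day: %.3g years"
          % (per_day, brute_force_years(8, 26, per_day / 86400)))
```

The numbers make the post's reasoning concrete: even a short all-lowercase password takes years to exhaust at a thousand guesses per second, and at the few hundred attempts per day a real site sees the search runs to hundreds of thousands of years. What those daily failed logins can actually do is hit an account whose password is in a wordlist, which is exactly what a strong, unique password prevents without any plugin.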
As part of our continued attempt to stop this abuse of the WordPress community by unscrupulous security providers, we are now warning about security plugins that are spreading the false claim that brute force attacks are happening through our Plugin Security Scorecard.