Vulnerability Details: Persistent Cross-Site Scripting (XSS) in WPS Limit Login
What always seems like a good indication of the poor state of security of WordPress websites is how many of them use security plugins that are themselves insecure or that provide protection that is easily bypassed. Both have applied to the plugin WPS Limit Login, which has 10,000+ installs. The changelog for the latest version of the plugin is “Fix : Security vulnerabilities (Thanks @juliobox)”. Looking over the changes made, we noticed what looks like an attempt to fix an easy way to bypass the plugin’s functionality, but the change fails to accomplish that. It did fix a more serious vulnerability.
…