How a security login plug-in becomes insecure
Loginizer in brief
WordPress.org states that “Loginizer is a WordPress plugin which helps you fight against brute-force attack by blocking login for the IP after it reaches maximum retries allowed. You can blacklist or whitelist IPs for login using Loginizer. You can use various other features like Two Factor Authentication, reCAPTCHA, PasswordLess Login, etc. to improve security of your website”.
I will try to explain this in simple terms.
These days a WordPress site is a likely target for attack once it becomes popular, and attackers usually start with the login page. Many plugins and scripts exist to protect your login page from such attacks.
Loginizer is a plug-in developed to secure your login page against brute-force attacks.
After a few failed login attempts, the plug-in blocks the offending IP and sends a notification when someone is locked out. Whitelisting and blacklisting of IPs or IP ranges are also available.
The features of the Loginizer plug-in:
- reCAPTCHA integration in very little time.
- Limits the number of login attempts and blocks offending IPs.
- Because login attempts are limited, bot iteration is blocked (brute-force protection).
- The admin is notified of any change to the WP core files.
- XML-RPC can be disabled.
- Pingbacks can be disabled.
- Whitelisting and blacklisting of IPs or IP ranges.
- E-mail notifications about abusive IPs.
How vulnerable is your website?
Loginizer is a WordPress plug-in actively used by 550000+ WordPress websites.
The unhappy part is that many of them may still be running the outdated version 1.3.5 and could be exploited at any moment.
To be precise, the plug-in is downloaded roughly 10000 to 12000 times a day.
If you think you might be among them, your website may be under threat; the question to ask yourself is: what have you done about it?
The latest audit of Loginizer found a Cross-Site Request Forgery (CSRF) vulnerability and a SQL injection vulnerability. In Loginizer version 1.3.6 and before, SQL injection is possible via the X-Forwarded-For HTTP header.
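To make the header-based injection concrete, here is an added illustration (constructed for this post, not Loginizer's own code) of the vulnerable pattern beside a hardened version. The function names and the `failed_logins` table are assumptions for the example; `$wpdb->prepare()` and `filter_var()` are the real WordPress and PHP APIs.

```php
<?php
// Constructed illustration of the vulnerability class described above; not Loginizer's code.
// Assumed names: client_ip_vulnerable(), client_ip_hardened(), the *_failed_logins table.

// VULNERABLE PATTERN: trusts a client-controlled header and concatenates it into SQL.
function client_ip_vulnerable() {
    // Any client can send X-Forwarded-For, so its value is attacker-controlled text, not an IP.
    if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        return $_SERVER['HTTP_X_FORWARDED_FOR'];
    }
    return $_SERVER['REMOTE_ADDR'] ?? '';
}

function record_failed_login_vulnerable($wpdb) {
    $ip = client_ip_vulnerable();
    // String interpolation: whatever the header contains becomes part of the query text.
    $wpdb->query("INSERT INTO {$wpdb->prefix}failed_logins (ip, time) VALUES ('$ip', " . time() . ")");
}

// HARDENED PATTERN: honour the header only behind a known proxy, validate the
// value as an IP literal, and bind it with a prepared statement.
function client_ip_hardened(array $trusted_proxies) {
    $remote = $_SERVER['REMOTE_ADDR'] ?? '';
    if (in_array($remote, $trusted_proxies, true) && !empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        // Use the rightmost hop, which our own proxy appended; leftmost entries are client-supplied.
        $hops = array_map('trim', explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']));
        $candidate = end($hops);
        if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
            return $candidate;
        }
    }
    // Fall back to the socket address, which the client cannot forge at the HTTP layer.
    return filter_var($remote, FILTER_VALIDATE_IP) !== false ? $remote : '0.0.0.0';
}

function record_failed_login_hardened($wpdb, array $trusted_proxies) {
    $ip = client_ip_hardened($trusted_proxies);
    // Parameter binding keeps the value as data even if the validation above were bypassed.
    $wpdb->query($wpdb->prepare(
        "INSERT INTO {$wpdb->prefix}failed_logins (ip, time) VALUES (%s, %d)",
        $ip,
        time()
    ));
}
```

Validation and prepared statements are independent defences; the hardened version applies both, so a header that passes the IP check still cannot alter the query.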
What has to be done?
An immediate update is the only possible remedy
Upgrade to the latest version of the plug-in, version 1.3.8, as soon as possible to avoid abuse by hackers.
According to the NIST (National Institute of Standards and Technology) NVD (National Vulnerability Database), the vulnerability is currently awaiting analysis.
So, rather than relying on post-attack measures, follow the established practices and norms and protect your website from hackers with preventive steps.
Was the vulnerability fixed?
Yes. The vulnerability was fixed in the updated version 1.3.6, which was corrected according to security protocols and made free of the bug.
The following changes were made in version 1.3.6 to address the version that was prone to attack:
- Pagination was added to the Blacklist and Whitelist IPs.
- The SQL injection via X-Forwarded-For, found by Jonas Lejon, was fixed.
- The missing referrer check in the Blacklist and Whitelist IP Wizard was fixed.
The vulnerability in plug-in version 1.3.5 was discovered on 02-08-2017.
It was fixed on 07-08-2017 in the updated version 1.3.6, and a blog post was published the next day, 08-08-2017.
I hope this blog makes clear that even a security plugin can introduce insecurity, and how that in turn harms a WP website.
It is always recommended to stick to the security norms, especially applying updates, to avert such issues.
Thus we have discussed how a login protector can fail to protect. We have suggested what we knew.
You might have had several personal experiences and close encounters, or heard of one or two.
Feel free to share those in the comments, along with any suggestion you feel we forgot to mention; that way many might benefit from it.
What do you think is the best practice to avoid such a mishap in the future?