When it comes to WordPress security, one thing we can’t emphasis enough is that people putting out security products and services for it don’t seem to have a good grasp of security. One of the most glaring examples of this is how often the falsehood that there are lots of brute force attacks against WordPress admin passwords happening, despite the evidence presented that they are happening actually showing the exact opposite.
Recently, while doing testing on how WordPress security plugins did in protecting against real world plugin vulnerabilities (short version, they haven’t done well in the testing so far) for our Plugin Vulnerabilities service we ran across the plugin Anti-Malware Security and Brute-Force Firewall. The plugin is one of the most popular security plugins, with 100,000+ active installs according to wordpress.org.
On the Firewalls Options page you will find that they have an option for Brute-force Protection:
So they are using a non-existent threat to try to get people to register and donate. On top of that, the protection seems to involving modify a core file, which isn’t a very good idea.
It’s a matter of semantics. Your insistence that “brute force” means a full scale attack of tens of thousands of attempts is completely lost in the wind. You are probably the only person in the universe adhering to that definition.
The reality is that most malware bots use very limited, formulaic, probes for wp-admin accounts. While they are certainly not what you call “brute force,” they are problematic to the victims who are successfully attacked. And those victims don’t care whether it fits your definition of “brute force” or not. Their site is broken and the label for the type of attack doesn’t matter.
Trying to get an entire industry to adhere to your definition of “brute force” is like urinating into the wind. At one end of the scale, you get wet and look silly. At the other end of the scale, you sound tyrannical.
Much of your advice is very valuable, but this ranting about other people’s use of “brute force” has gotten stale and sounds like whining.
This isn’t our definition of what a brute force attack, that is what it actually refers to. Here for example is what the Wikipedia says about it, “The attacker systematically checks all possible passwords and passphrases until the correct one is found.” It also would involve a lot more than “tens of thousands of attempts” as we explained before.
Also, as we explained before the type of attack does matter since how you protect against what looks to be actually going on, dictionary attacks, is different then how you do that for brute force attacks. So if people are only concerned about protecting themselves, then what type of attack is actually going on matters. Hence the need to highlight the problem with WordPress security companies misleading people.
It is odd that you are so incensed about it being pointed out that WordPress security companies don’t know what they are talking about and taking advantage of people, instead of what they are doing. If you want to bury your head in the sand on this, our blog really isn’t for you.