Support » Plugin: Limit Login Attempts » Mysteriously Broken

  • Even though this plugin is no longer under development, it is still being recommended. Unfortunately, I have found some problems with it, and there appear to be at least 2 work-arounds that the script kiddies have found to defeat the protection offered by this plugin. I would warn folks NOT to rely on this plugin — here is an example of a fairly big security hole. Here are two emails I got from limit login attempts yesterday:

    WordPress 2:59 AM (16 hours ago)
    to me
    4 failed login attempts (2 lockout(s)) from IP: 104.194.25.135
    Last user attempted: [my admin account name]
    IP was blocked for 72 hours

    WordPress 10:45 AM (8 hours ago)
    to me
    4 failed login attempts (2 lockout(s)) from IP: 104.194.25.135
    Last user attempted: [my admin account name]
    IP was blocked for 72 hours

    If you look carefully, you will see that the IP was *NOT* blocked after two lockouts for the 72 hours that I had set up when I installed it.

    I also discovered that using xmlrpc.php appears to circumvent limit login attempts, so I added this to my .htaccess file:

    <Files xmlrpc.php>
    Order Deny,Allow
    Deny from All
    Allow from [my IP address]
    </Files>

    That apparently wasn’t enough, so I added this:

    order allow,deny
    deny from 104.194.25.
    allow from all

    I suspect this is a temporary solution, since the script-kiddies have learned how to spoof IP addresses at will.

    This plugin gives only a false sense of security in the escalating battle with the blackhats, and the obvious flaws in the plugin lead me to consider it not worth my trust, and leads me to warn others away from it.

    Right now, I don’t have enough understanding of how things work with WP to go in and try to fix these problems (if they are actually fixable on this level, which is not a foregone conclusion), so I’m still looking for a better approach.

    I have installed Ninja WP Firewall, which cut the brute-force attacks *way* down, but did not eliminate them (from over 1000/day, enough to make the site unusable, to fewer than 5 a week). Since a few brute-force attacks are still getting through, I predict that whoever discovered the work-around will be selling it to the script-kiddies soon, rendering Ninja WP Firewall essentially useless — but at least it is still under active development.

    Even though I don’t expect brute-forcing my very long, randomly-generated password to succeed, 1) the attacks are a damned nuisance, and 2) I am fearful that there may be other security holes I currently don’t know about.

    There are a few sites on which I am the only person with a login, and I use .htaccess to whitelist my IP. For now, that works pretty well. Next thing to try is to password-protect the wp-admin directory of the sites with more than one user. That will make things less convenient for me as well as the other users, but less so than having to clean up a hacked site.
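
The check the poster did by eye on the two lockout emails (a second notice for the same IP arriving inside the announced 72-hour block) can be run over a whole mailbox. This is an added example, not part of the original post or the plugin's code; it assumes each notification has been paired with its received time, the "minute" wording is an assumption, and the sample data is constructed.

```python
import re
from datetime import datetime, timedelta

# Patterns follow the notification wording quoted in the post above.
IP_RE = re.compile(r"from IP:\s*(\S+)")
BLOCK_RE = re.compile(r"IP was blocked for (\d+) (hour|minute)s?")  # "minute" is assumed

TEMPLATE = ("4 failed login attempts (2 lockout(s)) from IP: {}\n"
            "Last user attempted: siteowner\n"
            "IP was blocked for 72 hours")

# Constructed sample: (received time, message body). Dates and addresses are
# made up; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE = [
    ("2015-01-10T02:59:00", TEMPLATE.format("203.0.113.7")),
    ("2015-01-10T06:00:00", TEMPLATE.format("198.51.100.20")),
    ("2015-01-10T10:45:00", TEMPLATE.format("203.0.113.7")),    # 8 h into a 72 h block
    ("2015-01-11T00:00:00", "Unrelated message"),               # skipped by the parser
    ("2015-01-14T06:30:00", TEMPLATE.format("198.51.100.20")),  # earlier block has expired
]

def parse(received, body):
    """Return (received time, ip, lockout duration), or None if not a lockout notice."""
    ip, block = IP_RE.search(body), BLOCK_RE.search(body)
    if not ip or not block:
        return None
    unit = timedelta(hours=1) if block.group(2) == "hour" else timedelta(minutes=1)
    return datetime.fromisoformat(received), ip.group(1), int(block.group(1)) * unit

def find_unenforced_lockouts(messages):
    """Return (ip, first_notice, repeat_notice, expected_expiry) for each notice
    that arrives while an earlier lockout of the same IP should still be in force."""
    active = {}    # ip -> (time of notice, expiry of the lockout it announced)
    findings = []
    parsed = [p for p in (parse(r, b) for r, b in messages) if p]
    for when, ip, duration in sorted(parsed):
        prev = active.get(ip)
        if prev and when < prev[1]:
            findings.append((ip, prev[0], when, prev[1]))
        active[ip] = (when, when + duration)
    return findings

if __name__ == "__main__":
    for ip, first, repeat, expiry in find_unenforced_lockouts(SAMPLE):
        print(f"{ip}: locked out {first}, new notice {repeat}, block should last until {expiry}")
```

A finding shows that failed logins from the address were still being counted during the announced block; it does not by itself say which request path they arrived on.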

Viewing 2 replies - 1 through 2 (of 2 total)
  • It doesn’t look to me that xmlrpc isn’t secured by the plugin. The plugin hooks to filters which are directly or indirectly called by wp_authenticate. The xmlrpc code uses this function too.

    I think the problem is from somewhere else. One question: are the affected systems multisite installations?

    Thread Starter Howard Harkness

    (@chltx)

    None of my sites use WP multisite. You are probably right, though – the problem is “somewhere else” – namely, that the script kiddies have figured out how to defeat, or just go around, this outdated and inadequate plugin.

    I still use “Limit Login Attempts” but only to provide some reporting to alert me about ongoing brute-force attacks. I ignore the attempts on “admin” since that is a dummy account on my site with a very long random password — and no role for the site. When I see a report listing one of my real admin accounts, I update my .htaccess, which seems to help, at least temporarily. I use very large randomly-generated passwords on all of my accounts, which I hope will at least slow the attackers down enough for me to take other measures.

    As I said, “Ninja WP Firewall” appears to help, but I had a recent problem with that one (I think) — I awoke a few days ago to find that one of my sites had gone over the disk quota. Turned out that it had over 100 core-dumps, and it was dumping about every 5 minutes. It took some effort to get the core-dumps deleted — surprisingly, I couldn’t delete anything until I increased the disk quota. NWF issued an update the next day, which appears to have fixed that problem, although that particular problem was not mentioned in the revision notes.

    I’m still looking for better solutions.

  • The topic ‘Mysteriously Broken’ is closed to new replies.