I can clear up a few points here, but first I want to say thanks to Jan for all the good suggestions and links. Your insights are thoughtful and truly helpful.
To Treebeard: As I have just discovered today, that WishList Member plugin is in fact OK, and I am confirming it is a false positive. I am working on whitelisting it now. Thanks for bringing it to my attention.
There is actually a built-in way to restore files that have been mistakenly cleaned/fixed. Just go to the View Quarantine page and check the boxes by the files you want to restore, then click Restore.
And now let me clear up the "WP Login Exploit" issue. Over a year ago I labeled TimThumb as an Exploit because it could be used to place malicious scripts on a host site without any credentials. My plugin was made to find these vulnerabilities and automatically fix them by upgrading the files to a new patched version (and also remove the injected malicious scripts). I came under fire for my bold, pro-active solution at that time too. But my solution was working and highly appreciated by my users, so I stood my ground and helped thousands of people get their sites cleaned up and protected.
So now it comes again and I must defend my bold actions and Exploit label again. I understand you agree with the defense of the core WordPress login page (any page that prompts for a login is susceptible to brute-force attack, it's true), but there is one crucial point that has been missed here that tipped the scales for me and propelled me into pro-active prevention once again. You may have heard that an extremely high volume of brute-force attempts targeting WordPress login pages has sprung up over the past month. This was a sudden onset of a wide-spread attempt to gain access to WordPress sites around the world. Again, I would agree that this SHOULD NOT be a problem IF you have a strong password. However, it was a problem for servers hosting WordPress sites, even if the login attempts were all failing!
- Here is the (possibly unintended) problem for WordPress users (even if you have a strong password) that no other plugin I know of has yet overcome (other than mine):
The first thing the wp-login.php file does is load the WordPress bootstrap (wp-load.php).
When bombarded with thousands of login attempts per minute (even failed ones), the loading of WordPress creates an overhead that has proven to be too high for many servers under those conditions. You may say "well, you're just not using an adequate server then". Well, I have seen first-hand the effect of these attacks on servers from a variety of popular hosting providers like ixwebhosting, hostgator, godaddy, bluehost, and even some private VPS machines. This attack was crippling the servers and every site hosted on them. Only by being "out there in the field" when these attacks started, and my clients granting me full access to their servers, was I able to determine the cause of the server overload. My first fix was to rename the wp-login.php file, and I made a script and posted a blog entry on how to do it. Many of the larger hosting companies globally blocked all access to the wp-login.php URLs while they worked on a way to endure these attacks and keep their servers running.
My plugin can find the "Exploitable" files and patch them with an open-source code solution that loads before the WordPress bootstrap and successfully prevents the server overload from occurring. It simply kills the login attempt (pre-bootstrap) if certain conditions match this specific type of brute-force attack that has had this effect on all these servers.
So there it is. I hope you were patient enough to read through my explanation completely. I want to point out that I love WordPress; I'm a big fan and huge supporter of open-source projects. I have donated countless hours to helping people around the world to un-hack their sites. I help anyone who contacts me and, while I always welcome donations for my plugin, I do not require anyone to pay to use my plugin. Nor have I ever turned down anyone's request for help due to lack of donation or ability to pay. I have even helped a lot of people that paid someone else (like $89 to Sucuri) to get them clean and they are still infected and getting no more help; then I come along and do everything I can to help and usually get them all clean.
I hope you can overlook the blemish that my Exploit label may create and see that I am here to help WordPress become better, because I believe in the WordPress platform.
I'd be happy to hear any followup comments on all this and I will always support my plugin and any ideas and suggestions that make it better.
Aloha to all,
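The mechanism the post above describes (a check that runs at the top of wp-login.php, before wp-load.php is required, so a matching request is dropped without paying the cost of loading WordPress) can be illustrated with a small PHP fragment. This is an added example and not the plugin's own patch: the post does not disclose which conditions the plugin matches, so the condition used here (a POST that arrives without a cookie issued when the login form was fetched) and the cookie name `login_form_seen` are assumptions chosen for illustration.

```php
<?php
/**
 * Added example (not the plugin's code and not WordPress core): a pre-bootstrap
 * gate placed at the very top of wp-login.php, BEFORE the line that requires
 * wp-load.php. Nothing below needs WordPress, so a rejected request costs a
 * few microseconds instead of a full bootstrap.
 *
 * Matching condition (an assumption for illustration): a real browser fetches
 * the login form with GET before submitting it with POST, so a POST that
 * arrives without the cookie set on that GET is treated as a direct probe.
 */

const LOGIN_FORM_COOKIE = 'login_form_seen'; // hypothetical cookie name

/**
 * Return true when the request is a POST to the login page that never
 * fetched the form first (no form cookie present).
 */
function is_direct_login_post(array $server, array $cookie): bool
{
    if (($server['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
        return false; // GET and HEAD: serve the form normally
    }
    return !isset($cookie[LOGIN_FORM_COOKIE]);
}

if (is_direct_login_post($_SERVER, $_COOKIE)) {
    // Kill the attempt here; wp-load.php is never reached.
    http_response_code(403);
    header('Content-Type: text/plain');
    echo "Login rejected\n";
    exit;
}

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'GET' && !isset($_COOKIE[LOGIN_FORM_COOKIE])) {
    // Issue the form cookie so the browser's subsequent POST passes the gate.
    setcookie(LOGIN_FORM_COOKIE, '1', [
        'path'     => '/wp-login.php',
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

/* Original wp-login.php continues from here, e.g.: */
// require __DIR__ . '/wp-load.php';
```

Two caveats a practitioner would want: wp-login.php is a core file, so a patch placed there is overwritten by the next WordPress upgrade and must be re-applied; and a form-cookie gate only removes the cheap, direct POST floods, since an attacker who fetches the form first will pass it, so it complements rather than replaces rate limiting at the web server or firewall.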