Support » Plugin: BruteProtect » Why does BruteProtect allow bruteprotect to remotely enumerate a site's plugins?

  • David Anderson (topic marked Resolved)



    I’ve used BruteProtect on a few sites – it’s been very useful – and was reading the code because I wanted to suggest an action to be called (if not already) when a site is blocked; allowing me to pick up the information and pass it to the firewall.

    When doing so, I learnt that:
    – When a site gets its API key, it also receives back a key from the ‘mothership’ (

    – The mothership can then call back, via a URL of this form, using the key that it knows, in order to enumerate the site’s plugins: <key>

    The output, supplied via bruteprotect/uptime_securewatch.php, is then a JSON-encoded list of the site’s plugins (all plugins – not just BruteProtect), and their versions, together with an indicator of whether or not the site has a user named ‘admin’:

    // Excerpt from bruteprotect/uptime_securewatch.php as quoted above.
    // get_plugin_data() is defined in wp-admin/includes/plugin.php, which is
    // not loaded on front-end requests, so it has to be required explicitly.
    if ( ! function_exists( 'get_plugin_data' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $pls = array();
    $o   = array();

    $plugins = get_site_option( 'active_plugins' );
    // Strip this plugin's own 'bruteprotect/' directory from its path to get the
    // plugins root, then resolve each active plugin's main file against it.
    $t = plugin_dir_path( __FILE__ );
    $t = preg_replace( '/' . preg_quote( 'bruteprotect/', '/' ) . '$/', '', $t );
    if ( is_array( $plugins ) ) : foreach ( $plugins as $pfile ) :
        $pf = $t . $pfile;
        $pl['shortname'] = trim( plugin_dir_path( $pfile ), '/' );
        $p = get_plugin_data( $pf );               // parses the plugin's header comment
        $pl['name']    = $p['Name'];
        $pl['version'] = $p['Version'];
        $pls[] = $pl;
    endforeach; endif;
    $o['version'] = get_bloginfo( 'version' );      // WordPress core version
    $o['plugins'] = $pls;                            // every active plugin, not only BruteProtect
    if ( username_exists( 'admin' ) ) { $o['has_admin_user'] = 1; }
    echo json_encode( $o );

    On the face of it, this appears to be a backdoor, and a breach of the guidelines ( – point 7, unauthorized collection of user data). I can detect no reason in the plugin’s code or design as to why it needs to provide BruteProtect HQ with special access to, at any time, enumerate my site’s plugins or usernames.

    What this looks like very much shakes my confidence in BruteProtect, and I’d really like to hear an explanation of firstly why BruteProtect HQ needed this backdoor, and secondly why it’s nowhere mentioned in the documentation?

    Many thanks,

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author Sam Hotchkiss


    Hi David– I certainly do apologize, this was not intended to make it out into our live code yet, and I’ve released an update removing it.

    We didn’t want to let the cat out of the bag quite yet, but we are working on a service where we can proactively notify you when one of your plugins has been flagged as having a serious security issue (to help distinguish between minor plugin updates and major security fixes)– at this point, we have built the functionality to allow our server (and ours alone– there is a second key which is known only to your site and ours) to get back your plugin name/version, WordPress version, and whether or not you have a user named “admin”, so that we can provide feedback to help you make your site more secure.

    Remember to make that service Opt In 😉

    Hi Sam,

    Thanks – it is reassuring to know that the code was for a purpose and not just a back-door!

    Any chance of adding an action call in brute_kill_login() ?

    do_action('brute_kill_login', $_SERVER['REMOTE_ADDR']);

    That would give other code an opportunity to log the IP somewhere else too – e.g. get the information up to the firewall so that it can be blocked before it uses up any more resources on other sites.
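As an added example of the consumer David describes (not BruteProtect's code, and not part of this thread), here is a small plugin fragment that hooks the proposed brute_kill_login action and records the blocked address in a log that a host-level firewall tool can watch. It assumes the action passes the blocked client's IP as its first argument, exactly as in the do_action() call above; the log path, transient name and function name are hypothetical.

```php
<?php
/*
 * Added example, not BruteProtect's code. Consumes the brute_kill_login
 * action proposed above and forwards blocked IPs to a log file. Assumes the
 * hook's first argument is the client IP; the path below is hypothetical.
 */

// Hypothetical path: a file a host-level tool (e.g. fail2ban) can tail.
define( 'BP_EXAMPLE_BLOCK_LOG', '/var/log/wp-brute-blocks.log' );

function bp_example_on_kill_login( $ip ) {
    // Forward only syntactically valid addresses. REMOTE_ADDR normally is one,
    // but behind a reverse proxy it may be the proxy's address or be rewritten
    // from a client-supplied header, so do not trust it blindly.
    $ip = filter_var( $ip, FILTER_VALIDATE_IP );
    if ( false === $ip ) {
        return;
    }
    // A blocked client keeps retrying. Record each address at most once per
    // hour so the log stays small and the firewall is not fed duplicates.
    $seen_key = 'bp_example_seen_' . md5( $ip );
    if ( get_transient( $seen_key ) ) {
        return;
    }
    set_transient( $seen_key, 1, HOUR_IN_SECONDS );

    $line = sprintf(
        "%s brute_kill_login ip=%s site=%s\n",
        gmdate( 'c' ),
        $ip,
        parse_url( home_url(), PHP_URL_HOST )
    );
    // LOCK_EX keeps concurrent blocks from interleaving partial lines.
    // Failure to write is deliberately non-fatal: logging must never
    // break the login request itself.
    @file_put_contents( BP_EXAMPLE_BLOCK_LOG, $line, FILE_APPEND | LOCK_EX );
}
add_action( 'brute_kill_login', 'bp_example_on_kill_login', 10, 1 );
```

A fail2ban filter for this log would match on the `ip=<HOST>` token, and its jail action would then ban the address at the packet filter, which is the "blocked before it uses up any more resources" outcome the post asks for. The same callback could instead POST the address to a firewall API; the validation and de-duplication steps stay the same.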


    Plugin Author Sam Hotchkiss


    Hey David– no problem, sorry for any confusion!

    We can definitely add a hook in– I’m on vacation this week, so I’m running from the boat to dinner, but I’ll get it in as soon as I have a few!


    Plugin Author Sam Hotchkiss


    Hey David– this hook (along with brute_log_failed_attempt) has been added into, which will be released on Monday.
