On April 11th, 2023, a software update was released to patch a severe vulnerability in the Limit Login Attempts WordPress security plugin. With over 600,000 installations, it is among the most popular WordPress plugins used to help prevent unauthorized access to administrator dashboards. In an ironic twist, this vulnerability may allow attackers to do just the opposite: it could enable unauthenticated hostile takeovers of websites.
We recommend that users patch to version 1.7.2 as soon as possible to help prevent website compromise. Fortunately, users of our website firewall are protected against this exploit.
Why limit login attempts?
This plugin is particularly popular because it addresses a severe problem present in the default configuration of WordPress websites: there is no limit on failed login attempts. This leaves WordPress websites running default configurations vulnerable to brute force and password guessing attacks.
While limiting login attempts is not as robust a solution as, for example, disallowing access from unapproved IP addresses, it can still be a useful part of a defense in depth strategy to secure your website, alongside other controls such as 2FA.
Vulnerability details
Fortunately, the vulnerability does not affect every website using this plugin, as it requires a very specific configuration to be exploited. Namely, both of these options must be set:
- Site connection – from behind a reverse proxy
- Log IP of locked out users – enabled
Because the stored IP value is neither sanitized nor escaped, attackers can craft malicious requests to vulnerable websites.
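The two conditions above point at the defensive pattern that was missing: when a site trusts a reverse proxy, the "client IP" is taken from a request header that the client can influence, so it must be validated before it is stored and escaped when it is rendered in the admin screen. The following is an added example, not the plugin's code and not a reconstruction of its patch; the function and option names are hypothetical, and it assumes the proxy forwards the client address in the X-Forwarded-For header.

```php
<?php
// Added example (not the plugin's code): validate a proxy-supplied client IP
// before storing it, and escape it on output. Function and option names are
// hypothetical. Assumes a reverse proxy that sets X-Forwarded-For, which is
// the "site connection from behind a reverse proxy" configuration described
// above.

/**
 * Return the client IP to log, or null when no trustworthy value exists.
 *
 * $trust_proxy_header mirrors the "behind a reverse proxy" site-connection
 * option; when it is false the forwarded header is ignored entirely.
 */
function lla_example_client_ip( bool $trust_proxy_header ): ?string {
    $candidate = $_SERVER['REMOTE_ADDR'] ?? '';

    if ( $trust_proxy_header && ! empty( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) {
        // X-Forwarded-For may hold a comma-separated chain; the left-most
        // entry is the original client as reported by the first proxy.
        $parts     = explode( ',', $_SERVER['HTTP_X_FORWARDED_FOR'] );
        $candidate = trim( $parts[0] );
    }

    // The key check: only a syntactically valid IPv4/IPv6 address is accepted.
    // Anything else (markup, script fragments, oversized strings) is rejected
    // rather than written to the database.
    if ( filter_var( $candidate, FILTER_VALIDATE_IP ) === false ) {
        return null;
    }
    return $candidate;
}

/** Store a lockout record; an unvalidated value never reaches this point. */
function lla_example_log_lockout( bool $trust_proxy_header ): void {
    $ip = lla_example_client_ip( $trust_proxy_header );
    if ( $ip === null ) {
        return; // nothing trustworthy to log
    }
    $log   = get_option( 'lla_example_lockout_log', array() ); // hypothetical option name
    $log[] = array( 'ip' => $ip, 'time' => time() );
    update_option( 'lla_example_lockout_log', $log );
}

/**
 * Render the log in the admin screen. Output is escaped even though input was
 * validated, so a future change to the storage path cannot reintroduce the bug.
 */
function lla_example_render_log(): void {
    $log = get_option( 'lla_example_lockout_log', array() );
    echo '<ul>';
    foreach ( $log as $entry ) {
        printf(
            '<li>%s at %s</li>',
            esc_html( $entry['ip'] ),
            esc_html( gmdate( 'Y-m-d H:i:s', (int) $entry['time'] ) )
        );
    }
    echo '</ul>';
}
```

Two independent layers are doing the work here: `filter_var( ..., FILTER_VALIDATE_IP )` stops non-address strings from ever being stored, and `esc_html()` at render time protects the administrator's browser even if a bad value gets into the option by some other path. Either layer alone would have been enough to prevent the class of issue described above; the plugin lacked both.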
More details on the technical aspects of the vulnerability can be found in Wordfence's post. Fortunately, they identified the issue before attackers did, which allowed the plugin developers to issue a patch and website administrators to update.
Mitigation steps
As usual, we recommend that website administrators keep their websites regularly patched and updated to avoid being exploited by vulnerabilities such as this one.
Enabling automatic updates for your WordPress plugins is also advisable for security reasons: websites with this configuration are patched before anybody else and give attackers almost no time to exploit the vulnerability (assuming responsible disclosure was practiced and a patch is available).
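WordPress exposes a filter for opting plugins into automatic updates, which is one way to put the advice above into practice without relying on each plugin's own update screen. The snippet below is an added example, not part of the original post; it uses the real `auto_update_plugin` filter, but the list of plugin file paths is a placeholder that you would replace with the entries from your own site's plugin list.

```php
<?php
// Added example (not from the original post): opt selected plugins into
// WordPress automatic updates via the core auto_update_plugin filter. Drop
// this into a must-use plugin (wp-content/mu-plugins/) so it cannot be
// disabled from the dashboard. The plugin paths below are placeholders.

/**
 * Plugins that must always auto-update. Use the "Plugin file" path as shown
 * in the plugin list, e.g. "plugin-dir/plugin-main-file.php".
 */
function example_always_auto_update_list(): array {
    return array(
        'PLACEHOLDER-security-plugin/PLACEHOLDER-security-plugin.php',
    );
}

/**
 * Filter callback: $update is core's current decision, $item is the update
 * offer object whose ->plugin property holds the plugin file path.
 */
function example_force_plugin_auto_update( $update, $item ) {
    if ( isset( $item->plugin ) && in_array( $item->plugin, example_always_auto_update_list(), true ) ) {
        return true;  // always install updates for the listed plugins
    }
    return $update;   // leave every other plugin's setting untouched
}
add_filter( 'auto_update_plugin', 'example_force_plugin_auto_update', 10, 2 );
```

Returning `$update` unchanged for unlisted plugins matters: returning `false` there would silently switch off auto-updates that administrators had enabled through the dashboard.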
We also recommend placing your website behind a web application firewall and practicing defense in depth to keep attackers at bay.