Last week we looked at one example of the poor state of security information surrounding WordPress, security companies falsely claiming that brute force attacks against WordPress admin passwords are happening (and also offering products and services that are supposed to protect against that non-existent threat). That has negative impact on security since you end with a lot focus and concern on something that isn’t actually threat while other issues, like the poor state of WordPress plugin security, which actually leads to websites being hacked, don’t get the focus and concern they should and needs to get.
While security companies being part of the problem isn’t something that really surprises anymore, considering that most of them seem to either know and or care little about security, when other companies that you would expect to be better, are part of the problem, it is surprising to us. That brings us to the company closely connected to WordPress, Automattic, which has among their offerings the plugin Jetpack.
Despite the fact that brute force attacks simply are not happening, protection against them is prominently advertised feature of the Jetpack plugin. As can be seen on the plugin’s page on wordpress.org:
and on the features page on the plugin’s website:
It easy to think the public would be more likely believe that they were happening when they see that.
At the same time the Jetpack website provides further confirmation that brute force attacks are in fact not happening. Going back to our previous post, with a password made up of numbers and letters (upper case and lower case) that is six characters long, there are over 56 billion possible combinations. By comparison according to the website, Jetpack has only blocked over 1 billion attempts:
Jetpack has blocked over one billion malicious log-in attempts aimed at our users’ WordPress websites.
While that might be enough attempts for a brute force attack to succeed if they all occurred on one website, that is a cumulative total across possibly millions of websites and maybe for a period of over a year, so it shows that there are not even close to enough attempts for brute force attacks to be happening.
We hope that Automattic will become more consciousness of the impact they have on the security of WordPress going forward, because it would be a help to us and others that are trying to improve the situation.
OK, OK. We get it. You’re being very pedantic about the words “brute force.” And yes, maybe a lot of security companies are using the term incorrectly. But, that doesn’t mean that the bad guys aren’t trying to break in.
Consider those that pick the low hanging fruit by using a user enumeration request to discover a username and then, depending on what returns, hit that with a dozen or so guesses. True, that’s not a “brute force” attack, but it can yield results a surprising number of times.
Some security products do enough detection to know that there’s a password guessing attack underway and they try to stop it. … sometimes quite effectively.
So, why quibble so much about the words “brute force?”
You should read the previous post on the fact that brute force attacks are not happening, as we already addressed the questions you have raised in that. The short version is that we a) don’t claim there are not malicious login attempts and b) the more effective solution to prevent an attack with a few dozen attempts is to use a strong password. If the password could actually be guessed in a few dozen attempts, then it would be rather trivial for someone to work around brute force attack protection to gain access. Among the options would be to simply space their login attempts to avoid detection or use a botnet to gain access to enough IP addresses that each one could be used for a single login attempt. By using a strong password instead an attacker wouldn’t be successful in this situation, hence the importance to not mislead people into focusing on a type of attack that is not occurring.