WPS Hide Login Updated to Fix Vulnerability via @martinibuster - Website Pro USA

WPS Hide Login, a popular WordPress security plugin, was discovered to have a vulnerability. The vulnerability was patched as soon as it was discovered.

The WordPress Vulnerability Database describes the update like this:

“fixed a vulnerability in version 1.5.4.2 and below that could allow an attacker to find and access the secret login page.”

What Is the WPS Hide Login Vulnerability?

WPS Hide Login is a WordPress plugin that creates a secret admin login page. This prevents hackers from attacking the admin login page with a password guessing attack since the login page is hidden.

The vulnerability allows a hacker to cause the plugin to reveal the URL for the hidden page. A hacker can then begin the attack.

Versions 1.5.4.2 and Older Affected

This vulnerability affects plugin version 1.5.4.2 and below. All users of the plugin are urged to update to version 1.5.5 right away.

How the Vulnerability Was Discovered

A web application firewall publisher, NinTechNet, discovered the vulnerability on January 20, 2020. They communicated the problem to the developers at WPS Hide Login, who promptly closed the vulnerability the same day.

NinTechNet.com published an account of the discovery after the plugin was updated.

WPS Hide Login Changelog

Every WordPress plugin communicates the contents of its updates through a formal log called a changelog. A web publisher can check the changelog from the WordPress plugin dashboard and decide whether an update is important or not.

Some updates can break a site, so some admins may choose not to update unless it’s for something critical.

Ideally, software makers should at the very least communicate how important an update is, and at most just come out and say that it’s patching a vulnerability.

This update is important because the vulnerability compromises the ability of WPS Hide Login to do the one thing that it’s supposed to do: hide the admin login page.

Is it unreasonable to believe that should be communicated within the changelog?

Here is a screenshot of the changelog for WPS Hide Login:

[Screenshot of WPS Hide Login Changelog]

As you can see in the screenshot, there is no mention of what the update addresses nor any hint at the importance of the update.

WPS Hide Login Responded Responsibly

WPS Hide Login acted responsibly by swiftly patching their plugin. But it would be useful if they took the extra step to communicate the importance of any given update when it involves a security vulnerability.
