1. Konstantin Kovshenin

    Hah! In other words you’re giving Wordfence permission to bruteforce your passwords. Nice. And then the next version might ship with a shell for them to control your server, but hey that’s for your security and don’t worry, it’s encrypted. No thanks :)


    • Jeff Chandler

      I’ve pointed out your comment to the Wordfence team and asked them to respond.


      • mmaunderMaunder

        Thanks Jeff for a great article and a great site. Interesting conversation here so I thought I’d weigh in.

        I think the first thing that’s important to note is that if you install a plugin on your WordPress site e.g. Akismet, Wordfence, WordPress SEO or any of the other great plugins out there, you’re essentially giving them admin access to your site. So worrying that Wordfence or Norton or some other anti-virus product is going to hack you is like giving someone front door keys and worrying they’ll break down a wall to get in.

        To perform a password audit we double encrypt your data and analyze it on our servers. To put this in perspective, if you’re using one of the many backup plugins out there, they take that same data and store it externally but without doing the level of encryption we do. So we really are going above and beyond to keep you and your data secure.

        Once we find a weak password we never store the password – instead we just make a note of the password length and first letter and send that back to you securely. We do this so that you know we’re not lying about having cracked a password.

        Then we clean your data off our servers.

        So that’s it – super secure and a useful feature.

        I’d like to just clarify something else because it really helps you to understand the power of Wordfence Password Auditing: We are telling you not only which ‘admin’ level passwords are weak, but we’re giving you a way to warn your users about weak passwords they use. Of course it’s bad practice to use the same password across multiple websites, but unfortunately many users do, especially those with weak passwords. So this feature gives you a way to alert those users that they have a problem with the way they come up with passwords.

        The result is that not only will you force them to use a stronger password on your website, but it’s quite likely they will use better and unique passwords across the other websites and services they use.

        So by installing Wordfence and doing a password audit, you’re doing your user community a service.


        Mark Maunder – Wordfence Founder/CEO.


    • Joachim Jensen,Intox Studio

      It doesn’t really sound like brute force, but rather a dictionary attack. It makes sense, really, especially in a time where everybody in the WordPress community are focused on the recent hacks/vulnerabilities.

      If you want to see how long it would take to crack your password by brute force, see https://howsecureismypassword.net/ (if you trust the site not to save what you enter)
      Note that Wordfence already has measures built-in their free version to limit login attempts.


  2. Rick

    I guess it could be useful for people who use weak passwords and I suppose just given numbers of scale that WP sites do get hacked via password. Not sure I’d call that “hacked” but more like, “oops”.

    Traditional hacking does not attempt go through the front door (Mathew Broderick 101 LOL).

    The theory is quite simple. Find a plugin that has considerable usage which the WP site or ThemeForest etc. readily display: “Downloaded 14 quadbillionzillion times”. Install it. Throw hackers tools at it and/or security penetraion prevention – ware and see what turns up.

    Some of the better commercial based penetration testing software is AMAZING. They are created to attack Enterprise level applications be they Internet, Intranet, stand alone etc. They are built for industry and thus are quite adapt at what they do.

    A hacker finds the flaws. They then look at source code to find a signature. Data that comes back to a browsing session. It can be as little as a exposed comment, HTML, Javascript basically using these aspects as signatures of a potential targeted site. Just as “search engine bots” identify site applications so as well can any bot. I am sure that some hacker out there made a bot that does nothing but thus a list exists of who knows how many WP, Joomla whatall installations.

    Its relatively easy if a hole is discovered in some plugin to automate action against it.

    Running a zillion passwords against a zillion sites most assuredly can identify sites with weak passwords. Or, WP could by code enforce string passwords. Thats not hard to do. Maybe hard to remember for a user, but not hard to do.

    The general “web” concept (those automated thingies that have “Weak” or “Good” or “Excellent”
    password choice are usually pretty dumb.

    Instead concepts such as data pairs tend work better. AKA: Password must contain two Upper,Lower and Numeric data pairs: “wF3” and “Y2p” for example at the least or they can of course be larger. Regex wise, not real difficult to parse against.

    Instead sites say, “Must have at least 1 uppercase or 2 and a numeric” etc.

    Other ways include (but not limited to via automation) having a user password and partial password generated and concatenated. Simple “Enter an important date you will remember” which is then mashed by code, indexed across a datastore of buckets of 3-5 letter words and is attached.

    Actually I know a way come to stink of it (errr think of it) that protecting insecure admin logins can essentially be virtually completely eliminated. Perhaps I should create that.


Comments are closed.

%d bloggers like this: