Alerts and incidents

WordPress force-updates Loginizer plugin to fix a severe vulnerability

A vulnerability in the popular WordPress Loginizer plugin was discovered last week that allowed attackers to carry out an SQL injection attack on websites with the brute force protection built into Loginizer activated.

As a result, WordPress took the rare step of force-updating Loginizer on millions of WordPress sites.

What is Loginizer?

With over 1 million active installations, Loginizer is one of the most popular WordPress plugins in the world.

Loginizer is a security plugin that protects WordPress sites from brute force attacks by blocking IPs trying to brute force websites for 15 minutes after three failed logins and for 24 hours after multiple lockouts.

Its free features also log failed login attempts, add IPs to a block or allow list, and allow for custom error messages on failed login attempts while paid features include adding password-less login, two factor authentication, and a CAPTCHA.

The vulnerability

The vulnerability is related to the plugin’s brute force protection feature, which logged any login attempts from unknown usernames in the WordPress site’s SQL database. The issue is that these login attempts were not being properly sanitized before being logged in the database, meaning that the plugin would send the username in an SQL query to the database as it was typed into the username field.

That means that someone could run code against the a site’s database if they logged into a WordPress site that had the Loginizer plugin installed using a username that included an SQL query.

Essentially, even someone with only basic command-line skills could completely compromise any of the millions of WordPress sites running this plugin.

WordPress force-updates Loginizer

Normally, when a security issue—even a serious one—is discovered in a WordPress plugin, WordPress leaves it to the site administrator to update their own plugins.

The reason they don’t usually force update plugins is that plugin updates can sometimes break certain users’ sites. Presumably, WordPress assumes the cost of breaking these websites is worse than that of fixing the bug.

This time, though, the vulnerability was so severe that they couldn’t take the risk and so they forced the update through on all websites running this plugin.

How to double check that you’re safe

It’s still worth double checking that you’re safe. Here’s how:

  1. Verify whether you use the Loginizer plugin
    If you do, you should see it under “Plugins” in your WordPress admin site.
  2. Check the plugin version
    You should see that you’re using version 1.6.4, which is the patched version, or later. If you see that you’re using an earlier version, UPDATE THE PLUGIN IMMEDIATELY.

Best Practices

To protect yourself more generally, we recommend the following best practices:

  1. Choose plugins that are regularly updated
  2. Activate snapshots on your Simple Hosting instance
  3. Regularly backup your entire Simple Hosting instance
  4. Follow WordPress’s security updates