The popular WordPress security plugin WPS Hide Login was found to have a vulnerability. The vulnerability was patched as soon as it was discovered.
The WordPress Vulnerability Database describes the update like this:
“fixed a vulnerability in version 220.127.116.11 and below that could allow an attacker to find and access the secret login page.”
What Is the WPS Hide Login Vulnerability?
WPS Hide Login is a WordPress plugin that moves the admin login page to a secret URL. Because the login page is no longer at its well-known location, hackers cannot target it with a brute-force password guessing attack.
The vulnerability allows a hacker to make the plugin reveal the URL of the hidden login page. Once the URL is known, the hacker can begin the password guessing attack the plugin was meant to prevent.
Versions Prior to 1.5.5 Affected
This vulnerability affects plugin versions prior to 1.5.5. All users of the plugin are urged to update to version 1.5.5 right away.
How the Vulnerability Was Discovered
A web application firewall publisher, NinTechNet, discovered the vulnerability on January 20, 2020. They communicated the problem to the developers at WPS Hide Login who promptly closed the vulnerability the same day.
NinTechNet.com published an account of the discovery after the plugin was updated.
WPS Hide Login Changelog
Every WordPress plugin communicates the contents of its updates through a formal log called a changelog. A web publisher can check the changelog from the WordPress plugin dashboard and decide whether an update is important or not.
Some updates can break a site so some admins may choose to not update unless it’s for something critical.
Ideally, software makers should at the very least communicate how important an update is, and at most just come out and say that it is patching a vulnerability.
This update is important because the vulnerability compromises the ability of WPS Hide Login to do the one thing it is supposed to do: hide the admin login page.
Is it unreasonable to believe that should be communicated within the changelog?
Here is a screenshot of the changelog for WPS Hide Login:
As you can see in the screenshot, there is no mention of what the update addresses nor any hint at the importance of the update.
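Since the article's point is that the changelog gives an admin no way to tell a security update from a routine one, here is an added example (not code from the article or from the WPS Hide Login project) of how an admin could check for themselves. It parses a plugin readme.txt in the WordPress.org format, compares the installed version against the patched release (1.5.5, the version the article says to update to), and reports whether the changelog entry for the latest release mentions security at all. The readme contents below are constructed for illustration and are not the real WPS Hide Login changelog; the plugin name and the 1.5.4 entry are invented.

```python
"""Check a WordPress plugin readme.txt changelog for a security update.

Added example, not part of the article or the WPS Hide Login project.
Assumptions: the readme follows the WordPress.org plugin format
(a 'Stable tag:' header line and a '== Changelog ==' section whose
entries are '= <version> =' headings followed by bullet lines).
"""
import re

# Constructed sample readme.txt. The plugin name and the notes are made up;
# only the patched version number 1.5.5 comes from the article.
SAMPLE_README = """\
=== Example Hide Login ===
Stable tag: 1.5.5

== Changelog ==

= 1.5.5 =
* Fixes

= 1.5.4 =
* Security fix: prevent disclosure of the hidden login URL
* Compatibility with WordPress 5.3
"""

PATCHED_VERSION = "1.5.5"  # the release the article says users must move to
# Substrings that suggest a changelog entry describes a security fix.
SECURITY_WORDS = ("security", "vulnerab", "disclos", "xss", "csrf", "exploit")


def parse_version(version):
    """Split '1.5.4.2' into [1, 5, 4, 2]; non-numeric parts are ignored."""
    return [int(part) for part in re.findall(r"\d+", version)]


def version_lt(a, b):
    """True if version a is older than version b (1.5 and 1.5.0 are equal)."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += [0] * (width - len(pa))
    pb += [0] * (width - len(pb))
    return pa < pb


def stable_tag(readme_text):
    """Return the 'Stable tag' value, i.e. the latest released version."""
    match = re.search(r"^Stable tag:\s*(\S+)", readme_text, re.M)
    return match.group(1) if match else None


def parse_changelog(readme_text):
    """Map each changelog version heading to its list of note lines."""
    section = re.search(r"^==\s*Changelog\s*==\s*$(.*?)(?=^==\s|\Z)",
                        readme_text, re.M | re.S)
    if not section:
        return {}
    entries, current = {}, None
    for line in section.group(1).splitlines():
        heading = re.match(r"^=\s*([^=]+?)\s*=\s*$", line)
        if heading:
            current = heading.group(1).strip()
            entries[current] = []
        elif current and line.strip():
            entries[current].append(line.strip().lstrip("*- ").strip())
    return entries


def mentions_security(notes):
    """True if any note line contains a security-related keyword."""
    text = " ".join(notes).lower()
    return any(word in text for word in SECURITY_WORDS)


def assess(readme_text, installed_version):
    """Summarise whether an update is needed and how the changelog describes it."""
    latest = stable_tag(readme_text)
    changelog = parse_changelog(readme_text)
    latest_notes = changelog.get(latest, [])
    return {
        "installed": installed_version,
        "latest": latest,
        "update_needed": version_lt(installed_version, latest) if latest else None,
        "below_patched_release": version_lt(installed_version, PATCHED_VERSION),
        "latest_notes": latest_notes,
        "latest_mentions_security": mentions_security(latest_notes),
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_README, "1.5.4.2").items():
        print(f"{key}: {value}")
```

Run against the constructed readme with an installed version of 1.5.4.2, the report says an update is needed but that the 1.5.5 entry ("Fixes") gives no security signal, which is exactly the gap the article complains about; the keyword check is only a heuristic, so a silent entry like this one is a reason to look at the vendor's advisory rather than a reason to skip the update.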
WPS Hide Login Responded Responsibly
WPS Hide Login acted responsibly by swiftly patching the plugin. But it would be useful if they took the extra step of communicating the importance of an update whenever it involves a security vulnerability.