Viewing 1 replies (of 1 total)
  • Plugin Author WPChef

    (@wpchefgadget)

We were contacted about this issue a while ago. The problem is this “vulnerability” can’t really be fixed. The only way to avoid it is to have your server detect IP addresses correctly so you don’t have to use the “Trusted IP Origins” setting of the plugin. Unfortunately, a lot of servers don’t detect IPs as they should, so people have to specify custom IP origins; otherwise all the users would have the same IP and get blocked constantly. We had two options: remove the “Trusted IP Origins” field completely and make it impossible for a lot of users to limit login attempts, or leave it as is but annotate it with a warning (“We strongly recommend that you do not use anything other than REMOTE_ADDR since other origins can be easily faked.”). We picked the lesser evil and kept the latter option so people on “bad” servers could at least defend against non-spoofed brute-force attacks instead of not having any protection at all.

  • The topic ‘Security Vulnerability – DOS through IP spoofing’ is closed to new replies.
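The trade-off the author describes (REMOTE_ADDR is safe but wrong behind a proxy; a forwarded header is right behind a proxy but forgeable) can be narrowed by trusting the header only when the TCP peer is a known reverse proxy. The following is an added example, not the plugin's code; the function names, the proxy address and the request arrays are constructed for illustration.

```php
<?php
// Added example (not the plugin's code): resolve the client IP for a
// login-attempt limiter without trusting a forwarded header blindly.
// The configured origin header is honoured only when the TCP peer
// (REMOTE_ADDR) is one of our own reverse proxies.
function resolve_client_ip(array $server, string $origin, array $trusted_proxies): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if ($origin === 'REMOTE_ADDR' || !in_array($peer, $trusted_proxies, true)) {
        return $peer;                 // direct connection: header is attacker-controlled
    }
    $raw = $server[$origin] ?? '';
    // X-Forwarded-For reads "client, proxy1, proxy2". Walk right to left and
    // skip our own proxies so a client-supplied prefix cannot be picked.
    $hops = array_map('trim', explode(',', $raw));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        $hop = $hops[$i];
        if (in_array($hop, $trusted_proxies, true)) {
            continue;
        }
        if (filter_var($hop, FILTER_VALIDATE_IP) !== false) {
            return $hop;
        }
        break;                        // malformed entry: fall back to the peer
    }
    return $peer;
}

// The weak behaviour the warning in the post is about: the header always wins,
// so anyone connecting directly can choose which address gets counted or blocked.
function naive_client_ip(array $server, string $origin): string
{
    return $server[$origin] ?? $server['REMOTE_ADDR'];
}

// Constructed requests (assumed values). 10.0.0.5 is our reverse proxy.
$proxies   = ['10.0.0.5'];
$via_proxy = ['REMOTE_ADDR' => '10.0.0.5',
              'HTTP_X_FORWARDED_FOR' => '198.51.100.7, 10.0.0.5'];
$spoofed   = ['REMOTE_ADDR' => '203.0.113.9',          // connects directly
              'HTTP_X_FORWARDED_FOR' => '192.0.2.1'];  // claims another address

foreach (['via proxy' => $via_proxy, 'direct+spoofed header' => $spoofed] as $label => $req) {
    printf("%-22s naive=%-14s resolved=%s\n", $label,
        naive_client_ip($req, 'HTTP_X_FORWARDED_FOR'),
        resolve_client_ip($req, 'HTTP_X_FORWARDED_FOR', $proxies));
}
```

For the direct request the resolver falls back to REMOTE_ADDR and the forged header is ignored, while the request relayed by the proxy still yields the real client address.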