WordPress sites using the WPS Hide Login plugin, which currently number over one million, are at risk of being compromised by hackers…
WordPress remains one of the most popular and widely used CMS products on the internet. In fact, it’s behind some of the biggest and most recognizable names on the web, which makes it a prime target for hackers and cyber-criminals. Because it’s open-source, there’s ample opportunity to exploit it. Now there’s a new threat that, ironically, undoes the core functionality of one plugin.
WPS Hide Login Plugin Vulnerability Discovered
The vulnerability exists in the popular WPS Hide Login plugin, which is used by more than one million sites. It was first discovered and reported by a user who posted the discovery on WordPress.org’s support forum. Basically, it defeats the plugin by exposing a site’s administration login page, the very page the plugin is designed to hide to keep it from being exploited.
Site owners conceal their admin login pages to prevent hackers and other threat actors from breaking into the backend, where all kinds of nefarious mischief can be unleashed. Once hackers are inside the site, they can not only take control of it but also shut it down. It’s also possible to steal sensitive information. Fortunately, the creator of the plugin, Nicolas Kulka, has now fixed the issue. Any site running the plugin is urged to update to version 1.9.1 immediately.