All In One Login — WP Admin Login Page Security and Customization with Google reCAPTCHA, Social Login, Limit Login Attempt, 2FA, and more. Security & Risk Analysis

The "change-wp-admin-login" plugin, version 2.1.1, exhibits a generally strong security posture based on static analysis. A significant positive aspect is the complete absence of unprotected entry points across its REST API routes and AJAX handlers. Furthermore, all SQL queries are secured using prepared statements, and a high percentage of output is properly escaped, indicating good development practices in preventing common web vulnerabilities. The plugin also demonstrates diligent use of nonces and capability checks. However, the presence of two external HTTP requests warrants careful review to ensure these connections are not exploited for data exfiltration or other malicious purposes. The plugin also bundles Freemius and DataTables, which should be monitored for their own security vulnerabilities.

Despite the current static analysis showing no critical or high severity issues, the plugin's vulnerability history is a significant concern. With three previously discovered medium severity vulnerabilities, all of which are now patched, it indicates a pattern of weaknesses that have required remediation. The common vulnerability types of "Protection Mechanism Failure" and "Incorrect Authorization" suggest that the plugin's core security features have been susceptible to bypass or misconfiguration in the past. While the current version has no unpatched vulnerabilities, this historical pattern necessitates ongoing vigilance and a proactive approach to security updates, as past issues can sometimes resurface or be exploited in new ways.