WP-Safety

DoLogin Security Security & Risk Analysis

wordpress.org/plugins/dologin

Easy Login. 2FA login. Passwordless login. Cloudflare Turnstile reCAPTCHA. GeoLocation (Continent/Country/City)/IP range to limit login attempts.

7K active installs v4.3 PHP + WP 4.0+ Updated Jun 11, 2025
2fa-logincloudflare-turnstile-recaptchaeasy-logingeolocation-login-limitlogin-security
98
A · Safe
CVEs total4
Unpatched0
Last CVEOct 24, 2023
Download
Safety Verdict

Is DoLogin Security Safe to Use in 2026?

Generally Safe

Score 98/100

DoLogin Security has a strong security track record. Known vulnerabilities have been patched promptly.

4 known CVEsLast CVE: Oct 24, 2023Updated 9mo ago
Risk Assessment

The "dologin" v4.3 plugin presents a mixed security posture. While it shows strengths in its SQL query handling, with a high percentage of prepared statements, and a lack of bundled libraries, several concerning areas emerge from the static analysis and historical vulnerability data. The significant number of flows with unsanitized paths, particularly those flagged as high severity in the taint analysis, alongside a considerable portion of output not being properly escaped, indicates a high risk of cross-site scripting (XSS) and other injection vulnerabilities. Furthermore, the presence of REST API routes without permission callbacks creates direct attack vectors that could be leveraged by unauthenticated users. The plugin's history of four known CVEs, including a high-severity one, across common vulnerability types like Missing Authorization and XSS, suggests a recurring pattern of insecure coding practices. Despite the absence of currently unpatched CVEs, the ongoing risk associated with these historical issues and the identified static analysis concerns warrants caution. The combination of unprotected entry points and a history of security flaws necessitates careful consideration before deployment.

Key Concerns

  • High severity taint flows
  • Unsanitized paths
  • Low percentage of properly escaped output
  • REST API routes without permission callbacks
  • Presence of high severity past CVE
  • History of medium severity past CVEs
Vulnerabilities
4

DoLogin Security Security Vulnerabilities

CVEs by Year

4 CVEs in 2023
2023
Patched Has unpatched

Severity Breakdown

High
1
Medium
3

4 total CVEs

CVE-2023-46608medium · 6.5Missing Authorization

DoLogin Security <= 3.7.1 - Missing Authorization via REST Endpoints

Oct 24, 2023 Patched in 3.8 (151d)
CVE-2023-4800medium · 4.3Missing Authorization

DoLogin Security <= 3.7 - Missing Authorization on Dashboard Widget

Sep 14, 2023 Patched in 3.7.1 (131d)
CVE-2023-4549high · 7.2Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

DoLogin Security <= 3.6 - Unauthenticated Stored Cross-Site Scripting

Aug 28, 2023 Patched in 3.7 (148d)
CVE-2023-4631medium · 5.3Use of Less Trusted Source

DoLogin Security <= 3.6 - IP Address Spoofing

Aug 21, 2023 Patched in 3.7 (155d)
Code Analysis
Analyzed Mar 16, 2026

DoLogin Security Code Analysis

Dangerous Functions
0
Raw SQL Queries
5
55 prepared
Unescaped Output
161
5 escaped
Nonce Checks
3
Capability Checks
6
File Operations
5
External Requests
5
Bundled Libraries
0

SQL Query Safety

92% prepared60 total queries

Output Escaping

3% escaped166 total outputs
Data Flows
18 unsanitized

Data Flow Analysis

23 flows18 with unsanitized paths
_install_3rd (src\installer.cls.php:18)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface
2 unprotected

DoLogin Security Attack Surface

Entry Points4
Unprotected2

REST API Routes 4

GET/wp-json/dologin/v1/myipsrc\rest.cls.php:34
POST/wp-json/dologin/v1/2fasrc\rest.cls.php:42
POST/wp-json/dologin/v1/smssrc\rest.cls.php:48
POST/wp-json/dologin/v1/test_smssrc\rest.cls.php:54
WordPress Hooks 32
actionadmin_menusrc\admin.cls.php:18
filterplugin_action_links_dologin/dologin.phpsrc\admin.cls.php:19
actionadmin_initsrc\admin.cls.php:20
actionadmin_enqueue_scriptssrc\admin.cls.php:22
actionwp_dashboard_setupsrc\admin.cls.php:24
filteruser_contactmethodssrc\admin.cls.php:68
filtermanage_users_columnssrc\admin.cls.php:69
filtermanage_users_custom_columnsrc\admin.cls.php:70
actionadmin_noticessrc\admin.cls.php:72
actionlogin_headsrc\auth.cls.php:34
filterauthenticatesrc\auth.cls.php:35
filterregister_new_usersrc\auth.cls.php:37
filterregistration_errorssrc\auth.cls.php:40
filterlostpassword_errorssrc\auth.cls.php:41
filterauthenticatesrc\auth.cls.php:44
actionwp_login_failedsrc\auth.cls.php:50
actioninitsrc\auth.cls.php:54
filterxmlrpc_login_errorsrc\auth.cls.php:58
actionlogin_messagesrc\gui.cls.php:24
actionlogin_enqueue_scriptssrc\gui.cls.php:26
actionregister_formsrc\gui.cls.php:29
actionlostpassword_formsrc\gui.cls.php:31
actionlogin_formsrc\gui.cls.php:34
actionwoocommerce_login_formsrc\gui.cls.php:36
actionwoocommerce_login_formsrc\gui.cls.php:37
actionplugins_loadedsrc\lang.cls.php:16
actioninitsrc\pswdless.cls.php:28
actionrest_api_initsrc\rest.cls.php:23
actioninitsrc\router.cls.php:35
actioninitsrc\site.cls.php:32
actioninitsrc\site.cls.php:36
filterauto_update_pluginsrc\util.cls.php:19
Maintenance & Trust

DoLogin Security Maintenance & Trust

Maintenance Signals

WordPress version tested6.8.5
Last updatedJun 11, 2025
PHP min version
Downloads163K

Community Trust

Rating90/100
Number of ratings13
Active installs7K
Alternatives

DoLogin Security Alternatives

Limit Login Attempts Reloaded – Login Security, Brute Force Protection, Firewall

Limit Login Attempts Reloaded – Login Security, Brute Force Protection, Firewall

limit-login-attempts-reloaded

A
98

Block excessive login attempts and protect your site against brute force attacks. Simple, yet powerful tools to improve site performance.

2.0M 4 CVEs
All-In-One Security (AIOS) – Security and Firewall

All-In-One Security (AIOS) – Security and Firewall

all-in-one-wp-security-and-firewall

A
93

Protect your website investment with All-In-One Security (AIOS) – a comprehensive and easy to use security plugin designed especially for WordPress.

1.0M 26 CVEs
Defender Security – Malware Scanner, Login Security & Firewall

Defender Security – Malware Scanner, Login Security & Firewall

defender-security

A
96

WordPress security plugin with malware scanner, IP blocking, audit logs, antivirus scans, firewall, 2FA, brute force login security, and more.

90K 7 CVEs
Wordfence Login Security

Wordfence Login Security

wordfence-login-security

A
92

Secure your website with Wordfence Login Security, providing two-factor authentication, login and registration CAPTCHA, and XML-RPC protection.

70K No CVEs
BulletProof Security

BulletProof Security

bulletproof-security

A
89

WordPress Security Protection: Malware scanner, Firewall, Login Security, DB Backup, Anti-Spam...

30K 12 CVEs
Developer Profile

DoLogin Security Developer Profile

WPDO

6 plugins · 8K total installs

76
trust score
Avg Security Score
95/100
Avg Patch Time
146 days
View full developer profile
Detection Fingerprints

How We Detect DoLogin Security

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/dologin/assets/login.css/wp-content/plugins/dologin/assets/login.js/wp-content/plugins/dologin/assets/admin.js
Script Paths
https://challenges.cloudflare.com/turnstile/v0/api.js
Version Parameters
dologin/assets/login.css?ver=dologin/assets/login.js?ver=dologin/assets/admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
cf-turnstiledologin-logodologin-processdologin-process-msg
Data Attributes
data-sitekey
JS Globals
dologindologin_admin
REST Endpoints
/wp-json/dologin/v1/2fa/wp-json/dologin/v1/sms/wp-json/dologin/v1/test_sms/wp-json/dologin/v1/myip
Shortcode Output
<img src="assets/shield.svg"class="dologin-logo"style="max-width:50px;max-height:37px;">
FAQ

Frequently Asked Questions about DoLogin Security