ThreeWP Activity Monitor
Password tried == Too Much Information (4 posts)

  1. Michael
    Member
    Posted 2 years ago #

    This is a feature request for a future version of ThreeWP Activity Monitor. I would love to see the ability to disable the logging and display of failed passwords, but still retain the failed login activity item.

    I see where you can disable "wp_login_failed"; however, knowing that a user from an Eastern European IP address made multiple attempts to log in as user "wordpress" is valuable info. Knowing what password they tried is more info than I need, especially with legitimate users.

    On our network, only Super Admins have permission to see the activity streams, but that still gives the Super Admins too much information about the users who are trusting us with their log-in info.

    Very often failed password attempts are legitimate passwords for other systems (I personally have at least 5 passwords in my mental keychain), or they might be just one typo away from the real password. We also have our login system tied into our LDAP authorization, so when the LDAP server is temporarily unreachable, that login attempt is logged as a failed attempt. Then I, as a super admin, now have access to that user's password for his/her primary work account.

    Michael

    http://wordpress.org/extend/plugins/threewp-activity-monitor/

  2. Ov3rfly
    Member
    Posted 2 years ago #

    Had the same problem. Wanted to see failed logins, but not the password.

    Solved it with a small patch in file ThreeWP_Activity_Monitor.php v2.3

    Old line 571:

    $this->_( 'Password tried' ) => esc_html( $_POST['pwd'] ),

    New line 571:

    $this->_( 'Password tried' ) => esc_html( '[n/a]' ),

  3. Michael
    Member
    Posted 2 years ago #

    Thank you for pinpointing the line I would need to change, Ov3rfly.

    I will wait a few days to see if there is any response from the plugin author. Then I will probably see if I can write a mini plugin to remove the "wp_login_failed" filter and add a function with the patched value.

  4. edward mindreantre
    Member
    Plugin Author

    Posted 2 years ago #

    I guess there should be an option for this..

    I'll have a look at it for v2.5
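
The logging half of the mini plugin idea from post 3, as an added example that is not code from any poster or from ThreeWP Activity Monitor: a `wp_login_failed` handler that records who tried to log in and from where, with no code path that reads `$_POST['pwd']`. The `example_*` names are hypothetical, and it does not unhook the plugin's own handler, whose callback name is not given in this thread.

```php
<?php
// Added example, not ThreeWP Activity Monitor code. The example_* names are
// hypothetical; wp_login_failed and add_action() are WordPress core.

/**
 * Build the record for one failed login. The password is not a parameter,
 * so it cannot end up in the log or in an admin's activity stream.
 */
function example_failed_login_entry( $username, array $server ) {
	// Strip control characters so a crafted username cannot forge log lines,
	// and cap the length (WordPress user_login values are at most 60 chars).
	$user = preg_replace( '/[\x00-\x1F\x7F]/', '', (string) $username );
	return array(
		'event' => 'wp_login_failed',
		'time'  => gmdate( 'c' ),
		'user'  => substr( $user, 0, 60 ),
		'ip'    => isset( $server['REMOTE_ADDR'] ) ? $server['REMOTE_ADDR'] : 'unknown',
	);
}

// Callback for the wp_login_failed action, which passes the attempted username.
function example_log_failed_login( $username ) {
	error_log( 'login-audit ' . json_encode( example_failed_login_entry( $username, $_SERVER ) ) );
}

if ( function_exists( 'add_action' ) ) {
	// Running inside WordPress: register the hook.
	add_action( 'wp_login_failed', 'example_log_failed_login' );
} else {
	// Stand-alone run with constructed input (documentation IP range).
	$entry = example_failed_login_entry( "wordpress\nfake line", array( 'REMOTE_ADDR' => '203.0.113.7' ) );
	echo json_encode( $entry ), "\n";
}
```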

Topic Closed

This topic has been closed to new replies.