ThreeWP Activity Monitor
[resolved] privacy issue: login failed password should NOT be shown! (3 posts)

  1. crysman
    Member
    Posted 8 months ago #

    When wp_login_failed option is enabled, the password entered is shown to admins:

    <some_username> tried to log in to <some_WP_site>
    Password tried aaa
    IP some.ip.address | 12.34.567.89
    User agent Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:22.0) Gecko/20100101 Firefox/22.0

    I do not like it. Admins should NOT see what users entered - this is Big Brother. They should see there was a fail on login due to incorrect password, indeed, but not the password itself.

    I am suggesting adding an option (checkbox) "do not log the password entered" or something like that.

    http://wordpress.org/plugins/threewp-activity-monitor/

  2. Ov3rfly
    Member
    Posted 8 months ago #

    See section "Misc" in ThreeWP Activity Monitor "Settings" tab...

    You could set "Password length" e.g. to "1", so failed logins are logged but you only see the first character.

  3. crysman
    Member
    Posted 8 months ago #

    OK, haven't seen that option in "Misc"... thanks.

    In any event, I would add this hint to the relevant place in the "Activities" tab. Right now, there is this text:

    Logs the password the user tried to login with.
    Logs sensitive information.

    There could be something like this instead:

    Logs the password the user tried to login with.
    The logged password length may be set in "Settings -> Misc".
    Logs sensitive information.
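
An added example, not part of the thread and not ThreeWP Activity Monitor's code: one way to record a failed login on WordPress's `wp_login_failed` action with the username, reason, IP and user agent but no part of the password. The `example_*` function names and the log field names are hypothetical.

```php
<?php
/**
 * Added example (not part of ThreeWP Activity Monitor): record failed
 * logins without ever reading the submitted password.
 */

// Hypothetical helper: strip control characters and cap the length so
// attacker-controlled values cannot forge or flood log lines.
function example_clean_log_field( $value, $max = 200 ) {
    $value = preg_replace( '/[\x00-\x1F\x7F]+/', ' ', (string) $value );
    return substr( trim( $value ), 0, $max );
}

// wp_login_failed passes the username; WordPress 5.4+ also passes a WP_Error.
function example_log_failed_login( $username, $error = null ) {
    $entry = array(
        'event'      => 'login_failed',
        'time'       => gmdate( 'c' ),
        'username'   => example_clean_log_field( $username, 60 ),
        'reason'     => is_wp_error( $error ) ? $error->get_error_code() : 'unknown',
        'ip'         => example_clean_log_field( isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '', 45 ),
        'user_agent' => example_clean_log_field( isset( $_SERVER['HTTP_USER_AGENT'] ) ? $_SERVER['HTTP_USER_AGENT'] : '' ),
    );
    // $_POST['pwd'] is deliberately never touched: a mistyped password is
    // usually close to the real one, so no part of it belongs in a log.
    error_log( wp_json_encode( $entry ) );
}
add_action( 'wp_login_failed', 'example_log_failed_login', 10, 2 );
```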
