Moderator
t-p
(@t-p)
Install the Wordfence plugin and scan your site.
Wordfence Premium is installed and active. Its scan is clean. This will not prevent the email from being sent out by WordPress 5.2, I believe.
Moderator
t-p
(@t-p)
To rule out any plugin or theme conflict, please attempt to disable all plugins, and use one of the default (Twenty*) themes. If the problem goes away, enable them one by one to identify the source of your troubles.
If you can install plugins, install “Health Check”: https://wordpress.org/plugins/health-check/ On the troubleshooting tab, you can click the button to disable all plugins and change the theme for you, while you’re still logged in, without affecting normal visitors to your site.
Thank you for your thoughts. The issue is the new WordPress generated email, not a site issue. The WordPress email should not contain a WP Admin User ID and Password.
This site has no security issues. The email is being triggered because of an intentional firewall restriction that this site has in place. So, it is a false positive.
I just need to stop the WordPress generated email, or at least keep it from sending the id and password out in plain text email.
This is line 95 and it does not include the actual ID and password, just variables to hold them.
https://github.com/WordPress/WordPress/blob/master/wp-includes/user.php#L95
Are you actually seeing an ID and password in the email?
Hmmm… the #3 indicates you might be showing a stack trace, and then it might actually show the parameters passed. If so, that should probably be reported to the developers via core.trac.wordpress.org. Would you mind creating a ticket there?
Before you do that, can you post the full stack trace here? Feel free to remove the username and password or any other sensitive information you find in it.
Error Details
=============
An error of type E_ERROR was caused in line 356 of the file /home/homedirectory/public_html/wp-content/plugins/wordfence/modules/login-security/classes/controller/wordfencels.php. Error message: Uncaught Error: Class 'WordfenceLS\Controller_Whitelist' not found in /home/homedirectory/public_html/wp-content/plugins/wordfence/modules/login-security/classes/controller/wordfencels.php:356
Stack trace:
#0 /home/homedirectory/public_html/wp-includes/class-wp-hook.php(286): WordfenceLS\Controller_WordfenceLS->_authenticate(Object(WP_User), 'WPAdminID', 'WPPassword')
#1 /home/homedirectory/public_html/wp-includes/plugin.php(208): WP_Hook->apply_filters(Object(WP_User), Array)
#2 /home/homedirectory/public_html/wp-includes/pluggable.php(539): apply_filters('authenticate', NULL, 'WPAdminID', 'WPPassword')
#3 /home/homedirectory/public_html/wp-includes/user.php(95): wp_authenticate('WPAdminID', 'WPPassword')
#4 /home/homedirectory/public_html/wp-login.php(934): wp_signon(Array, true)
#5 {main}
thrown
“homedirectory”, “WPAdminID” and “WPPassword” above have been replaced with placeholders. They are the real/actual site’s home directory, WordPress Admin ID and WordPress Admin Password in the real stack trace.
Thanks for the stack trace.
The error in question is caused by the Wordfence plugin, you should email them about that and see if they can get a fix in.
The security team is also discussing this internally. See, WordPress cannot generate this kind of error by itself, as it cannot generate a PHP error in the default authentication process. So, it doesn’t have a security issue in that respect. However, other plugins can insert themselves into the login process, and if they cause an error in that process, then yes, the stack trace would contain the username and password. Options are being considered for potentially modifying this behavior; however, it is not a flaw in WordPress itself, it can only happen with a plugin causing an error at the right time.
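The leak discussed in this thread and one way to avoid it, as an added example that is not part of the thread and is not WordPress or Wordfence code: a failing callback in a login chain puts the credentials into the default trace, and a report built from the frames without their arguments does not. The `demo_*` functions, `trace_without_args()` and the credential strings are hypothetical and constructed for illustration.

```php
<?php
// Added example. All names below are hypothetical stand-ins, not WordPress or Wordfence code.

// Stand-in for a plugin callback hooked into the login flow that hits a fatal error.
function demo_plugin_authenticate($user, $username, $password) {
    throw new Error("Class 'Demo\\Missing' not found");
}

// Stand-in for the sign-on call that passes the credentials down the chain.
function demo_signon($username, $password) {
    return demo_plugin_authenticate(null, $username, $password);
}

// Format a trace in the style of getTraceAsString(), but never render argument values.
function trace_without_args(Throwable $e): string {
    $lines = [];
    foreach ($e->getTrace() as $i => $frame) {
        $where = isset($frame['file'])
            ? $frame['file'] . '(' . $frame['line'] . ')'
            : '[internal function]';
        $call = ($frame['class'] ?? '') . ($frame['type'] ?? '') . $frame['function'];
        $lines[] = "#$i $where: $call()";
    }
    $lines[] = '#' . count($lines) . ' {main}';
    return implode("\n", $lines);
}

// Keep the leak reproducible here even if php.ini already hides arguments (PHP 7.4+ setting).
ini_set('zend.exception_ignore_args', '0');

try {
    demo_signon('demo-admin', 'demo-secret'); // constructed credentials
} catch (Throwable $e) {
    $raw  = $e->getTraceAsString();  // what an unfiltered error report would carry
    $safe = trace_without_args($e);  // what can be emailed or logged

    echo "Default trace:\n$raw\n\nArgument-free trace:\n$safe\n\n";
    // Does each version of the trace contain the password?
    var_dump(strpos($raw, 'demo-secret') !== false);
    var_dump(strpos($safe, 'demo-secret') !== false);
}
```

On PHP 7.4 and later, setting `zend.exception_ignore_args = On` in php.ini drops arguments from every trace at the source, so the default trace no longer carries them either.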