• Resolved SmileWP

    (@anotheropus)


    Hello,

    We failed our recent, monthly PCI scan–apparently due to the Profile Builder Password field.

    It appears that the Profile Builder Pro Password field allows auto completion (browsers caching/remembering the password).

    In order for all Profile Builder Pro users to pass PCI scanning every time, this password field must have ‘autocomplete=off’ set.

    While this is a user convenience I personally enjoy–the PCI standards won’t allow it.

    An *easy* way to resolve this would be to enable an Autocomplete on/off checkbox in the admin settings.

    Thank you for your help with this.

    Chris

    https://wordpress.org/plugins/profile-builder/

Viewing 4 replies - 1 through 4 (of 4 total)
  • Hi,

    Can you please submit a support ticket here with this issue?

    I will wait for your ticket.

    Best regards,

    Thread Starter SmileWP

    (@anotheropus)

    Thank you for the support Teodor.

    I’ve sent a support ticket at the link.

    Warmest,

    Chris

    Thread Starter SmileWP

    (@anotheropus)

    Hello,

    It seems like this function/plugin can do what is required for PCI compliance:

    https://buzelac.com/2014/10/disabling-wordpress-login-password-autocomplete/

    Can you give me the modification of this code which will apply it to the ProfileBuilder login pages?

    Thank you,

    Chris

    Plugin Author Razvan Mocanu

    (@razvanmo-1)

    Hello,
    The provided link shows you how to add the autocomplete attribute to the default WP forms.

    To set the autocomplete attribute to “off” for Profile Builder login forms you can use the following jQuery instructions:

    // Once the DOM is ready, set autocomplete="off" on the login form and its two fields.
    jQuery( document ).ready(function() {
    	jQuery( "#loginform" ).attr('autocomplete', 'off');
    	jQuery( "#user_login" ).attr('autocomplete', 'off');
    	jQuery( "#user_pass" ).attr('autocomplete', 'off');
    });

    To enqueue this code to your site, you can create an empty plugin, and add the following code to the end of it:

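    // Load wppbc_autocomplete_off.js on front-end pages. The script calls jQuery,
    // so jQuery is declared as a dependency and is loaded first.
    function wppbc_autocomplete_off() {
    	wp_enqueue_script( 'wppbc_autocomplete_off', plugins_url('wppbc_autocomplete_off.js', __FILE__), array( 'jquery' ) );
    }
    add_action( 'wp_enqueue_scripts', 'wppbc_autocomplete_off' );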

    Then add the above jQuery code to a file named wppbc_autocomplete_off.js, and place it in the same folder as the php file.

    Install this plugin via FTP (copy it inside wp-content/plugins) or create a zip archive with it and install it via the WordPress plugin upload functionality.
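
An added example, not part of the original thread or the plugin's code: a Python check that lists the password fields in a page's served markup whose effective autocomplete setting is not "off". A scanner that does not execute JavaScript sees only this served markup. The sample HTML and the names `audit` and `PasswordAutocompleteAudit` are constructed for illustration, reusing the element ids from the reply above.

```python
from html.parser import HTMLParser

# Constructed samples using the element ids from the reply above.
SERVED = """<form id="loginform" method="post">
<input type="text" name="log" id="user_login">
<input type="password" name="pwd" id="user_pass">
</form>"""
# The same form with the attribute present in the markup itself.
HARDENED = """<form id="loginform" method="post" autocomplete="off">
<input type="text" name="log" id="user_login" autocomplete="off">
<input type="password" name="pwd" id="user_pass" autocomplete="off">
</form>"""
# Form-level "off" overridden by a field-level value.
OVERRIDDEN = """<form id="loginform" autocomplete="off">
<input type="password" name="pwd" id="user_pass" autocomplete="current-password" />
</form>"""


class PasswordAutocompleteAudit(HTMLParser):
    """Collect password inputs whose effective autocomplete is not "off"."""

    def __init__(self):
        super().__init__()
        self.form_setting = None  # autocomplete value of the enclosing <form>
        self.findings = []        # (field id or name, effective value)

    def handle_starttag(self, tag, attrs):
        a = {name: (value or "") for name, value in attrs}
        own = a.get("autocomplete", "").strip().lower()
        if tag == "form":
            self.form_setting = own or None
        elif tag == "input" and a.get("type", "").strip().lower() == "password":
            # The field's own attribute wins; otherwise it inherits the form's,
            # and with neither present the browser default is "on".
            effective = own or self.form_setting or "on"
            if effective != "off":
                self.findings.append((a.get("id") or a.get("name") or "?", effective))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_setting = None


def audit(html):
    """Return a list of (field, effective autocomplete) for flagged password inputs."""
    parser = PasswordAutocompleteAudit()
    parser.feed(html)
    parser.close()
    return parser.findings
```

Run `audit()` on the HTML saved from the login page response to see what a markup-only scan would report.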

  • The topic ‘PCI vulnerability for password field autocomplete=off’ is closed to new replies.