I’m curious. What would you do if a user chooses not to change a password?
I’d rather they didn’t have any choice if I’d had a data breach which involved passwords (which I pray will never happen, obviously).
I understand, but suppose you inform all your members of the breach and tell them that they must change passwords else they can no longer access the site. You should expect the following: some of your messages will never reach their intended recipients, for any number of reasons; and for those that do reach the intended recipients, only a certain percentage will ever change their passwords. So, my question is, how do you intend to handle the inevitable cases where certain passwords are not changed?
You might also consider the case where someone uses the same password for WordPress and for email. The hacker hijacks the email account, receives your notification and then changes the password.
No, I wasn’t intending to send out emails, although that could be a secondary option – what I wanted was a way to force ALL users to change their passwords when they try to log in. We used to have a system like this at my old workplace, and you couldn’t bypass it – you HAD to change it. It also wouldn’t allow passwords that had been previously used, or were too similar to your previous ones. Just surprised there isn’t something like this in Wordfence, as they’ve thought of so much other stuff! I’d gladly pay a bit more for it, so as to have peace of mind.
Hi @matttechmodular!
Thanks for the inquiry. What you can do in terms of “Breach Recovery Plan” is to change the salts in wp-config.php. That will automatically log out all logged-in users and force them to log in again.
What you could do is change all users’ passwords. This would force them to use the password reset function before they could log in. I’m afraid we do not have a function like that at this time. However, I have added it to our feature requests.
As per WordPress.org forum rules we are not allowed to answer any questions related to paid services here, so for information about site cleaning services please send an email to presales@wordfence.com.
Thanks!
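
The second step from the reply above (change every user's password so the reset function is the only way back in), as an added example that is not part of the thread and is not Wordfence or WordPress core code. It assumes WP-CLI is available to run the file with `wp eval-file`; the file name `force-reset.php` is hypothetical.

```php
<?php
/**
 * Added example: invalidate every account's password after a suspected breach.
 * Run once from the site root:  wp eval-file force-reset.php
 * Replace the keys and salts in wp-config.php first, as the reply describes,
 * so that existing login cookies stop validating.
 */
if ( ! defined( 'ABSPATH' ) ) {
	exit( 'Run inside WordPress, for example via "wp eval-file".' . PHP_EOL );
}

$batch  = 200; // users fetched per query, keeps memory flat on large sites
$offset = 0;
$done   = 0;

do {
	// On multisite this returns only the current site's users.
	$ids = get_users(
		array(
			'fields'  => 'ID',
			'number'  => $batch,
			'offset'  => $offset,
			'orderby' => 'ID',
			'order'   => 'ASC',
		)
	);

	foreach ( $ids as $id ) {
		$id = (int) $id;

		// Store a hash of a long random value that is never shown or saved,
		// so the old (possibly leaked) password no longer matches.
		wp_set_password( wp_generate_password( 64, true, true ), $id );

		// Drop the user's server-side session tokens as well.
		WP_Session_Tokens::get_instance( $id )->destroy_all();

		$done++;
	}

	$offset += $batch;
} while ( count( $ids ) === $batch );

printf( "Reset %d accounts; each must use the password reset function to log in.\n", $done );
```

The reset link is delivered to the account's registered email address, so the shared email password case raised earlier in the thread is not covered by this step.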