Title: NOT A BUG – Security
Last modified: August 30, 2016

---

# NOT A BUG – Security

 *  Resolved [Damon](https://wordpress.org/support/users/damonlawner/)
 * (@damonlawner)
 * [10 years, 4 months ago](https://wordpress.org/support/topic/not-a-bug-security/)
 * Hello,
 * I am trying to understand the implications of the password appearing in plain
   text in the content of post in the editor.
 * Can you please explain the security model of this plugin? And how and when is`
   crypt()` used?
 * Thanks!
 * [https://wordpress.org/plugins/content-protector/](https://wordpress.org/plugins/content-protector/)

Viewing 6 replies - 1 through 6 (of 6 total)

 *  [K. Tough](https://wordpress.org/support/users/kjvtough/)
 * (@kjvtough)
 * [10 years, 4 months ago](https://wordpress.org/support/topic/not-a-bug-security/#post-6837744)
 * It’s pretty simple, actually. An Author (or anyone who has rights to edit a post)
   can add a section to a post that is password protected. It is up to that person
   to distribute the password to those who are authorized to view that content. 
   It is assumed that you are not trying to protect anything from others that have
   publishing or admin access to your site.
 *  Thread Starter [Damon](https://wordpress.org/support/users/damonlawner/)
 * (@damonlawner)
 * [10 years, 4 months ago](https://wordpress.org/support/topic/not-a-bug-security/#post-6837804)
 * Understood. Thank you.
 * Can you elaborate on how the `crypt()` function is used? How is the encryption
   algorithm used if the password is visible in plain text? In other words, is it
   that when the post is saved, the password is hashed and the hash is stored in
   the DB as well? And then when the user provides a password, it is compared to
   the hash? And the plain text one just exists in the post for reference or historical
   purposes?
 * Thanks!
 *  [K. Tough](https://wordpress.org/support/users/kjvtough/)
 * (@kjvtough)
 * [10 years, 4 months ago](https://wordpress.org/support/topic/not-a-bug-security/#post-6837819)
 * Most of that is correct. The password is stored in plaintext as part of the post
   content, the unspoken assumption here is that anyone authorized to edit a post
   with protected content is also authorized to view and edit that content. A hash
   is generated on-the-fly and is sent as part of the access form. This is what 
   the password gets compared to. This hash (and the salt used to generate the hash)
   is unique to each pageload (unless you’re caching your password hashes in the
   settings).
 *  Thread Starter [Damon](https://wordpress.org/support/users/damonlawner/)
 * (@damonlawner)
 * [10 years, 4 months ago](https://wordpress.org/support/topic/not-a-bug-security/#post-6837823)
 * Thanks so much for this information!
 * Really appreciate you taking the time to respond.
 * Thanks!
 *  [mateuriko](https://wordpress.org/support/users/mateuriko/)
 * (@mateuriko)
 * [10 years, 4 months ago](https://wordpress.org/support/topic/not-a-bug-security/#post-6837864)
 * I have a problem with the last update
 * Generally I use it in this way
 * See the error: **[»Please enter and see the ERROR«](http://sharex.me/2015/12/12/test-post/)**
 * captcha should go in the bottom of the post
 * **codes that are inserted into the post**
    ____________________________________________
 *     ```
       <strong><span style="font-family: georgia; font-size: 20px; color: black; font-weight: normal;">Testing</span></strong>
   
       <img src="http://s8.postimg.org/ajayh8lbp/demi_lovato_demi_lovato_sonrisa_demi_lovato.jpg" alt="" />
       <!--more--><img src="http://s29.postimg.org/w88dng9hj/ariana_grande_cumple_22_anos_lo_sabes_todo.jpg" alt="" />
       <code>
       <span style="color: #000000;">Testing</span></strong>
   
       [content_protector password="CAPTCHA"]
       SECRET CONTENT
       <img src="http://s13.postimg.org/5883d8yfb/ariana_grande_ariana_grande_concierto_ariana.jpg" alt="" />
       </strong>
       [/content_protector]
       ```
   
 * ____________________________________________
 * The error occurs when sending post
 * and I see the publication
 * The captcha is placed on the top of the post
 * That should not be so
 * please if you can repair the problem
 * this page is only for test
 * Now note
    shortcode that I have in over 5000 post
 * `[content_protector password="CAPTCHA"][/content_protector]`
 * and it’s not fair that my whole blog miscarry
 *  [K. Tough](https://wordpress.org/support/users/kjvtough/)
 * (@kjvtough)
 * [10 years, 4 months ago](https://wordpress.org/support/topic/not-a-bug-security/#post-6837883)
 * Hi, mateuriko.
 * If you require support, please begin a new topic and ask your questions there.
   Thank you.
 * P.S. Your bug is fixed in 2.6.2. 🙂

Viewing 6 replies - 1 through 6 (of 6 total)

The topic ‘NOT A BUG – Security’ is closed to new replies.

 * ![](https://ps.w.org/content-protector/assets/icon-256x256.png?rev=2206760)
 * [Passster - Password Protect Pages and Content](https://wordpress.org/plugins/content-protector/)
 * [Frequently Asked Questions](https://wordpress.org/plugins/content-protector/#faq)
 * [Support Threads](https://wordpress.org/support/plugin/content-protector/)
 * [Active Topics](https://wordpress.org/support/plugin/content-protector/active/)
 * [Unresolved Topics](https://wordpress.org/support/plugin/content-protector/unresolved/)
 * [Reviews](https://wordpress.org/support/plugin/content-protector/reviews/)

 * 6 replies
 * 3 participants
 * Last reply from: [K. Tough](https://wordpress.org/support/users/kjvtough/)
 * Last activity: [10 years, 4 months ago](https://wordpress.org/support/topic/not-a-bug-security/#post-6837883)
 * Status: resolved