This is a feature request for a future version of ThreeWP Activity Monitor. I would love to see the ability to disable the logging and display of failed passwords, but still retain the failed login activity item.
I see where you can disable “wp_login_failed”; however, knowing that a user from an Eastern European IP address made multiple attempts to log in as user “wordpress” is valuable info. Knowing what password they tried is more info than I need, especially with legitimate users.
On our network, only Super Admins have permission to see the activity streams, but that still gives the Super Admins too much information about the users who are trusting us with their log-in info.
Very often failed password attempts are legitimate passwords for other systems (I personally have at least 5 passwords in my mental keychain), or they might be just one typo away from the real password. We also have our login system tied into our LDAP authorization, so when the LDAP server is temporarily unreachable, that login attempt is logged as a failed attempt. Then I, as a super admin, now have access to that user’s password for his/her primary work account.
- The topic ‘[Plugin: ThreeWP Activity Monitor] Password tried == Too Much Information’ is closed to new replies.
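
An added example, not part of the original post and not ThreeWP Activity Monitor's own code: one way a WordPress site could keep the failed-login activity item (attempted username and source IP) while never reading the submitted password. The function names `example_failed_login_entry` and `example_log_failed_login` are hypothetical, and writing the entry to the PHP error log is an assumption.

```php
<?php
// Added example (hypothetical names, not ThreeWP Activity Monitor code).
// Records who tried to log in and from where; the password is never read.

/**
 * Build the log entry from an explicit allow-list of fields.
 * $_POST is deliberately not consulted, so the submitted password
 * cannot end up in the activity log.
 */
function example_failed_login_entry( $username, array $server ) {
    $ip = isset( $server['REMOTE_ADDR'] ) ? $server['REMOTE_ADDR'] : '';
    if ( false === filter_var( $ip, FILTER_VALIDATE_IP ) ) {
        $ip = 'unknown'; // missing or malformed address
    }

    return array(
        'event'    => 'login_failed',
        'time_utc' => gmdate( 'c' ),
        'username' => sanitize_user( (string) $username, true ),
        'ip'       => $ip,
    );
}

/**
 * Hook callback: log the allow-listed entry as one JSON line.
 */
function example_log_failed_login( $username ) {
    $entry = example_failed_login_entry( $username, $_SERVER );
    error_log( wp_json_encode( $entry ) );
}

// wp_login_failed passes the attempted username, not the password.
add_action( 'wp_login_failed', 'example_log_failed_login' );
```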