ThreeWP Activity Monitor
[resolved] privacy issue: login failed password should NOT be shown! (3 posts)

  1. crysman
    Posted 3 years ago #

    When the wp_login_failed option is enabled, the password entered is shown to admins:

    <some_username> tried to log in to <some_WP_site>
    Password tried aaa
    IP some.ip.address | 12.34.567.89
    User agent Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:22.0) Gecko/20100101 Firefox/22.0

    I do not like it. Admins should NOT see what users entered - this is Big Brother. They should see there was a fail on login due to incorrect password, indeed, but not the password itself.

    I am suggesting adding an option (checkbox) "do not log the password entered" or something like that.


  2. Ov3rfly
    Posted 3 years ago #

    See section "Misc" in ThreeWP Activity Monitor "Settings" tab...

    You could set "Password length" e.g. to "1", so failed logins are logged but you only see the first character.

  3. crysman
    Posted 3 years ago #

    OK, haven't seen that option in "Misc"... thanks.

    In any event, I would add this hint to the relevant place in the "Activities" tab. Right now, there is this text:

    Logs the password the user tried to login with.
    Logs sensitive information.

    There could be something like this instead:

    Logs the password the user tried to login with.
    The logged password length may be set in "Settings -> Misc".
    Logs sensitive information.

Topic Closed

This topic has been closed to new replies.
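
A failed-login logger that keeps the username, IP and user agent fields from the entry quoted in this thread but stores no password at all, since even a one-character prefix is part of the secret. This is an added example, not ThreeWP Activity Monitor's code; the function name `example_failed_login_entry`, the JSON format and the `error_log` sink are assumptions.

```php
<?php
/**
 * Added example (not ThreeWP Activity Monitor code): record failed logins
 * without ever storing the submitted password.
 */

// Build the log entry from explicit inputs so it can be exercised outside WordPress.
function example_failed_login_entry(string $username, array $server, string $site): array
{
    // Strip control characters so a crafted username or user agent cannot forge
    // extra log lines, and cap the length of each stored value.
    $clean = static function (string $value, int $max): string {
        return substr(preg_replace('/[\x00-\x1F\x7F]/', '', $value), 0, $max);
    };

    // Accept only a syntactically valid address; anything else is recorded as unknown.
    $ip = filter_var($server['REMOTE_ADDR'] ?? '', FILTER_VALIDATE_IP) ?: 'unknown';

    return [
        'event'      => 'login_failed',
        'time'       => gmdate('c'),
        'site'       => $clean($site, 255),
        'username'   => $clean($username, 60),
        'ip'         => $ip,
        'user_agent' => $clean($server['HTTP_USER_AGENT'] ?? '', 255),
        // Deliberately no password field, not even a truncated one.
    ];
}

if (function_exists('add_action')) {
    // Inside WordPress: the wp_login_failed action passes the attempted username.
    add_action('wp_login_failed', function ($username) {
        $entry = example_failed_login_entry((string) $username, $_SERVER, home_url());
        error_log(json_encode($entry)); // assumption: PHP error log as the sink
    });
} else {
    // Stand-alone run with constructed sample values.
    $sample = [
        'REMOTE_ADDR'     => '192.0.2.10',
        'HTTP_USER_AGENT' => "Mozilla/5.0\r\nforged second line",
    ];
    echo json_encode(example_failed_login_entry('some_username', $sample, 'https://example.test')), "\n";
}
```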
