Support » Plugin: IP Geo Block » User Passwords visible in log?

  • Resolved DJF3

    (@djf3)


    When I open the “Logs” tab, I can see user login requests.
    – The IP addresses are anonymized
    – Entries contain usernames and readable passwords.

    #1: How can I disable password from being visible in the Logs

    #2: Can I prevent any plugin from being able to see user passwords?

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author tokkonopapa

    (@tokkonopapa)

    Hi @djf3,

    While the password in “Logs” won’t be masked when the access to wp-login.php is blocked, it will be masked when the access is not blocked even if the password is wrong.

    Unmasked password

    So I’m afraid that your site has been attacked by “brute-force attacks”.

    If you do not want to keep passwords in “Logs”, please remove pwd from “$_POST key to record with value” in “Privacy and record settings” section.

    $_POST key to record with value

    Thank you for your quick response!

    Q: Is “access to wp-login.php” blocked after “Max failed login attempts per IP address”?

    I just tested:
    – Login as admin: working
    – Incognito browser: login as test user with wrong password: the wrong password appears in the log
    – Incognito browser: login as test user with good password: login OK

    It seems that the pwd is logged every time a user enters the wrong password.
    (status login/failed or login/limited)

    Q: What does result “limited” mean? (and could I have found this information somewhere?)

    Plugin Author tokkonopapa

    (@tokkonopapa)

    Hi @djf3,

    A: No. Sorry but I was wrong. When users who fail login, pwd will not be masked. (I tested the browser with cookie remained. In that case, pwd is masked.)

    It seems that the pwd is logged every time a user enters the wrong password.

    You’re right.

    A: Please refer [ Help ] at the right on the header of “Validation logs” section.

    Thanks for asking!

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘User Passwords visible in log?’ is closed to new replies.