Plugin Overwrites Password Hint on Reset Password Page

Hello –

I’ve discovered a conflict with the AIOWS plugin and the Login Security Solution plugin. I bring it up in this forum because I believe the issue is on the AIOWS side, and your description says that

Works with Most Popular WordPress Plugins
It should work smoothly with most popular WordPress plugins.

…so since LSS is the most popular password plugin (20k+ active installations) you might be inclined to investigate.

LSS is used to require users to use strong passwords. This is important to me because I have a large base of users, and many sadly insist on trying to get away with easily crackable passwords. If AIOWS offered such a security feature I would use that and have no need for LSS, but it does not. (I use many other AIOWS features and love them!)

Here is the problem. If a user requests a new password from the default WordPress login page, they are sent an email with a link that looks similar to

https://domain.com/wp-login/?action=rp&key=1Xx1qgFHyO1YLIJNwEyw&login=username

This link shows a password reset screen and there is a hint at the bottom that typically shows the WordPress requirements: “…password should be at least seven characters long…”

The exact output is: <p class="description indicator-hint">Hint: The password should be at least seven characters long. To make it stronger, use upper and lower case letters, numbers, and symbols like ! " ? $ % ^ & ).</p>

LSS enables an admin to require stronger passwords. As such it changes the hint to reflect the new requirements, in the default case it says:

The password should either be: A) at least 10 characters long and contain upper and lower case letters (except languages that only have one case) plus numbers and punctuation, or B) at least 20 characters long. The password can not contain words related to you or this website.

Unfortunately, with AIOWS enabled, the text is reverted back to the default text. I’m not sure if it is a specific option in AIOWS, or just the activating of the plugin, but that’s definitely the conflict as I’ve experimented with deactivating the plugin.

It may seem like a minor thing, and I suspect really is a minor fix, but it is huge in terms of my having to support end users. They are told they can use 7 characters, but in fact they need 10. And that’s when the support calls come in.

Ideally I could use both plugins because of AIOWS’s outstanding security options, and LSS’s strong password requirements. But right now, forcing users to reset to stronger passwords is terribly confusing because the password hint is totally wrong.

If it helps, Daniel Convissor, the plugin author for LSS was instrumental in having the WordPress core updated in 4.1 to move the password hint text to a function: https://core.trac.www.ads-software.com/ticket/21243. Maybe this new function is something AIOWS can take advantage of?

I’d really love it if these two very popular plugins could work together. Can one of the AIOWS authors assess the scope of the fix?

Thank you!

D.Lo

https://www.ads-software.com/plugins/all-in-one-wp-security-and-firewall/