• Resolved deeveedee

    (@deeveedee)


    In version 1.8.3, we had configured Sucuri so that passwords were not included in the failed login alerts. After upgrading to 1.8.7, both the username and password are included in the failed login alert e-mail. For security reasons, we do not want the failed password included in the failed login alert. How do we change settings of 1.8.7 so that the password is not included in the failed login alert?

Viewing 7 replies - 1 through 7 (of 7 total)
  • I am seeing this as well

    Have the same behavior with version 1.8.7…

    Had the subject line in email with variable name… but after updating to the latest version… I still have the password in clear text in the email.

    Any fix? Or option to disable that? Other than completely disabling this type of alert.

    • This reply was modified 7 years, 4 months ago by Dudnee.

    They are dropping the ball with this plugin and I am going to start looking into other options.

    Thread Starter deeveedee

    (@deeveedee)

    We’re still optimistic about this plugin. 1.8.3 worked perfectly for us and there have been a lot of changes since then. The new version should probably have been numbered version 1.9 to reflect the changes (maybe even 2.0).

    Regardless, 1.8.7 is working well for us with the exception of including the password in the failed login notification e-mails. We configured the Sucuri 1.8.7 alerts to ignore “Postman Sent Mail” (Postman SMTP plugin) and “Shop Order” (WooCommerce plugin) posts (not sure why these posts are monitored by Sucuri). As soon as the failed login notification is fixed, we’ll be happy again with Sucuri.

    @deeveedee @7thcircle @dudnee @uberjuice — the option to remove the password from the failed login alerts was deleted with version 1.8.4; I have added a condition [1] to allow you to programmatically disable this behavior by setting a constant in the WordPress configuration file. Please install the alpha version of the code from here [2] to get the early update or wait until the public release of version 1.8.8; I will probably re-add the option to the settings page, but for now install the alpha code if you need an immediate fix.

    [1] https://github.com/cixtor/sucuri-wordpress-plugin/commit/b1a9169
    [2] https://github.com/cixtor/sucuri-wordpress-plugin

    @deeveedee @7thcircle @dudnee @uberjuice — I have re-added the option to disable the reporting of the passwords used during a password guessing attack here [1]. Please install the alpha version of the code from here [2] so you can have this feature available in your website. We will release version 1.8.8 in a couple of weeks to include this and other bug fixes.

    [1] https://github.com/cixtor/sucuri-wordpress-plugin/commit/84dd39d
    [2] https://github.com/cixtor/sucuri-wordpress-plugin

    Thread Starter deeveedee

    (@deeveedee)

    @yorman,

    Has the option to disable password reporting been added back into the Sucuri settings or does this still need to be set programmatically by modifying the WordPress config file?

    If this can once again be configured in Sucuri settings, where is the setting for this?

    Thank you.

  • The topic ‘Failed login alert includes password after upgrading to 1.8.7’ is closed to new replies.