Viewing 10 replies - 1 through 10 (of 10 total)
  • Step by Step and a screenshot here [1]:

    1. Click the “Sucuri Security” in the sidebar,
    2. Go to the plugin’s settings page,
    3. Click in the “Alerts” panel,
    4. Scroll down until “Security Alerts”,
    5. Uncheck “Receive email alerts for failed login attempts including the submitted password”.

    [1] https://i.imgur.com/Hm11j11.png

    Thread Starter shklenny

    (@shklenny)

    The problem is not related to emails, but to logs inside the back-office.
    The option you mention is already unchecked.

    Thanks

    Were the passwords in the logs submitted before the option was disabled?

    The current version of the code [1] uses the same option for both the security alerts and the audit logs. If the option is disabled (as you already did) the plugin will stop appending the password in the mails and the logs. I believe that the passwords that you are seeing in the logs were sent to the API before the option was disabled. There is no option to delete the logs from the server. You would need to generate a new API key and start from scratch.

    [1] https://github.com/Sucuri/sucuri-wordpress-plugin/blob/13de2f4/src/hook.lib.php#L156-L162

    Thread Starter shklenny

    (@shklenny)

    The passwords are still being logged, hence after the option was disabled.

    But I’m not talking about logs sent through the API; it’s about logs I see in my WordPress’ Sucuri plugin, in the back-office.

    @shklenny — I don’t understand what you mean by “logs in the back-office”; the plugin sends all the logs to the API automatically when they are triggered. Maybe a screenshot would help, that way I can understand where exactly you are seeing these passwords and give you a solution. Please send it to my personal email [removed] (removed to avoid spam).

    Hello again, I finished working on your website.

    To be honest, I was not able to find the root of the issue. After several changes to the code I just learned that your website was not supporting internationalization at all, so it was not really the plugin’s fault. I went to the global settings page and changed the interface to French and it didn’t work, so I decided to download a fresh copy of WordPress and replace the admin, includes and content directories, and now everything works.

    I left the old directories in the server with a different name [1][2][3] in case that you want to compare the code between these folders and the ones that I installed. I reactivated all the plugins as well as the custom theme that you were using, none of them were involved in the problem that you were experiencing.

    Due to limitations in the access to the server (no SSH, for example) I couldn’t go into details of why the directories that you had before were blocking the translation of the interface. Please use a tool like Meld [4] to compare the content of these directories [1][2][3] with these other directories [5][6][7]; considering that you have SSH access, it will be easier for you to find out what was happening there.

    Please visit all the Sucuri plugin’s pages and verify that everything loads correctly on your side; I tested here and everything looks fine. If anyone else stumbles across a similar issue, please be sure to have “gettext” installed on your server and that both “wp-admin” and “wp-includes” contain the correct source code.

    Let me know if you need more information.

    [1] /public_html/__wp-admin
    [2] /public_html/__wp-content
    [3] /public_html/__wp-includes
    [4] https://meldmerge.org/
    [5] /public_html/wp-admin
    [6] /public_html/wp-content
    [7] /public_html/wp-includes

    Thread Starter shklenny

    (@shklenny)

    Hi Yorman,

    I guess your last message was in the wrong discussion, don’t think you actually worked on my website ??
    I was referring to the “failed logins” panel. Passwords are shown here.

    Here’s the screenshot : https://ibb.co/dCsG9k

    Thanks, Klenn

    Linn

    (@linnalexandra)

    I’m having the same issue – I’ve never had the “Receive email alerts for failed login attempts” option selected, and so the “Receive email alerts for failed login attempts including the submitted password” option isn’t selected either. On the main Sucuri Dashboard tab, I see failed login attempts along with the submitted password. Before the big plugin update I wasn’t having this issue.

    Here is a screenshot: https://www.dropbox.com/s/zry5lqyq46sqnzd/Screen%20Shot%202017-08-03%20at%207.16.09%20PM.png?dl=0

    This is of course not an issue with bogus login attempts like these, but when a client attempts several versions of their actual password it’s a problem that it’s being stored in plaintext here.

    Marking as unresolved again while I investigate this issue one more time.

    There are two things to consider here. In @shklenny’s case the information is being stored on their own web server, in this file [1], so deleting this file will immediately “hide” the sensitive information from that page. In @linnalexandra’s case the problem is more difficult to resolve because, taking a look at the code that sends the password to the API [2], you can see that it only does it when the option “:notify_failed_password” is enabled, and this option is disabled by default as you can see here [3].

    I understand that you are seeing the option unchecked in your website, I can believe that; however, this only makes the investigation harder as it contradicts what the code is doing. I will keep this ticket open for a couple of days while I try to reproduce the issue in my own website and find a solution.

    For now, you can modify the content of this file [4] and delete lines 158 and 159 which are the ones sending a copy of the password to both the API and the local cache. I will work on this in the next couple of weeks. Thank you for your patience.

    [1] /wp-content/uploads/sucuri/sucuri-failedlogins.php
    [2] https://github.com/Sucuri/sucuri-wordpress-plugin/blob/13de2f4/src/hook.lib.php#L150-L162
    [3] https://github.com/Sucuri/sucuri-wordpress-plugin/blob/13de2f4/src/option.lib.php#L74
    [4] /wp-content/plugins/sucuri-scanner/src/hook.lib.php
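The reply above describes the defect as a logging path that copies the submitted password into both the API payload and a local cache file whenever the option is enabled. As an added example (not the Sucuri plugin’s own code, and not the fix linked in the following reply), the snippet below shows how a WordPress failed-login recorder can be written so that the safe behaviour is the default: the password is redacted unless a site owner explicitly opts in, and even then only a keyed hash is stored. The `example_` function names, the option name, and the log location under `wp-content/uploads` are assumptions made for this illustration; `wp_login_failed`, `sanitize_user`, `wp_salt`, `wp_upload_dir`, `wp_mkdir_p` and `wp_json_encode` are real WordPress APIs, and `pwd` is the field name used by the core login form.

```php
<?php
/*
 * Added example, not the Sucuri plugin's code: a minimal failed-login
 * recorder for WordPress that never persists the submitted password in
 * plaintext. Everything prefixed "example_" is hypothetical.
 */

// Hypothetical option; false by default, so the safe path needs no configuration.
define('EXAMPLE_RECORD_PASSWORD_OPTION', 'example_record_failed_password_hash');

add_action('wp_login_failed', 'example_record_failed_login');

/**
 * Build the log entry for one failed login. Returned as an array so the
 * redaction logic can be checked without touching the filesystem.
 */
function example_build_failed_login_entry($username, $submitted_password, $record_hash) {
    $entry = array(
        'time'     => gmdate('c'),
        'username' => sanitize_user($username, true),
        'ip'       => isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '',
        // Default: the attempted password is not stored at all.
        'password' => '[redacted]',
    );

    if ($record_hash && $submitted_password !== null) {
        // Opt-in only: a keyed hash lets an admin see that the same wrong
        // password was retried, without exposing it to anyone reading the log.
        $entry['password'] = hash_hmac('sha256', (string) $submitted_password, wp_salt('auth'));
    }

    return $entry;
}

function example_record_failed_login($username) {
    $record_hash = (bool) get_option(EXAMPLE_RECORD_PASSWORD_OPTION, false);
    // The core login form posts the password as "pwd"; read it here and
    // nowhere else, so it cannot leak into other log sinks by accident.
    $submitted = isset($_POST['pwd']) ? $_POST['pwd'] : null;

    $entry = example_build_failed_login_entry($username, $submitted, $record_hash);
    example_append_log_line(wp_json_encode($entry));
}

/**
 * Append one JSON line to a log under wp-content/uploads. The file carries a
 * .php extension with a leading "<?php exit; ?>" line so that a direct HTTP
 * request for it executes nothing and returns no content.
 */
function example_append_log_line($line) {
    $upload = wp_upload_dir();
    $dir    = trailingslashit($upload['basedir']) . 'example-failed-logins';
    wp_mkdir_p($dir);

    $file = $dir . '/failed-logins.php';
    if (!file_exists($file)) {
        file_put_contents($file, "<?php exit; ?>\n", LOCK_EX);
    }
    file_put_contents($file, $line . "\n", FILE_APPEND | LOCK_EX);
}
```

The design point is that the option gates only the hashed form; no code path writes the plaintext value, so a mismatch between what the settings page shows and what the stored option holds (the contradiction the reply above is investigating) cannot result in passwords landing on disk. The `exit`-guarded `.php` log file mirrors the protection that a cache file in the uploads directory needs when it is web-reachable.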

    This bug was fixed with commit #6736c59 [1]; thank you for the report.

    [1] https://github.com/cixtor/sucuri-wordpress-plugin/commit/6736c59
