• Resolved steveglick

    (@steveglick)


    There used to be an option to disable saving passwords for failed logins, but I do not see it anywhere anymore, and it is enabled by default after updating. First, having it enabled by default at all is dangerous, as you are using weak defaults; second, changing settings on an update is equally dangerous. I am not sure of the exact version numbers, but I am currently on the latest version.

Viewing 8 replies - 1 through 8 (of 8 total)
  • Go to the plugin’s settings page; in the “Alerts” panel there is a section called “Security Alerts”. Search for an option called “Receive email alerts for failed login attempts including the submitted password” and uncheck it. When this option is checked, the plugin executes this piece of code [1], which appends the submitted password to the logs; if the option is unchecked, the plugin only uses the username.

    In this commit [2] submitted +24 days ago, I modified the default settings to keep the option “:notify_failed_password” disabled by default. These changes were both included with the release of version 1.8.8; let me know if this code is working differently in your environment so I can investigate.

    Marking as resolved, feel free to re-open if you need more information.

    [1] https://github.com/Sucuri/sucuri-wordpress-plugin/blob/13de2f4/src/hook.lib.php#L156-L162
    [2] https://github.com/Sucuri/sucuri-wordpress-plugin/commit/9c86744

    @yorman
    I have updated from 1.8.7 and, on other sites, 1.8.3, and in both cases I needed to click the ‘submit’ button on the alerts settings page to stop the passwords being logged. This works regardless of making any changes to the alert settings. Note that I had “Receive email alerts for failed login attempts including the submitted password” disabled already.

    Therefore I think that there is another fix required so that the plugin doesn’t log passwords by default.

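The failure mode mattronica describes (the option is already unchecked, yet passwords are logged until the settings form is submitted once) is what happens when a missing setting is treated as "enabled". The snippet below is an added illustration, not the Sucuri plugin's own code; the option key, the two lookup functions and `record_failed_login` are assumed names, and only `wp_login_failed` is a real WordPress hook.

```php
<?php
// Added example (not the plugin's code). It contrasts a weak default, where an
// option absent from the saved settings counts as "on", with a hardened default
// that requires an explicit opt-in before a submitted password is recorded.

const OPTION_KEY = 'example_notify_failed_password'; // hypothetical option name

// Weak default: a key that was never saved (e.g. right after an update, before
// the alert settings form is submitted) falls back to true, so the password is
// logged even though the checkbox appears unchecked in the UI.
function should_log_submitted_password_weak(array $settings): bool
{
    return isset($settings[OPTION_KEY]) ? (bool) $settings[OPTION_KEY] : true;
}

// Hardened default: a missing key means disabled. Only an explicit 'enabled'
// value ever causes the password to be written to the log.
function should_log_submitted_password(array $settings): bool
{
    return isset($settings[OPTION_KEY]) && $settings[OPTION_KEY] === 'enabled';
}

// Build the log line for one failed login. WordPress's wp_login_failed hook
// passes only the username; a plugin would have to read the password from the
// request itself, and with the hardened default it is appended only on opt-in.
function record_failed_login(string $username, ?string $password, array $settings): string
{
    $line = sprintf('failed login for "%s"', $username);
    if ($password !== null && should_log_submitted_password($settings)) {
        $line .= sprintf(' with password "%s"', $password);
    }
    return $line;
}

// Constructed scenario: an upgraded site whose alert settings were never re-saved.
$settings_after_update = array(); // the option key is absent entirely
var_dump(should_log_submitted_password_weak($settings_after_update));
var_dump(should_log_submitted_password($settings_after_update));
echo record_failed_login('admin', 'constructed-secret', $settings_after_update), PHP_EOL;

// Same site after the user explicitly opts in by saving the form once.
$settings_opted_in = array(OPTION_KEY => 'enabled');
echo record_failed_login('admin', 'constructed-secret', $settings_opted_in), PHP_EOL;
```

The weak variant returns true for the empty settings array while the hardened one returns false, which is why clicking “submit” (and thereby writing the key) was enough to stop the logging in this thread.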

    @mattronica — would you like to install the development version of the code from here [1]? I have submitted some changes associated with the failed-login code; maybe one of them will help you resolve the issue.

    These fixes will be included with the release of version 1.8.9, but it will take a couple of weeks before I make the announcement, as there are other changes that have more priority. Please use the development version of the code for now.

    [1] https://github.com/cixtor/sucuri-wordpress-plugin

    @yorman
    Yes, that's fixed it. Good stuff. Thanks for getting this fixed quickly.

    Thread Starter steveglick

    (@steveglick)

    @mattronica I appreciate the tip on submitting the alert settings. I also had it disabled and it was still logging, but this fix worked for me as well.

    @yorman Thanks for getting that patched so quickly!

    @yorman,

    Unchecking “Receive email alerts for failed login attempts including the submitted password” keeps the password hidden. Thank you!

    How do we clear the failed password log in Sucuri?

    Thank you.

    Thread Starter steveglick

    (@steveglick)

    @deeveedee

    Delete “sucuri-failedlogins.php” and “sucuri-oldfailedlogins.php” under Sucuri Settings > General > Data Storage.

    @steveglick,

    Thank you!

  • The topic ‘Disable Logging Password for Failed Login’ is closed to new replies.