• Resolved DJF3

    (@djf3)


    When I open the “Logs” tab, I can see user login requests.
    – The IP addresses are anonymized
    – Entries contain usernames and readable passwords.

    #1: How can I disable passwords from being visible in the Logs?

    #2: Can I prevent any plugin from being able to see user passwords?

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author tokkonopapa

    (@tokkonopapa)

    Hi @djf3,

    While the password in “Logs” won’t be masked when the access to wp-login.php is blocked, it will be masked when the access is not blocked even if the password is wrong.

    Unmasked password

    So I’m afraid that your site has been attacked by “brute-force attacks”.

    If you do not want to keep passwords in “Logs”, please remove pwd from “$_POST key to record with value” in “Privacy and record settings” section.

    $_POST key to record with value

  • Thread Starter DJF3

    (@djf3)

    Thank you for your quick response!

    Q: Is “access to wp-login.php” blocked after “Max failed login attempts per IP address”?

    I just tested:
    – Login as admin: working
    – Incognito browser: login as test user with wrong password: the wrong password appears in the log
    – Incognito browser: login as test user with good password: login OK

    It seems that the pwd is logged every time a user enters the wrong password.
    (status login/failed or login/limited)

    Q: What does result “limited” mean? (and could I have found this information somewhere?)

  • Plugin Author tokkonopapa

    (@tokkonopapa)

    Hi @djf3,

    A: No. Sorry, but I was wrong. When users fail to log in, pwd will not be masked. (I tested with a browser where the cookie remained. In that case, pwd is masked.)

    It seems that the pwd is logged every time a user enters the wrong password.

    You’re right.

    A: Please refer to [ Help ] at the right of the header of the “Validation logs” section.

    Thanks for asking!

  • The topic ‘User Passwords visible in log?’ is closed to new replies.