• jgarm07

    (@jgarm07)


    Hello!

    I’ve read through the stickies and searched the forum so I hope I’m not missing any rules as I post this. I’ve recently taken a new position as a Linux admin at a university. As of now I have no experience with WordPress, but I’m working to learn. Among the systems I co-manage, we have an on-prem WordPress installation, which has existed for many years.

    The install contains about 400 sites and roughly 700 plugins. Examining the database yields about 1100 separate tables. A DB dump results in a 3.5gb dumpfile.

    We’re using an LDAP plugin (I’ll update this post with the exact one) to authenticate against MS Active Directory. One of our WordPress admins is having a lockout issue with his AD account. At some point the WordPress admin changed his AD password and didn’t update it somewhere, so he’s getting locked out of all of his AD-connected apps on campus. Talking to our Active Directory admin, he confirmed the IP attempting to authenticate with his old password is the WordPress server.

    Since I’m not familiar with WordPress (yet) or how the plugins are constructed, is it possible for a plugin to have his old password saved and to be periodically using it to run an automated task? If so, what is the best method of figuring out which plugin is the culprit?

    Thank you so much! My colleague has been swimming upstream with this for a few months and I’ve been in it the last few days with no solution in sight.

    • This topic was modified 5 years ago by jgarm07. Reason: Typos
Viewing 2 replies - 1 through 2 (of 2 total)
  • Moderator Dion Hulse

    (@dd32)

    Meta Developer

    Hi @jgarm07, without knowing the site itself, it’s impossible to guess.

    It seems highly unlikely a plugin would be storing the user’s credentials, as in general plugins don’t need them. However...

    Depending on how the LDAP plugin operates, it could have stored the credentials locally to allow access to WordPress and is re-using that to hit the AD server.

    It may also be possible that the user has a WordPress app on their mobile or something else that interacts with the WordPress site that has their old password still stored. I think that’s a much more likely scenario.

    You may want to correlate the login attempts with the web server’s access logs to find what HTTP request is triggering the AD attempts.
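
One way to do the correlation suggested in the reply above, as an added example that is not part of the original thread: it ranks request signatures (client IP, method, path, user agent) by how many AD failures they coincide with. It assumes an Apache/nginx "combined" access log and failure timestamps exported by the AD admin; every log line, IP, user agent and timestamp below is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" log format (assumed; adjust to the server's LogFormat)
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')

def parse_access_log(lines):
    """Yield (time, ip, method, path without query string, user agent)."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # unparsable lines are skipped
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield ts, m["ip"], m["method"], m["path"].split("?")[0], m["ua"]

def correlate(ad_failures, log_lines, window_s=5):
    """Return [(failures_matched, signature)], best match first.

    The window is symmetric to tolerate clock skew between the web server
    and the domain controller; timestamps are compared timezone-aware.
    """
    failures = [datetime.fromisoformat(t) for t in ad_failures]
    window = timedelta(seconds=window_s)
    hits = defaultdict(set)
    for ts, ip, method, path, ua in parse_access_log(log_lines):
        for i, failed_at in enumerate(failures):
            if abs(failed_at - ts) <= window:
                hits[(ip, method, path, ua)].add(i)
    return sorted(((len(v), k) for k, v in hits.items()), reverse=True)

# Constructed sample data (documentation IP ranges, made-up user agent).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2019:09:00:01 -0400] "GET /site-a/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Oct/2019:09:00:03 -0400] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "ExampleMobileApp/1.0"',
    '192.0.2.44 - - [10/Oct/2019:09:12:40 -0400] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Oct/2019:09:30:02 -0400] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "ExampleMobileApp/1.0"',
    '192.0.2.10 - - [10/Oct/2019:09:30:04 -0400] "GET /site-b/?p=7 HTTP/1.1" 200 7300 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Oct/2019:10:00:02 -0400] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "ExampleMobileApp/1.0"',
]
SAMPLE_AD_FAILURES = ["2019-10-10T13:00:04+00:00", "2019-10-10T13:30:03+00:00",
                      "2019-10-10T14:00:03+00:00"]

if __name__ == "__main__":
    for count, sig in correlate(SAMPLE_AD_FAILURES, SAMPLE_LOG):
        print(f"{count}/{len(SAMPLE_AD_FAILURES)} failures: {sig}")
```

A signature that matches every failure is the request to investigate; signatures that match only one are usually unrelated traffic that happened to fall in the window. If nothing matches, the authentication attempt is probably not triggered by an inbound HTTP request.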

    Thread Starter jgarm07

    (@jgarm07)

    That’s actually a lot more helpful than you might think. So with the way WordPress is structured, it’s unlikely for a plugin to store credentials independent of the primary WordPress credentials?

  • The topic ‘WordPress Site Locking AD Account?’ is closed to new replies.