VWFeature
Forum Replies Created
Forum: Plugins
In reply to: [Protect WP Admin] Getting Log In Attempts by “admin”
Bots, looking for a site w a weak password.
Or, somebody who can log in to the site got phished.
Teodor, my suggestion would be to incorporate this function into the mail plugin as a default, and allow the webmaster to specify the From Name and Subject of email as a setting.
Forum: Plugins
In reply to: [WP Custom Register Login] Not able to send email
Can you send other emails?
Yahoo & Google are rejecting emails where the sender is not the domain they’re coming from.
Good luck.
Google WordPress send mail
Post a one star review to get their attention. But look at the security guy’s review, too.
Suggest-uninstall, revert to backup.
Forum: Plugins
In reply to: [Login Security Solution] Why is Password Aging not recommended
My take- it inconveniences users more than attackers, and encourages shorter, simpler, and reused passwords.
Put a link to https://makemeapassword.org/#getpassword where they need to make a pw, and get them all to use KeePass. (Obviously secure the KP db with a strong PW.)
Forum: Plugins
In reply to: [Login Security Solution] password strength of less than 10 necessary
Agree w Meerkat. Look up Readable Passphrase Generator- https://makemeapassword.org/#getpassword
=>memorable, secure passphrases.
I detest sites that limit users to length of 10 or 12, because it means you either use an insecure pw or one that’s impossible to remember (JyMe,(3$]pw). Ech. Four/five words or a 40 char phrase are secure. (“Edible sunlamps defer all readable politicians”) which can be improved: (“Edible sunlamps defer?? all blue34politicians”) Etc.
The biggest risk is not direct attacks, but offline, high speed attacks. ArsTechnica had some great articles on PW cracking, and the vulnerability of any phrase that appears anywhere online. (Givemelibertyorgivemedeath and all its variants.)
Implementing Password bcrypt plugin and Google Authenticator – Two Factor Authentication will also improve your site’s security.
What about other login forms, NOT CF7?
Bingo!
Thanks!!
Actually, from my limited knowledge, this is the best way to allow registrations. The users have to give you a real email, and respond to the email within a period of time, AND the link expires after some time from 15 min to a day or so. So if someone gets a copy of that email a year later, they don’t get a password or link they can use on your account.
The password is never in clear text.
By the way, Readable Passphrases like on MakeMeAPassword allow you to generate memorable passphrases like
MY proton shined the monkey’s 23 TABLET (put THAT in zxcvbn! =>`112 bits or 4x 10^33)
And use KeePass or another password manager to remember different pws for all the sites you use.
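The expiring confirmation link described in the reply above, sketched as an added example (not code from the post or from any plugin it mentions). The class name, the 15-minute lifetime, single-use redemption and the in-memory store are assumptions made for illustration.

```python
import hashlib
import secrets
import time

# Assumed lifetime: the short end of the "15 min to a day" range in the reply.
LINK_TTL_SECONDS = 15 * 60


class PendingRegistrations:
    """Hypothetical store for e-mail confirmation links.

    The e-mail carries only a random token, never a password, and the
    server keeps only a SHA-256 digest of that token plus an expiry time.
    """

    def __init__(self, ttl=LINK_TTL_SECONDS):
        self.ttl = ttl
        self._pending = {}  # digest of token -> (email, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, email, now=None):
        """Create a token for the link that is mailed to `email`."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[self._digest(token)] = (email, now + self.ttl)
        return token

    def redeem(self, token, now=None):
        """Return the confirmed e-mail address, or None if the link is
        unknown, already used, or expired."""
        now = time.time() if now is None else now
        # pop() makes the link single use (an assumption beyond the reply).
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        email, expires_at = entry
        if now > expires_at:
            return None  # an old copy of the e-mail gives no access
        return email
```

The user picks a password only after `redeem()` succeeds, so a leaked copy of the e-mail exposes nothing once the link has been used or has expired.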
I had a similar issue immed after installing a plugin, fixed by rolling it back. Thank you all!
Forum: Plugins
In reply to: [Cookies for Comments] Hide imageWhat happens if someone has cookies disabled?
Suggestion- have some way to kick them to a CAPTCHA & disable CfC.