WPML Emails Passwords to Affected Customers in Plaintext

Image: Clear Text Password (photo credit: thegloamingcc)
Customers who purchased WPML, a multilingual plugin for WordPress, are receiving an unsolicited email that looks very much like a phishing attempt. Matt Radford, a WPML customer, kindly sent the Tavern a copy of the email.

Dear Matt,

We want to make sure that your WPML account remains secure. For this, we are updating all client accounts with auto-generated strong passwords. A strong password helps prevent unauthorized use of your WPML account.

Our system will start the password update shortly. We will send you another email with your new password.

All the best,

WPML team

Radford then received a follow-up email containing his new password in plaintext. WPML's explanation for the forced reset: “We detected weak passwords in our system and following this we are enforcing, on a one-time procedure, strong passwords to all our clients.

“As for sending them in plaintext, if you consider it not to be safe, please update your password in order to keep it secure,” WPML said.

When asked whether passwords are stored in plaintext in its database, WPML replied, “As for storing passwords in our database, we are not storing them in plaintext; we are using standard WordPress. Yes, they’re salted and hashed.”

Denise VanDeCruze, a WPML support forum moderator, says the email was generated automatically by their systems. She confirms that sending passwords in plaintext is not a best practice and urges users to log in to their accounts and generate a new password using the reset password link.

This email was automatically generated by our system and sent to clients with passwords that were deemed too simple. However, sending new passwords in plain text via email without requiring user action is not best practice. I urge you to change your WPML account password. https://wpml.org/account/account-settings/

You were right to be cautious of this sudden email. Although it was not a phishing attempt, it was not the best way to ensure a safe password. In the future we will be mindful of adhering to strict security standards. Please let me know if you have any further questions.

WPML has not published anything on its blog explaining the situation and has yet to respond to our requests for comment. If you’re a WPML customer and receive an email with a new password, go to wpml.org directly rather than following a link in the email, log in immediately, and generate a new password using the site’s reset password link.

Emailing passwords in plaintext is a terrible security practice: the password sits unencrypted in every mailbox and on every mail server it passes through, and it remains valid until the customer changes it. One of the key improvements in WordPress 4.3 is that WordPress no longer emails passwords. Instead, it sends password reset links that expire after 24 hours; a link can be used only once and carries no password, so a copy of the email is useless after the reset. In hindsight, WPML should have generated and sent password reset emails to affected customers.


28 responses to “WPML Emails Passwords to Affected Customers in Plaintext”

  1. To be fair, if they had a lot of bad logins lately, then testing everybody is a reasonable thing to do. Back when we did the big reset on org in 2011, we just blanked everybody’s passwords out and forced them to go through the two step reset process. Not the best, but the most straightforward thing to do at the time. Didn’t cause too much hassle, although I was dealing with the confused user emails for the next three years (not a joke).

  2. Sending a new password in plain text does not mean passwords are stored in plain text. Sending an existing password, on the other hand, would prove it.

    But how can they detect that an existing password is “too simple” when it is not stored? I guess it would mean walking through a huge list of “simple” and common passwords and comparing each with the stored salted hash of each user.

    I think nobody and no script should ever do such a thing, except for anonymous research purposes. The stored hash, and corresponding user ID, should only be retrieved for the purpose of password validation.

    • Sending passwords in email is a bad habit, as all you need to do to get it is have read access, and since emails are not encrypted, every node it passes through can read the password. For example, if you use Exchange then the admin of the server can read your emails, and the same goes for Google Apps.

      Getting a password in an email is like putting it on a piece of paper and trying to hide it.

      As for how they knew the passwords are bad, this probably can be done without having the password in plain text by using some rainbow tables for a quick brute force attack against the account.

      • If they have brute forced the salted and hashed passwords in order to expose short or common passwords, then I think they’re being security conscious. I’m not sure it’s right to crack your customers’ own passwords, but if they’re doing it to improve security in the context of increasing bad login attempts, then ok.

        But the way in which this has been carried out does not give me confidence that they have security best practice in mind. If they couldn’t send password reset emails then blanking all passwords would have been better. My password was perfectly secure until a new, shorter one was emailed to me in plaintext.

      • To be fair, if they can read your emails, they can do a password reset and get in as well. Most people’s email accounts are the central core of their online identities. Which is why you should use two factor authentication on email and only go with good providers who know what they’re doing.

        • That is not exactly true. If I need to reset a password in order to log in to your WPML account, then most likely you will be notified and will be alerted to the fact that someone is trying to do bad things with your account. To avoid you noticing it, I will need to prevent your access to your email, something that you will notice as well sooner rather than later.
          So if I have RO access to your email and you are just sending unencrypted data in it, I may as well just sit quietly and do nothing.

          And then there is the issue of not-so-private computers in the household and workplace. Do you really want your kids to have free access to your Amazon account?

  3. It’s easy to write a plugin that would measure the strength of users’ passwords. You just intercept the $_POST variable when users log in.

    As to emailing only customers who had weak passwords, I received this email and my previous password was something like “Mf7JU!eP43ps”. Not fantastic, but hardly weak.

    I don’t see a problem with emailing customers passwords, so long as you insist that they change the password after log in. But you’re right, a password reset email would have been much better.

  4. So, to put it into a nutshell:

    1. they decided that some of their customers may have insecure passwords

    2. to make these accounts more secure, they’ve sent the new passwords of all of these accounts in plaintext via insecure email to the customers

    3. any user that logs in with the new “secure” password can easily change it back to their old, “insecure” password

    4. before and while sending these emails, which could very easily have been taken for phishing emails by their customers, they hadn’t published any information about the whole process on their company blog, so their customers weren’t able to verify the source and authenticity of these emails

    5. after many users and blogs complained about the whole thing, they published a blog post stating in the end that “As always at WPML we are committed to learning from our clients”, although the initial intention behind the whole thing seems to be that their clients should learn from them and set more secure passwords for their accounts.

    Call me crazy, but I thought that a professional company – developing some of the most important commercial WordPress plugins – does not need to learn from its customers how to implement a basic level of security, trust and professionalism…

    As someone stated in the WPML support forum, with the above facts in mind, it is at least questionable whether they are able to maintain a decent level of security in all of their WordPress plugins…

    • Stefan,

      I agree with you as for the lack of communication (points 4 & 5) on our side, but the rest seems to me a bit exaggerated.

      No account was compromised, and the simple fact is that at the end of the day strong passwords are an essential part of online security and are in the hands of each user.

      As we said we’ll review how all this process was handled and make sure we learn from it.

      Cheers!
