Dear Matt,
We want to make sure that your WPML account remains secure. For this, we are updating all client accounts with auto-generated strong passwords. A strong password helps prevent unauthorized use of your WPML account.
Our system will start the password update shortly. We will send you another email with your new password.
All the best,
WPML team
Radford received a follow-up email that included his new password in plaintext. WPML explained why the passwords were sent in plaintext: “We detected weak passwords in our system and following this we are enforcing, on a one-time procedure, strong passwords to all our clients.
“As for sending them in plaintext, if you consider it not to be safe, please update your password in order to keep it secure,” WPML said.
When asked whether passwords are stored in plaintext within the database, WPML replied, “As for storing passwords in our database we are not storing it in plaintext, we are using standard WordPress. Yes they’re salted and hashed.”
Denise VanDeCruze, a WPML support forum moderator, says the email was generated automatically by their systems. She confirms that sending passwords in plaintext is not a best practice and urges users to log in to their accounts and generate a new password using the reset password link.
This email was automatically generated by our system and sent to clients with passwords that were deemed too simple. However, sending new passwords in plain text via email without requiring user action is not best practice. I urge you to change your WPML account password. https://wpml.org/account/account-settings/
You were right to be cautious of this sudden email. Although it was not a phishing attempt, it was not the best way to ensure a safe password. In the future we will be mindful of adhering to strict security standards. Please let me know if you have any further questions.
WPML has not published any information on its blog that explains the situation and has yet to respond to our requests for comment. If you’re a WPML customer and receive an email with a new password, you should immediately log in, generate a new password using the site’s reset password link, and follow the instructions.
Emailing passwords in plaintext is a terrible security practice. One of the key improvements in WordPress 4.3 is that WordPress no longer emails passwords. Instead, it sends password reset links that expire after 24 hours. In hindsight, WPML should have generated and sent password reset emails to affected customers.
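The reset-link approach described above, as an added illustration that is not WPML’s or WordPress’s own code: the outgoing email carries only a random, single-use token that expires after 24 hours, the server stores just a hash of that token, and the new password is chosen by the user over the link rather than written into any message. The endpoint URL, the in-memory stores, the PBKDF2 password hashing and the sample address are all assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlparse

# Reset links expire after 24 hours, matching the behaviour the article
# attributes to WordPress 4.3.
RESET_TTL_SECONDS = 24 * 60 * 60
PBKDF2_ITERATIONS = 200_000  # assumed work factor for the example


@dataclass
class ResetRecord:
    token_hash: str   # SHA-256 of the token; the token itself is never stored
    expires_at: float


@dataclass
class PasswordRecord:
    salt: bytes
    pbkdf2: bytes


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class PasswordResetService:
    """Hypothetical reset flow: issue a single-use, expiring token and email a
    link carrying it. A password never appears in any outgoing message."""

    def __init__(self, base_url: str = "https://example.invalid/reset", now=time.time):
        self._base_url = base_url     # hypothetical endpoint, not a real one
        self._now = now               # injectable clock so expiry is testable
        self._pending: dict[str, ResetRecord] = {}    # stand-in for a DB table
        self._passwords: dict[str, PasswordRecord] = {}

    def issue_reset(self, email: str) -> str:
        """Generate a fresh token, keep only its hash, return the link to email."""
        token = secrets.token_urlsafe(32)
        self._pending[email] = ResetRecord(_hash_token(token), self._now() + RESET_TTL_SECONDS)
        return f"{self._base_url}?{urlencode({'email': email, 'token': token})}"

    def compose_email(self, email: str) -> str:
        """The message a user would receive: a link, not a password."""
        link = self.issue_reset(email)
        return (f"To: {email}\nSubject: Reset your password\n\n"
                f"Follow this link within 24 hours to choose a new password:\n{link}\n")

    def redeem(self, email: str, token: str, new_password: str) -> bool:
        """Consume the token and set the user's chosen password; False on any failure."""
        record = self._pending.get(email)
        if record is None:
            return False
        if self._now() > record.expires_at:
            del self._pending[email]        # expired: discard, user must request again
            return False
        if not hmac.compare_digest(record.token_hash, _hash_token(token)):
            return False                    # wrong token; record stays until expiry
        del self._pending[email]            # single use
        salt = secrets.token_bytes(16)
        self._passwords[email] = PasswordRecord(salt, _hash_password(new_password, salt))
        return True

    def verify_password(self, email: str, password: str) -> bool:
        rec = self._passwords.get(email)
        if rec is None:
            return False
        return hmac.compare_digest(rec.pbkdf2, _hash_password(password, rec.salt))


def token_from_link(link: str) -> str:
    """Receiving side: pull the token out of the emailed link."""
    return parse_qs(urlparse(link).query)["token"][0]


if __name__ == "__main__":
    svc = PasswordResetService()
    message = svc.compose_email("matt@example.invalid")  # constructed address
    print(message)
    token = token_from_link(message.splitlines()[-1])
    print("redeem:", svc.redeem("matt@example.invalid", token, "correct horse battery staple"))
```

Because only the token hash is kept server-side, a leaked copy of the pending-reset table does not let anyone complete a reset, and because the token is consumed on first use and discarded after 24 hours, an old email in an inbox stops being useful on its own.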
To be fair, if they had a lot of bad logins lately, then testing everybody is a reasonable thing to do. Back when we did the big reset on org in 2011, we just blanked everybody’s passwords out and forced them to go through the two step reset process. Not the best, but the most straightforward thing to do at the time. Didn’t cause too much hassle, although I was dealing with the confused user emails for the next three years (not a joke).