A popular security plugin for WordPress, known as “All-In-One Security (AIOS) – Security and Firewall,” has been found to store users’ passwords in plain text within the database. The developer provided an update three weeks after users started complaining, but this update seems to be causing website issues. The plugin functions as a web application firewall. It provides various security features for the login process, including two-factor authentication and lockouts after a certain number of incorrect login attempts.
The plugin is installed on over a million WordPress sites. Three weeks ago, a user discovered that the plugin stores users’ login attempts in plaintext in the database. Oliver Sild of security company Patchstack said, “It is certain that hackers will collect the login details from the logs of compromised sites using the plugin. The developer hasn’t even told users to change all their passwords.”
On July 10, version 5.2.0 of the plugin was released, but it caused “fatal errors” on websites. Subsequently, a new version with a fix was released last Wednesday, but users are still complaining about malfunctioning websites. Furthermore, out of over a million websites using the plugin, only about 525,000 are running the versions where the problem has been addressed. This implies that about half a million websites are still logging login attempts.