Passwords Evolved

Description

Important Notice: This plugin is no longer supported on wordpress.org. Please open issues on GitHub.

The goal of this plugin is to shore up WordPress authentication using standard security practice recommendations. At this time, the plugin improves WordPress authentication in the following ways:

Enforcing uncompromised passwords

This plugin prevents someone from using passwords that have appeared in data breaches. Whenever someone logs into a WordPress site, it verifies their password against the Have I been pwned? API. If their password has appeared in a data breach, the plugin will prevent them from logging in until they reset their password.

By default, this level of enforcement is only applied to accounts that have the "administrator" role. You can change which roles have their passwords enforced from the settings page. For people whose role has no password enforcement, the plugin will only show a warning when they log in with a compromised password.

The enforcement of uncompromised passwords also extends to when someone resets or changes their password. In those situations, using an uncompromised password is mandatory regardless of role: no one can reset or change their password to one that has appeared in a security breach, as long as the plugin is able to contact the API. That parenthetical matters: when the API cannot be reached there is no answer to enforce, so if you rely on this control, treat API reachability as part of it.

Using stronger password hashing

The plugin also hashes passwords using either the bcrypt or the Argon2 hashing function. (Passwords are hashed, not encrypted: a hash cannot be decrypted, only attacked by guessing candidate passwords and hashing each one.) These are the strongest password hashing functions available through PHP's password_hash(). Argon2 is available natively starting with PHP 7.2, but the plugin can also use it on older PHP versions through the libsodium compatibility layer introduced in WordPress 5.2.

You don't have to do anything to convert your existing password hash to the stronger algorithm. The plugin takes care of converting it the next time you log in after installing the plugin, because a successful login is the only moment it has the plaintext password needed to compute the new hash. If you decide to remove the plugin, your password will continue working and remain hashed with the stronger algorithm until you reset it. (One of the reviews below reports that deactivating the plugin forced users to reset their passwords, so test removal on a staging copy with your WordPress and PHP versions before doing it in production.)

It's also worth noting that a stronger hashing function only matters in the event of a data breach. A stronger password hashing function makes recovering passwords from the leaked hashes (cracking them by guessing, since hashes cannot be decrypted) a lot slower and more expensive. Combined with the enforcement of uncompromised passwords, which removes exactly the guesses attackers try first, this helps ensure those passwords are never recovered, or at least not without significant effort.
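As an added example (not the plugin's own code), the following PHP script shows the mechanism the two paragraphs above describe: picking Argon2id when the PHP build offers it and bcrypt otherwise, verifying a login, and transparently rehashing an outdated hash on the next successful login. The function names, the work-factor values and the assumed shape of the wp_hash_password_algorithm filter (receiving core's default algorithm constant and returning the one to use) are this example's own; it needs PHP 7.1 or newer and runs without WordPress.

```php
<?php
// Added example, not the plugin's own code: hash new passwords with the strongest
// algorithm this PHP build offers, verify logins, and transparently rehash weaker
// hashes on the next successful login, as the description says the plugin does.

/** Argon2id when PHP was built with it (PHP 7.3+ with libargon2 or libsodium), else bcrypt. */
function choose_password_algorithm()
{
    return defined('PASSWORD_ARGON2ID') ? PASSWORD_ARGON2ID : PASSWORD_BCRYPT;
}

/** Work factors are what slows offline cracking; size them so one hash costs tens of
 *  milliseconds on your server. The values here are this example's choice, not the plugin's. */
function password_algorithm_options($algorithm): array
{
    if ($algorithm === PASSWORD_BCRYPT) {
        return ['cost' => 12];
    }
    // memory_cost is in KiB; threads must stay 1 when Argon2 is provided by libsodium.
    return ['memory_cost' => 64 * 1024, 'time_cost' => 3, 'threads' => 1];
}

function hash_password_strong(string $password): string
{
    $algorithm = choose_password_algorithm();
    return password_hash($password, $algorithm, password_algorithm_options($algorithm));
}

/** Verify, and on success return a replacement hash when the stored one uses a weaker
 *  algorithm or lower work factor than wanted now. Returns [bool $valid, ?string $new_hash].
 *  WordPress' legacy portable hashes ($P$...) are not understood by password_verify();
 *  a real plugin hands those to core's checker first and rehashes after a successful login. */
function verify_and_upgrade(string $password, string $stored_hash): array
{
    if (!password_verify($password, $stored_hash)) {
        return [false, null];
    }
    $algorithm = choose_password_algorithm();
    $needs_rehash = password_needs_rehash($stored_hash, $algorithm, password_algorithm_options($algorithm));
    return [true, $needs_rehash ? hash_password_strong($password) : null];
}

// Inside WordPress 6.8+ the same choice can be handed to core through the
// wp_hash_password_algorithm filter named in the changelog (assumed here to receive
// core's default algorithm constant and to return the one core should use).
if (function_exists('add_filter')) {
    add_filter('wp_hash_password_algorithm', function ($default) {
        return choose_password_algorithm();
    });
}

// Demo: a bcrypt hash at the minimum cost stands in for an outdated stored hash.
$password = 'example-only-password';
$old_hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 4]);

[$ok, $new_hash] = verify_and_upgrade($password, $old_hash);
printf("first login:  valid=%s, rehashed with %s\n", var_export($ok, true),
    $new_hash === null ? 'nothing' : password_get_info($new_hash)['algoName']);

[$ok, $again] = verify_and_upgrade($password, $new_hash);
printf("second login: valid=%s, rehash needed=%s\n", var_export($ok, true), $again === null ? 'no' : 'yes');

[$ok] = verify_and_upgrade('wrong-password', $new_hash);
printf("wrong guess:  valid=%s\n", var_export($ok, true));
```

The first login returns a fresh hash to store (the stored hash is either bcrypt with too low a cost or not Argon2id at all), the second login returns no replacement because the stored hash already matches the wanted algorithm and parameters, and a wrong password is rejected before any rehash is considered.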

FAQ

Wait, so are you sending my password to a 3rd party!?

No, the plugin never sends your full password to a 3rd party for verification. The plugin only sends the first five hex characters of the SHA-1 hash of the password to a 3rd party. The 3rd party then sends back the remaining 35 characters of every breached-password hash that starts with those five characters (several hundred per prefix), together with how many times each appeared in breaches. It never learns which of them, if any, is yours.

The plugin then handles the rest of the password validation itself. It compares the rest of the SHA-1 hash of your password against the suffixes returned by the 3rd party, entirely on your own server. This technique is called k-anonymity. (You can read more about validating leaked passwords with it here.)
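As an added example (not the plugin's own code), here is the exchange described in the two answers above together with the per-role policy from the description, in plain PHP: split the SHA-1 hash, send only the prefix, match the suffix locally, and decide whether to allow, warn or block. The function names, the choice to fail open for logins when the API is unreachable, and the sample response body are this example's own; the sample body is constructed, not real API output. Swap the fake fetcher for hibp_fetch_range_http() to query the live service.

```php
<?php
// Added example, not the plugin's own code: a k-anonymity check against the
// Have I been pwned? range API, plus the per-role decision the description
// outlines. Only the first five hex characters of the SHA-1 hash leave the host.

/** Split the upper-case SHA-1 hex digest into the 5-char prefix sent to the API
 *  and the 35-char suffix that never leaves this machine. */
function hibp_split_hash(string $password): array
{
    $sha1 = strtoupper(sha1($password));
    return [substr($sha1, 0, 5), substr($sha1, 5)];
}

/** Parse a range response ("SUFFIX:COUNT" per line, upper-case hex) and return
 *  the breach count for our suffix, or 0 when it is absent. */
function hibp_count_from_range(string $body, string $suffix): int
{
    foreach (preg_split('/\R/', trim($body)) as $line) {
        $parts = explode(':', trim($line), 2);
        if (count($parts) === 2 && strtoupper($parts[0]) === $suffix) {
            return (int) $parts[1];
        }
    }
    return 0;
}

/** $fetch_range gets the prefix and returns the response body, or null when the
 *  API cannot be reached. Unreachable is reported as 'unknown', never as 'ok'. */
function hibp_check_password(string $password, callable $fetch_range): array
{
    [$prefix, $suffix] = hibp_split_hash($password);
    $body = $fetch_range($prefix);
    if ($body === null) {
        return ['status' => 'unknown', 'count' => null];
    }
    $count = hibp_count_from_range($body, $suffix);
    return ['status' => $count > 0 ? 'compromised' : 'ok', 'count' => $count];
}

/** Policy from the description: enforced roles are blocked on a compromised
 *  password, other roles only get a warning, and resets/changes are always enforced.
 *  Failing open for logins while the API is down is this example's choice. */
function hibp_decide(array $result, bool $role_enforced, bool $is_password_change): string
{
    if ($result['status'] !== 'compromised') {
        return 'allow';  // 'ok', or 'unknown' (API unreachable): nothing to enforce
    }
    return ($role_enforced || $is_password_change) ? 'block' : 'warn';
}

/** Live fetcher using plain PHP streams (no WordPress dependency). Add-Padding
 *  asks the API to pad the response so its size reveals nothing about the prefix. */
function hibp_fetch_range_http(string $prefix): ?string
{
    $ctx = stream_context_create(['http' => [
        'method'  => 'GET',
        'header'  => "User-Agent: hibp-range-example\r\nAdd-Padding: true\r\n",
        'timeout' => 5,
    ]]);
    $body = @file_get_contents('https://api.pwnedpasswords.com/range/' . $prefix, false, $ctx);
    return $body === false ? null : $body;
}

// Offline demo with a constructed response body (not real API output; the counts
// are made up). SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8.
$constructed_body = "0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n"
                  . "1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456\r\n"
                  . "2A3D3F2F9C8A3D5F8F2E5C6B7A8D9E0F1A2:2\r\n";
$fake_fetch = function (string $prefix) use ($constructed_body): ?string {
    return $prefix === '5BAA6' ? $constructed_body : null;  // any other prefix: "API unreachable"
};

$hit = hibp_check_password('password', $fake_fetch);
echo 'administrator login: ', hibp_decide($hit, true, false), "\n";   // block
echo 'subscriber login:    ', hibp_decide($hit, false, false), "\n";  // warn
echo 'subscriber reset:    ', hibp_decide($hit, false, true), "\n";   // block
$down = hibp_check_password('correct horse battery staple', $fake_fetch);
echo 'API unreachable:     ', $down['status'], ' -> ', hibp_decide($down, true, false), "\n";
```

The prefix is the only value that appears in the outgoing request, and the matching loop runs over whatever the service returns, so neither the service nor anyone watching the request can tell which suffix the server was interested in. Keeping 'unknown' distinct from 'ok' is what lets the caller implement the description's "as long as the plugin is able to contact the API" behaviour deliberately instead of by accident.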

Reviews

11 October 2021
This seems to work very well, at least no issues – immediate or long term. A client user was very surprised that "WordPress" could know their password was "pwned", but thankful for the reminder. Beware that if you deactivate this plugin, users have to reset their passwords. So just keep it – for the enhanced security through a modern and relatively simple plugin. Should be added to core, IMO.
Read all 2 ratings

Contributors & Developers

"Passwords Evolved" is open source software. The following people have contributed to this plugin.

Contributors

"Passwords Evolved" has been translated into 4 locales. Thank you to the translators for their contributions.

Translate "Passwords Evolved" into your language.

Interested in development?

Browse the code, check out the SVN repository, or subscribe to the development log by RSS.

Changelog

1.4.0

Released: 2025-03-22

  • Only define wp_generate_password for WordPress 6.8 or higher [carlalexander]
  • Add support for wp_hash_password_algorithm hook in WordPress 6.8 [carlalexander]

1.3.4

Released: 2024-11-27

  • Update wp_set_password function to match current WordPress version [carlalexander]

1.3.3

Released: 2022-09-25

  • Use different capabilities for admin pages so that they work when the plugins directory isn't writeable [carlalexander]

1.3.2

Released: 2022-04-19

  • Add missing echo on settings_saved [cornelraiu-1]

1.3.1

Released: 2022-04-09

  • Add es_MX and es_CR translations [riper81]

1.3.0

Released: 2021-03-21

  • Remove call to API on every request [carlalexander]
  • Add informal (default) and formal German translations [carstenbach]

1.2.0

Released: 2020-01-03

  • Fixed fatal error when installed as a mu-plugin [carlalexander]
  • Added support for libsodium [carlalexander]

1.1.4

Released: 2019-05-07

  • Bump minimum PHP version to 5.6 [carlalexander]

1.1.3

Released: 2018-04-29

  • Fixed missing settings_saved string in English translation [carlalexander]
  • Added missing echo when translating settings_saved string [carlalexander]

1.1.2

Released: 2018-03-21

  • Added Brazilian Portuguese translation [celsobessa]
  • Reworked how the plugin handles its default translation [carlalexander]

1.1.1

Released: 2018-03-06

Improved how the API client and password generator handle the API being offline.

1.1.0

Released: 2018-03-01

Reworked the plugin to use the new version of the HIBP API (Have I been pwned? API), which supports k-anonymity. This allows the plugin to be used in production now.

1.0.0

Released: 2017-08-24

Initial release