The All-In-One Security Plugin for WordPress stored user passwords in a plain text database that was also accessible to administrators.
Why convert passwords to salted hashes and only use them in secure databases when you can also write down credentials as text? There are many good reasons, but none of them could convince All-In-One Security (AIOS). This is a security plugin for WordPress that is installed on more than a million websites.
Plain text
AIOS lets a website allow users to log in, so the plugin has to handle those users' passwords. The developers found no better way than storing these passwords in plain text in a database. Administrators of the site running the plugin have access to this database.
An administrator, or an attacker who can obtain an administrator’s credentials, gains access to those passwords. AIOS argues that the bug is not such a disaster as only high-privilege administrators have access to the database. This is irrelevant, because decades of bugs and hacks have shown that attackers regularly gain access to systems. Periodically, databases of passwords are stolen.
Salted hash
Normally this is not a hard problem. Password storage is not a complex issue whose proper solution is still being debated. The correct way to save a password is not to save it. When you enter your password, it is converted to a hexadecimal code using a cryptographic hash algorithm. This algorithm only works one way: turning the password into the code is easy, recovering the password from the code is almost impossible.
Almost impossible, but not entirely impossible: to be on the safe side, the hash is salted. A salted hash includes some additional random information that makes password cracking even more difficult. When you log into a website, your password is immediately run through the algorithm and the result is compared to the hash in the database. For security reasons, your password itself is never stored. A stolen database of salted hashes is then virtually worthless to hackers. Only passwords that are too short can possibly still be recovered.
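The scheme described above, as an added example that is not part of the article or of the AIOS plugin: each password gets a fresh random salt, only the salt and the one-way digest are stored, and a login attempt is checked by recomputing the digest. The record format, function names and iteration count are this example's own choices.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumed work factor for PBKDF2-HMAC-SHA256; raise it as hardware gets faster.
ITERATIONS = 600_000
ALGO = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.

    The plaintext password never becomes part of the record; only the salt
    and the one-way digest are kept, so a stolen table does not reveal it.
    """
    if salt is None:
        salt = secrets.token_bytes(16)  # fresh random salt per stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        iterations = int(iters)
    except ValueError:
        return False  # malformed record: reject rather than crash
    if algo != ALGO:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # compare_digest avoids leaking where the digests first differ via timing
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample: two users happen to pick the same password.
    rec_a = hash_password("correct horse battery")
    rec_b = hash_password("correct horse battery")
    print(rec_a)
    print("same password, different records:", rec_a != rec_b)
    print("login ok:", verify_password("correct horse battery", rec_a))
    print("wrong password:", verify_password("hunter2", rec_a))
```

Because every record carries its own salt, two users with the same password get different digests, so an attacker cannot crack the whole table with one precomputed lookup.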
Best practices are not followed
AIOS did not get this memo. Saving passwords unencrypted and readable is a painful faux pas, and actually not a mistake but a grotesque oversight. AIOS has since released an update to its plugin that makes the passwords in the accessible database unreadable.
The question is to what extent AIOS is now up to date with current security knowledge. The company does offer a few tips, and it rightly recommends keeping the AIOS plugin up to date and enabling 2FA for WordPress and other accounts. However, we also read the tip to change your password regularly. That is a completely outdated practice, which research has shown leads to poorer passwords and less secure accounts.
It is of course a good idea to change your password after a potential security breach, for example if you have entrusted it to AIOS, which will then record it in a database.