The All-In-One Security (AIOS) WordPress security plugin, used by over a million WordPress sites, was found to be storing plaintext passwords from user login attempts in the site’s database. This put account security at risk, as anyone with access to the database could easily obtain the passwords.
AIOS is an all-in-one solution developed by Updraft, offering web application firewall, content protection, and login security tools for WordPress sites. The plugin promises to stop bots and prevent brute force attacks.
The issue was first reported by a user three weeks ago. The user found that the AIOS v5.1.9 plugin was not only recording user login attempts in the aiowps_audit_log database table but also storing the submitted password alongside each entry. This meant that anyone with access to the database could see the plaintext passwords of all users who had attempted to log in to the site.
The AIOS vendor released version 5.2.0 on July 11, which includes a fix to prevent saving plaintext passwords and clears out old entries. However, the update has not been universally well-received. Some users have reported that the update has caused problems with their sites, and others have said that it has not removed all of the old password entries from the database.
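The audit-logging mistake described above, and the clean-up of old rows that the fix has to perform, as an added illustration in WordPress PHP (this is not AIOS's own code; the login_audit table and its columns are hypothetical):

```php
<?php
// Added illustration, not code from AIOS/Updraft: a minimal WordPress
// login-attempt audit logger, shown with the flawed pattern next to the
// corrected one. The table 'login_audit' and its columns are hypothetical.

// Flawed: the whole request body is serialised into the audit row, so the
// password field submitted with the login form ($_POST['pwd']) is stored
// in plaintext in the database.
function login_audit_record_unsafe( $username ) {
    global $wpdb;
    $wpdb->insert( $wpdb->prefix . 'login_audit', array(
        'event'      => 'failed_login',
        'username'   => $username,
        'details'    => wp_json_encode( $_POST ), // includes the password
        'created_at' => current_time( 'mysql', true ),
    ) );
}

// Corrected: only an explicit allowlist of non-secret fields is persisted;
// the credential never reaches the insert call at all.
function login_audit_record( $username ) {
    global $wpdb;
    $ip = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '';
    $wpdb->insert(
        $wpdb->prefix . 'login_audit',
        array(
            'event'      => 'failed_login',
            'username'   => sanitize_user( $username ),
            'ip'         => $ip,
            'created_at' => current_time( 'mysql', true ),
        ),
        array( '%s', '%s', '%s', '%s' )
    );
}
add_action( 'wp_login_failed', 'login_audit_record' );

// Remediation for rows written by the flawed version: blank the column that
// carried the request body, then count what is left so the operator can
// confirm the purge covered every row (a return value of zero means no row
// still holds request data).
function login_audit_purge_details() {
    global $wpdb;
    $table = $wpdb->prefix . 'login_audit';
    $wpdb->query( "UPDATE {$table} SET details = '' WHERE details <> ''" );
    return (int) $wpdb->get_var( "SELECT COUNT(*) FROM {$table} WHERE details <> ''" );
}
```

A non-zero count after the purge means rows still hold request data and the table needs a second look, which is the kind of check the users who found leftover entries after updating would have wanted.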
Users of the AIOS plugin are advised to update to version 5.2.0 as soon as possible. They should also change their passwords and enable two-factor authentication (2FA) for their accounts. 2FA adds an extra layer of security by requiring users to enter a code from their phone in addition to their password when logging in.
This incident highlights the importance of using secure passwords and enabling 2FA for all online accounts. It also shows the importance of keeping WordPress plugins up to date. Plugins are often the target of attacks, so it is important to install security updates as soon as they are released.