Yesterday our clients received an email notifying them that their passwords had been replaced with stronger ones. Right after this, we set our system to automatically send each client their new password in a plain-text email.
Some concern arose among a few clients as to the Why and How of this procedure, and we’d like to clear this up.
First and most important: at no time was there any security breach of our system.
Why: We reset the passwords on user accounts as a preventive action to ensure that all WPML accounts remain secure. The main purpose and underlying principle of this action was to make sure everyone has a good, new, strong password; we consider this an important step in online security.
How: It’s true that WordPress itself has changed the way it handles new passwords for accounts: it no longer sends the password in plain text but instead sends a ‘reset link’. The best practice, once the password has been sent, is to log in and reset the password to a new strong one of your own. We will definitely revise the way this is done in the future.
We’d like to once again assure you that not a single account was compromised during this process, and that we do not store passwords in plain text in our database, as we follow WordPress standards. We apologise for any inconvenience caused.
As always at WPML we are committed to learning from our clients.
Thank you for letting us know about your concerns with this enforced secure password change. We will use your feedback to help us deliver an improved experience.
Read more here: Password Update Email from WPML