{"id":98301,"date":"2019-02-19T14:43:07","date_gmt":"2019-02-19T14:43:07","guid":{"rendered":"https:\/\/wordpress.org\/plugins\/disallow-pwned-passwords\/"},"modified":"2019-02-19T17:41:37","modified_gmt":"2019-02-19T17:41:37","slug":"disallow-pwned-passwords","status":"publish","type":"plugin","link":"https:\/\/ar.wordpress.org\/plugins\/disallow-pwned-passwords\/","author":16861673,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_crdt_document":"","version":"0.3.2","stable_tag":"0.3.2","tested":"5.0.25","requires":"4.9.8","requires_php":"7.0","requires_plugins":"","header_name":"Disallow Pwned Passwords","header_author":"Itineris Limited","header_description":"Disallow WordPress and WooCommerce users using pwned passwords.","assets_banners_color":"","last_updated":"2019-02-19 17:41:37","external_support_url":"","external_repository_url":"","donate_link":"","header_plugin_uri":"https:\/\/github.com\/ItinerisLtd\/disallow-pwned-passwords","header_author_uri":"https:\/\/itineris.co.uk","rating":5,"author_block_rating":0,"active_installs":10,"downloads":1896,"num_ratings":2,"support_threads":0,"support_threads_resolved":0,"author_block_count":0,"sections":["faq","changelog","description"],"tags":[],"upgrade_notice":[],"ratings":{"1":0,"2":0,"3":0,"4":0,"5":"2"},"assets_icons":[],"assets_banners":[],"assets_blueprints":{},"all_blocks":[],"tagged_versions":["0.3.0","0.3.1","0.3.2"],"block_files":[],"assets_screenshots":{"screenshot-1.png":{"filename":"screenshot-1.png","revision":"2034854","resolution":"1","location":"assets"},"screenshot-2.png":{"filename":"screenshot-2.png","revision":"2034233","resolution":"2","location":"assets"}},"screenshots":{"1":"WordPress","2":"WooCommerce"},"jetpack_post_was_ever_published":false},"plugin_section":[],"plugin_tags":[710,168146,168147,1930,600],"plugin_category":[38,54],"plugin_contributors":[168148,78961],"plugin_business_model":[],"class_list":["post-98301","plugin","type-plugin","status-publish","hentr
y","plugin_tags-authentication","plugin_tags-have-i-been-pwned","plugin_tags-hibp","plugin_tags-password","plugin_tags-security","plugin_category-authentication","plugin_category-security-and-spam-protection","plugin_contributors-itinerisltd","plugin_contributors-tangrufus","plugin_committers-itinerisltd","plugin_committers-tangrufus"],"banners":[],"icons":{"svg":false,"icon":"https:\/\/s.w.org\/plugins\/geopattern-icon\/disallow-pwned-passwords.svg","icon_2x":false,"generated":true},"screenshots":[{"src":"https:\/\/ps.w.org\/disallow-pwned-passwords\/assets\/screenshot-1.png?rev=2034854","caption":"WordPress"},{"src":"https:\/\/ps.w.org\/disallow-pwned-passwords\/assets\/screenshot-2.png?rev=2034233","caption":"WooCommerce"}],"raw_content":"<!--section=faq-->\n<dl>\n<dt>What are the minimum requirements?<\/dt>\n<dd><ul>\n<li>PHP v7.0<\/li>\n<li>WordPress v4.9.8<\/li>\n<li><strong>(Optional)<\/strong> WooCommerce v3.4.4<\/li>\n<\/ul><\/dd>\n<dt>Did you just send all the passwords to someone else?<\/dt>\n<dd><p>No. <strong>User passwords never leave your server, not even in hashed form<\/strong>.<\/p><\/dd>\n<dt>How do you compare user passwords with the 6,493,641,194 pwned ones?<\/dt>\n<dd><p>Curious users can learn more from:<\/p>\n\n<ul>\n<li><a href=\"https:\/\/www.troyhunt.com\/ive-just-launched-pwned-passwords-version-2\/#cloudflareprivacyandkanonymity\">I've Just Launched \"Pwned Passwords\" V2 With Half a Billion Passwords for Download<\/a><\/li>\n<li><a href=\"https:\/\/blog.cloudflare.com\/validating-leaked-passwords-with-k-anonymity\/\">Validating Leaked Passwords with k-Anonymity<\/a><\/li>\n<\/ul>\n\n<p>Paranoid users should check the <a href=\"https:\/\/github.com\/ItinerisLtd\/disallow-pwned-passwords\/tree\/master\/src\">plugin implementation<\/a>.<\/p><\/dd>\n<dt>What to do if I don't trust haveibeenpwned.com?<\/dt>\n<dd><p><a href=\"https:\/\/www.troyhunt.com\">Troy Hunt<\/a> is a well-known security expert. 
You should trust him more than me (the plugin author).\nAnyways, you can replace the default API client with yours:<\/p>\n\n<pre><code>&lt;?php\n\nuse Itineris\\DisallowPwnedPasswords\\HaveIBeenPwned\\ClientInterface;\nuse League\\Container\\Container;\n\nclass YourCustomClient implements ClientInterface\n{\n    \/\/ Your implementation.\n}\n\nadd_action('i_dpp_register', function (Container $container): void {\n    $container-&gt;add(ClientInterface::class, YourCustomClient::class);\n});\n<\/code><\/pre>\n\n<p>This plugin uses <a href=\"https:\/\/packagist.org\/packages\/league\/container\">league\/container<\/a>. Learn more from <a href=\"http:\/\/container.thephpleague.com\/3.x\/\">its documents<\/a>.<\/p><\/dd>\n<dt>What to do if I don't trust the plugin author?<\/dt>\n<dd><p>Good question! You shouldn't blindly trust any random security guide\/plugin from the scary internet - including this one!<\/p>\n\n<p>Review the <a href=\"https:\/\/github.com\/ItinerisLtd\/disallow-pwned-passwords\/tree\/master\/src\">plugin implementation<\/a>.<\/p><\/dd>\n<dt>I have installed this plugin. Does it mean my WordPress site is *unhackable*?<\/dt>\n<dd><p>No website is <em>unhackable<\/em>.<\/p>\n\n<p>To have a secure WordPress site, you have to keep all these up-to-date:<\/p>\n\n<ul>\n<li>WordPress core<\/li>\n<li>PHP<\/li>\n<li>this plugin<\/li>\n<li>all other WordPress themes and plugins<\/li>\n<li>everything on the server<\/li>\n<li>other security practices<\/li>\n<li>your mindset<\/li>\n<\/ul>\n\n<p>Strongly recommended:<\/p>\n\n<ul>\n<li><a href=\"https:\/\/github.com\/TypistTech\/wp-password-argon-two\">WP Password Argon Two<\/a> - Securely store WordPress user passwords in database with Argon2i hashing and SHA-512 HMAC using PHP's native functions<\/li>\n<li><a href=\"https:\/\/wordpress.org\/plugins\/wp-cloudflare-guard\/\">WP Cloudflare Guard<\/a> - Connecting WordPress with Cloudflare firewall, protect your WordPress site at DNS level. 
Automatically create firewall rules to block dangerous IPs<\/li>\n<li><a href=\"https:\/\/wordpress.org\/plugins\/two-factor\/\">Two-Factor<\/a><\/li>\n<li><a href=\"https:\/\/github.com\/roots\/wp-password-bcrypt\">wp-password-bcrypt<\/a><\/li>\n<\/ul><\/dd>\n<dt>Can strong passwords be pwned?<\/dt>\n<dd><p>Yes. Example:<\/p>\n\n<ul>\n<li><a href=\"https:\/\/www.xkcd.com\/936\/\"><code>correct horse battery staple<\/code><\/a><\/li>\n<\/ul><\/dd>\n<dt>How to disable WooCommerce password strength meter?<\/dt>\n<dd><p>For testing only, use at your own risk!<\/p>\n\n<pre><code>add_action('wp_print_scripts', function () {\n    wp_dequeue_script('wc-password-strength-meter');\n}, 10000);\n<\/code><\/pre><\/dd>\n<dt>Will you add support for older PHP versions?<\/dt>\n<dd><p>Never! This plugin will only work on <a href=\"https:\/\/secure.php.net\/supported-versions.php\">actively supported PHP versions<\/a>.<\/p>\n\n<p>Don't use it on <strong>end of life<\/strong> or <strong>security fixes only<\/strong> PHP versions.<\/p>\n\n<p>Note: The current version supports PHP 7.0 because the wordpress.org svn pre-commit hook rejects PHP 7.1+ syntax. However, you should not use PHP 7.0 because <a href=\"https:\/\/secure.php.net\/eol.php\">it reached <strong>end of life<\/strong> on 10 January 2019<\/a>.<\/p><\/dd>\n<dt>It looks awesome. 
Where can I find some more goodies like this?<\/dt>\n<dd><ul>\n<li>Articles on <a href=\"https:\/\/www.itineris.co.uk\/blog\/\">Itineris' blog<\/a><\/li>\n<li>More projects on <a href=\"https:\/\/github.com\/itinerisltd\">Itineris' GitHub profile<\/a><\/li>\n<li>More plugins on <a href=\"https:\/\/profiles.wordpress.org\/itinerisltd\/#content-plugins\">Itineris<\/a> and <a href=\"https:\/\/profiles.wordpress.org\/tangrufus\/#content-plugins\">TangRufus<\/a> wp.org profiles<\/li>\n<li>Follow <a href=\"https:\/\/twitter.com\/itineris_ltd\">@itineris_ltd<\/a> and <a href=\"https:\/\/twitter.com\/tangrufus\">@TangRufus<\/a> on Twitter<\/li>\n<li>Hire <a href=\"https:\/\/www.itineris.co.uk\/services\/\">Itineris<\/a> to build your next awesome site<\/li>\n<\/ul><\/dd>\n<dt>Besides wp.org, where can I give a \u2605\u2605\u2605\u2605\u2605 review?<\/dt>\n<dd><p>Thanks! Glad you like it. It's important to let my boss know somebody is using this project. Please consider:<\/p>\n\n<ul>\n<li>give \u2605\u2605\u2605\u2605\u2605 reviews on <a href=\"https:\/\/wordpress.org\/support\/plugin\/disallow-pwned-passwords\/reviews\/#new-post\">wp.org<\/a><\/li>\n<li>tweet something good mentioning <a href=\"https:\/\/twitter.com\/itineris_ltd\">@itineris_ltd<\/a> and <a href=\"https:\/\/twitter.com\/tangrufus\">@TangRufus<\/a><\/li>\n<li>\u2605 star this <a href=\"https:\/\/github.com\/ItinerisLtd\/disallow-pwned-passwords\">GitHub repo<\/a><\/li>\n<li>watch this <a href=\"https:\/\/github.com\/ItinerisLtd\/disallow-pwned-passwords\">GitHub repo<\/a><\/li>\n<li>write blog posts<\/li>\n<li>submit pull requests<\/li>\n<li><a href=\"https:\/\/www.itineris.co.uk\/services\/\">hire Itineris<\/a><\/li>\n<\/ul><\/dd>\n<dt>Where to report security related issues?<\/dt>\n<dd><p>If you discover any security related issues, please email <a 
href=\"mailto:&#x68;&#101;&#x6c;&#x6c;&#111;&#x40;&#105;&#x74;&#x69;&#110;&#x65;&#114;&#x69;&#x73;&#046;&#x63;&#111;&#x2e;&#x75;&#107;\">hello@itineris.co.uk<\/a> instead of using the issue tracker.<\/p><\/dd>\n\n<\/dl>\n\n<!--section=changelog-->\n<p>Please see <a href=\"https:\/\/github.com\/ItinerisLtd\/disallow-pwned-passwords\/blob\/master\/CHANGELOG.md\">CHANGELOG<\/a> for more information on what has changed recently.<\/p>\n\n<!--section=description-->\n<p>Disallow WordPress and WooCommerce users using pwned passwords.<\/p>\n\n<h3>Goal<\/h3>\n\n<p>Spoiler Alert: <strong>User passwords never leave your server, not even in hashed form<\/strong>.<\/p>\n\n<p>Although reusing passwords is solely the users' fault, when attackers brute-force users' passwords and steal all their personal information or spend users' hard-earned money through your site, <strong>those lazy users blame you<\/strong>, the site owner\/developer.<\/p>\n\n<blockquote>\n  <p>When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised. 
For example,...<\/p>\n  \n  <ul>\n  <li>Passwords obtained from previous breach corpuses<\/li>\n  <\/ul>\n  \n  <p>-- <a href=\"https:\/\/pages.nist.gov\/800-63-3\/sp800-63b.html\">NIST Digital Identity Guidelines<\/a><\/p>\n<\/blockquote>\n\n<p>This plugin's sole purpose is to <strong>disallow WordPress and WooCommerce users reusing passwords listed in the <a href=\"https:\/\/haveibeenpwned.com\/\">Have I Been Pwned<\/a> database<\/strong>.<\/p>\n\n<h3>Usage<\/h3>\n\n<p>Activate and forget.<\/p>\n\n<p>This plugin intercepts when:<\/p>\n\n<ul>\n<li>creating new users on <code>\/wp-admin\/user-new.php<\/code><\/li>\n<li>changing other users' passwords on <code>\/wp-admin\/user-edit.php<\/code><\/li>\n<li>changing your password on <code>\/wp-admin\/profile.php<\/code><\/li>\n<li>new user registration on <code>\/wp-login.php?action=rp<\/code><\/li>\n<\/ul>\n\n<p>Additional interceptions if WooCommerce is installed:<\/p>\n\n<ul>\n<li><a href=\"https:\/\/github.com\/woocommerce\/woocommerce\/blob\/master\/includes\/class-wc-form-handler.php\"><code>WC_Form_Handler::process_reset_password<\/code><\/a> on Home \u00bb My account \u00bb Lost password<\/li>\n<li><a href=\"https:\/\/github.com\/woocommerce\/woocommerce\/blob\/master\/includes\/class-wc-form-handler.php\"><code>WC_Form_Handler::save_account_details<\/code><\/a> on Home \u00bb My account \u00bb Account details<\/li>\n<li><a href=\"https:\/\/github.com\/woocommerce\/woocommerce\/blob\/master\/includes\/class-wc-form-handler.php\"><code>WC_Form_Handler::process_registration<\/code><\/a> on Home \u00bb My account<\/li>\n<li><a href=\"https:\/\/github.com\/woocommerce\/woocommerce\/blob\/master\/includes\/class-wc-checkout.php\"><code>WC_Checkout::validate_checkout<\/code><\/a> on Home \u00bb Checkout<\/li>\n<\/ul>\n\n<h3>Explain It Like I'm Five<\/h3>\n\n<ul>\n<li><a href=\"https:\/\/www.troyhunt.com\">Troy Hunt<\/a>, a well-known security expert, collected 6,493,641,194 (and counting) pwned passwords from previous 
security breaches<\/li>\n<li>Pwned passwords are stored as SHA-1 hashes on haveibeenpwned.com<\/li>\n<li>Whenever WordPress \/ WooCommerce users attempt to change their passwords, this plugin hashes the user password<\/li>\n<li>Take the first 5 characters from the hash<\/li>\n<li>Ask haveibeenpwned.com for all pwned passwords with the same first 5 hash characters<\/li>\n<li>Check how many times the user password appears in the Have I Been Pwned database<\/li>\n<li>Disallow the password change if it has been pwned<\/li>\n<\/ul>\n\n<p>Users older than five can learn more from:<\/p>\n\n<ul>\n<li><a href=\"https:\/\/haveibeenpwned.com\/FAQs\">Have I Been Pwned's FAQs<\/a><\/li>\n<li><a href=\"https:\/\/www.troyhunt.com\/introducing-306-million-freely-downloadable-pwned-passwords\/\">Why SHA-1 was chosen in the Pwned Passwords<\/a><\/li>\n<li><a href=\"https:\/\/www.troyhunt.com\/ive-just-launched-pwned-passwords-version-2\/#cloudflareprivacyandkanonymity\">I've [Troy Hunt] Just Launched \"Pwned Passwords\" V2 With Half a Billion Passwords for Download<\/a><\/li>\n<li><a href=\"https:\/\/blog.cloudflare.com\/validating-leaked-passwords-with-k-anonymity\/\">Validating Leaked Passwords with k-Anonymity<\/a><\/li>\n<\/ul>\n\n<h3>For Developers<\/h3>\n\n<p>Fork the plugin on <a href=\"https:\/\/github.com\/ItinerisLtd\/disallow-pwned-passwords\">GitHub<\/a>.<\/p>","raw_excerpt":"Disallow WordPress and WooCommerce users using pwned 
passwords.","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ar.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/98301","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ar.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/ar.wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"replies":[{"embeddable":true,"href":"https:\/\/ar.wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=98301"}],"author":[{"embeddable":true,"href":"https:\/\/ar.wordpress.org\/plugins\/wp-json\/wporg\/v1\/users\/itinerisltd"}],"wp:attachment":[{"href":"https:\/\/ar.wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=98301"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/ar.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=98301"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/ar.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=98301"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/ar.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_category?post=98301"},{"taxonomy":"plugin_contributors","embeddable":true,"href":"https:\/\/ar.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_contributors?post=98301"},{"taxonomy":"plugin_business_model","embeddable":true,"href":"https:\/\/ar.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_business_model?post=98301"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}