Yesterday our clients received an email notifying them that their passwords had been replaced with stronger ones. Right after this, our system automatically sent each client their new password in a plain-text email.

Some concern arose among a few clients as to the Why and How of this procedure, and we’d like to clear this up.

First and most important: at no time was there any security breach of our system.

Why: We reset the passwords on user accounts as a preventive action to ensure that all WPML accounts remain secure. The main purpose and underlying principle of this action was making sure everyone has a good, new, strong password; we consider this an important step in online security.

How: It’s true that WordPress itself has changed the way it creates new passwords for accounts – this is no longer done by sending the password in plain text but rather in the form of a ‘reset link’. The best practice, once the password is sent, is to log in and reset the password to a new strong one. We will definitely revise the way this is done in the future.

We’d like to once again assure you that not a single account was compromised during this process, and that we do not store passwords in plain text in our database, as we follow WordPress standards. We apologise for any inconvenience caused.
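To show concretely what the reset-link approach described above looks like next to hashed password storage, here is an added example; it is not WPML’s or WordPress’s own code. It assumes in-memory dictionaries standing in for the user and token tables, a hypothetical reset URL, and a constructed one-hour token lifetime and minimum-length policy. The email contains only a random token; the server keeps a hash of that token, so a database leak does not yield usable links, and the token is single-use and expiring.

```python
"""Password reset via a one-time link instead of emailing a plain-text password.

Added example, not WPML's or WordPress's code. The stores, URL, lifetime
and password policy below are constructed assumptions for illustration.
"""
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional, Tuple

TOKEN_TTL_SECONDS = 60 * 60   # constructed: reset links expire after one hour
MIN_PASSWORD_LENGTH = 12      # constructed policy for the example
# Constructed denylist: a server-side check stops users setting trivial passwords again.
DENYLIST = {"password", "password12345", "123456789012"}

# Constructed in-memory stores standing in for the database.
USERS = {}         # username -> {"salt": bytes, "hash": bytes, "email": str}
RESET_TOKENS = {}  # sha256(token) hex -> {"user": str, "expires": float, "used": bool}


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, PBKDF2 digest). The plain password itself is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def create_user(username: str, email: str, password: str) -> None:
    salt, digest = hash_password(password)
    USERS[username] = {"salt": salt, "hash": digest, "email": email}


def verify_password(username: str, password: str) -> bool:
    user = USERS.get(username)
    if user is None:
        return False
    _, digest = hash_password(password, user["salt"])
    return hmac.compare_digest(digest, user["hash"])   # constant-time comparison


def password_is_acceptable(password: str) -> bool:
    """Minimal server-side policy applied when a reset sets the new password."""
    return len(password) >= MIN_PASSWORD_LENGTH and password.lower() not in DENYLIST


def issue_reset_link(username: str, now: Optional[float] = None) -> Optional[str]:
    """Mint a one-time token; only its hash is stored. The caller emails the link."""
    if username not in USERS:
        return None   # caller should answer identically either way to avoid user enumeration
    now = now if now is not None else time.time()
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[key] = {"user": username, "expires": now + TOKEN_TTL_SECONDS, "used": False}
    return f"https://example.invalid/account/reset?token={token}"   # hypothetical URL


def redeem_reset_link(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Accept the link once, before expiry, and only with a policy-compliant password."""
    now = now if now is not None else time.time()
    key = hashlib.sha256(token.encode()).hexdigest()
    record = RESET_TOKENS.get(key)
    if record is None or record["used"] or now > record["expires"]:
        return False
    if not password_is_acceptable(new_password):
        return False   # token stays valid so the user can try again with a stronger password
    record["used"] = True
    user = USERS[record["user"]]
    user["salt"], user["hash"] = hash_password(new_password)
    return True


if __name__ == "__main__":
    create_user("alice", "alice@example.invalid", "correct horse battery staple")
    link = issue_reset_link("alice")
    print("would email:", link)
    token = link.split("token=")[1]
    print("weak password accepted?", redeem_reset_link(token, "password12345"))
    print("strong password accepted?", redeem_reset_link(token, "a much longer new passphrase"))
    print("token reusable?", redeem_reset_link(token, "another long passphrase"))
```

The point of hashing the token before storage is the same as hashing the password: whatever ends up in the database should not be directly usable for login. Rejecting a weak password without consuming the token keeps the flow usable while still preventing the reset from ending in a trivial password.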

As always at WPML we are committed to learning from our clients.

Thank you for letting us know about your concerns with this enforced secure password change. We will use your feedback to help us deliver an improved experience.

27 Responses to “Password Update Email from WPML”

  1. Dimitri Grassi says:

    Hi,

I’m not able to log in to my account due to the automatic password update, as I don’t use the email account used for my WPML account. What can I do now?

    Thank you.

  2. Krystian says:

You changed passwords to $….r f4ncy ones, but you also tell clients that they should change their passwords again – and again they can change their passwords to simple, insecure ones… so what is the point of all this? There is no mechanism to check if the new password is strong enough…

    • Amit says:

      There are many online free services for generating strong passwords. You can use one of those if you think your email is compromised.

  3. Loic B says:

    Hi,

Thanks for putting this additional security step in place for the WPML plugin by enforcing the password change; I think it’s ultimately for the better! You never know what might happen in the future.

  4. bahij barhoumi says:

Hi, I’m very, very, very disappointed about this way of handling the password reset. FIRST, I have three accounts, and for one of the three accounts I didn’t get any information about the new password. The biggest problem is that whenever I try to reset my password, I can’t remember the email address, since I have many forwardings, to know which one is the right email used for the account with the missing password reset information.

Anyway, do you need the username for the account whose password I can’t reset?

  5. barhoumiB says:

Hi, can someone help me reset my other account, because I can’t seem to get an email from your system when I ask for it online….

    please help

  6. Leopold Rehn says:

    Hi,

Is there any email you can use for support with your account?
    I haven’t got an email with a password, and I can’t even enter “lost password”.

  7. florianK-11 says:

    Honestly, I think instead of sending passwords in plain text via email you could also post it here in your blog! This was utterly unprofessional; how are you going to guarantee that people will use this password only once and directly create a new one? And how are you going to make sure people will not use “password12345” again, if they actually create new one?

    Password reset links are a de facto standard for years now and you are already using them on your site (https://wpml.org/account/lost-my-password/) – please never ever send me a password via email again!

    • Amit says:

      Hi there,

      Again we are sorry for any inconvenience, but as we said – not one account was compromised by this.
      It is true that we could have dealt with it better – communicating to our clients in advance of the step that will be taken.

BTW, WordPress not sending a plain-text password was changed quite recently – in August 2015 (https://codex.wordpress.org/Version_4.3).

      Thanks!

  8. Nick says:

Yes, but now? I’m a lifetime user and I need a new pass… what should I do?

  9. Maurice Pels says:

    Hello,

    We tried to login to our account to purchase additional plugins but noticed that the password has been changed.
    I do not know which email ID is linked to our account (p….3).
    Please send me the details of the email ID so I can reset the password.

    Thanks,

    Maurice

  10. nicolasM-6 says:

OK, thanks! It worked!

  11. janfc says:

    Hi,
I am no longer using the email to which the reset password was sent. Please let me know how to solve this, as I cannot log in to my account for now.
    Thanks

  12. Mark Dolan says:

    Hi

I cannot access my account to register the product. My current password is blocked and I have not received the new password. I need to get this working.

    Can you please help

    Mark

  13. Amit says:

    Hi Mark,

    Please send our admin team the details through this form – https://wpml.org/home/contact-us/contact-form/

    Thanks!

  14. Stefan says:

    So, to put it into a nutshell:

    1. you decided that some of your customers may have insecure passwords

2. to make these accounts more secure, you’ve sent the new passwords of all of these accounts in plaintext via insecure email to the customers

    3. any user that logs in with the new “secure” password can easily change it back to their old, “unsecure” password

    4. before and while sending these emails, that very easily may have been considered as phishing emails by your users, you haven’t published any information about the whole process on your company blog, so your customers weren’t able to verify the source and authenticity of these emails

    5. after many users and blogs complained about the whole thing, you published this blog post stating that “As always at WPML we are committed to learning from our clients”, although the initial intention behind the whole thing seems to be that your clients should learn from you and set more secure passwords for their accounts.

Call me crazy, but I thought that a professional company – developing one of the most important commercial WordPress plugins – does not need to learn from its customers how to implement a basic level of security, trust and professionalism…

    • Amit says:

      Our admin team will contact you through email.

      Thanks!

    • Amir says:

      We appreciate your feedback and advice very much. If you need help with your account, password or access, please use our contact form. We received your feedback and we are happy to learn and improve.

  15. Riskonnect says:

We need to upgrade our WPML plugin to 3.2.7, but none of us know what our login credentials are (email or password), so I’m not able to reset the password.

    We are definitely running WPML plugin in our site; however, if I can’t get this resolved we may have to remove the plugin.

    Thoughts on this?