
This is the technical support forum for WPML - the multilingual WordPress plugin.

Everyone can read, but only WPML clients can post here. The WPML team replies on the forum 6 days per week, 22 hours per day.

This topic contains 8 replies, has 5 voices.

Last updated by Vincent 4 years, 3 months ago.

Assigned support staff: Denise.

September 8, 2015 at 2:23 pm #699832

Mark

I received an email today that is very suspicious and looks like a phishing attempt. The email suggests that all WPML client accounts are going to have auto-generated passwords sent and further instructions will come in a following email.

As I said, this seems like an obvious phishing attempt - no professional software developer would generate passwords and send them in cleartext email as suggested. So I am sure that the company behind WPML will not do this.

However when I look at the raw source of the email, I see no other "signatures" of common phishing attempts, which suggests this IS a legitimate email.

Please confirm that this is a phishing attempt and no passwords to my "secure" account will be sent by email.

September 8, 2015 at 2:43 pm #699856

arjunB

I received this message as well. It came to my mailbox via mcsv.net, and mcsv.net is in the SPF records for 'wpml.org' so it's probably legit.

wpml.org IN TXT "v=spf1 include:_spf.google.com include:spf.mandrillapp.com include:servers.mcsv.net ?all"

I agree with you about the doubtful attempt to increase security by sending passwords in email.
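The check arjunB describes, parsing the published SPF record to see whether the relay domain is authorised, as an added example that is not part of the thread or of WPML's own code. It takes the wpml.org record quoted above as a constructed input string and performs no DNS lookups, so `include:` targets are reported rather than expanded. One caveat worth noticing from the record itself: it ends in `?all` (neutral), so a sender that is not listed would not fail SPF either, which is why the DKIM result is the stronger signal here.

```python
"""Parse an SPF v1 TXT record and report what it says about a relay domain.

Added example, not code from the forum thread or from wpml.org. The record
string is the one quoted in the thread, copied here as a constructed input;
no DNS is queried, so included records are not expanded.
"""

# SPF record for wpml.org as quoted in the thread (constructed copy, not fetched live).
WPML_SPF = ("v=spf1 include:_spf.google.com include:spf.mandrillapp.com "
            "include:servers.mcsv.net ?all")

# SPF qualifier characters and the result they produce on a match.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Return (mechanisms, all_policy).

    mechanisms: list of (result_on_match, mechanism_name, value), in record order.
    all_policy: the result applied to senders matching nothing else, or None
                if the record has no 'all' term.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF v1 record")
    mechanisms = []
    all_policy = None
    for term in terms[1:]:
        # Modifiers (redirect=, exp=) carry '=' in their name; skip them here.
        if "=" in term.split(":", 1)[0]:
            continue
        qual = "+"  # default qualifier is pass
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            all_policy = QUALIFIERS[qual]
        else:
            mechanisms.append((QUALIFIERS[qual], name, value))
    return mechanisms, all_policy


def includes_domain(record, domain):
    """True if `domain` (or a subdomain of it) is a pass-qualified include: target."""
    mechanisms, _ = parse_spf(record)
    domain = domain.lower().rstrip(".")
    for result, name, value in mechanisms:
        if name == "include" and result == "pass":
            target = value.lower().rstrip(".")
            if target == domain or target.endswith("." + domain):
                return True
    return False


def spf_verdict(record, relay_domain):
    """One-line summary of what the record implies for mail relayed via relay_domain."""
    _, all_policy = parse_spf(record)
    if includes_domain(record, relay_domain):
        return (f"{relay_domain} is delegated via include:, so its servers can "
                f"produce an SPF 'pass'")
    return (f"{relay_domain} is not listed; unlisted senders receive "
            f"'{all_policy}' because of the trailing all term")


if __name__ == "__main__":
    print(spf_verdict(WPML_SPF, "mcsv.net"))
    print(spf_verdict(WPML_SPF, "example.net"))
```

SPF is evaluated against the envelope sender (Return-Path) and the connecting IP, not the visible From: header, so a matching include: only tells you the relay is authorised to send for the domain; it says nothing about whether the message body is what the sender intended.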

September 8, 2015 at 3:16 pm #699887

Frances

Sadly, no, they really did send your new password with login url and login name in plain text. Why didn't they just force a password reset next time a user logs in?

September 8, 2015 at 3:23 pm #699893

Mark

Note I have not received the follow-up email and my password has not changed. Yet.

I urge WPML to NOT go through with this. Quite frankly, it will force me to reconsider my use of the plugins, because I place a good deal of faith in the company to adhere to at least minimum security standards, which clearly they are unable to do if they choose to proceed with this scheme.

This is simply unacceptable in 2015. Also, if it is really as serious as *requiring* everyone to change their passwords whether or not there is a problem for all accounts, then I suspect that there has been a breach and I expect that WPML must be transparent about this and properly warn customers.

September 8, 2015 at 6:52 pm #700090

arjunB

Got my plaintext password: they sent it to a mailing list. Luckily, it was thrown into most people's spam folders because the message had two DKIM signatures and both failed.

X-DkimResult-Test: Failed

September 8, 2015 at 6:59 pm #700100

Mark

I got mine too - without even a single mention that anyone getting such a password should immediately log in to their account page and change their password to something new.

This is a shocking security lapse on the part of WPML. I see there was a response in another thread about this but that there has been no formal reply here as well is a problem.

September 8, 2015 at 7:55 pm #700143

Denise

Hello,

I apologise for any inconvenience that the email sent today from hello@wpml.org (subject: your account password change) caused. This email was automatically generated by our system and sent to clients with passwords that were deemed too simple. However, sending new passwords in plain text via email without requiring user action is not best practice. I urge you to change your WPML account password. https://wpml.org/account/account-settings/

You were right to be cautious of this sudden email. Although it was not a phishing attempt, it was not the best way to ensure a safe password. In the future we will be mindful of adhering to strict security standards. Please let me know if you have any further questions.

Regards,
Denise

September 8, 2015 at 7:59 pm #700146

Mark

Thank you for acknowledging the problem and responding in this thread. Personally, I did receive the new password and was immediately able to log in and change it to something more secure so all is well.

Thanks again.

September 9, 2015 at 7:25 am #700421

Vincent

Fail upon fail.

1. Resetting passwords out of the blue to make "accounts more secure" clearly indicates something is amiss. Please provide transparency.

2. Sending new passwords plain-text over email: WTF? How on earth is this secure?

3. Apologising for inconvenience: "This email was automatically generated by our system and sent to clients with passwords that were deemed too simple.": WTF^2? Are you, on top of all this, effectively admitting you have stored all passwords in plaintext? How else could you possibly distinguish weak from strong passwords?
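An added example, not code from the thread or from wpml.org, showing the alternative Frances suggests and answering Vincent's third question: a service only holds the plaintext password for the instant a user submits it, so weakness can be judged at login (or by trying a small blocklist against stored hashes), while the stored credential remains a salted PBKDF2 hash and the remediation is a forced reset on that login rather than an emailed password. The blocklist, usernames and passwords are constructed; a real deployment would use a large breached-password list.

```python
"""Detect weak passwords without plaintext storage, and force a reset instead of emailing one.

Added example, not code from the forum thread or from wpml.org. Hashing uses
PBKDF2-HMAC-SHA256 from the standard library; the blocklist and users are constructed.
"""
import hashlib
import hmac
import os
import secrets

# Constructed toy blocklist standing in for a real breached-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "wpml2015"}
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh 16-byte salt is generated when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def is_weak(password):
    """Policy check applied at the moment the plaintext is available."""
    if len(password) < 12 or password.lower() in COMMON_PASSWORDS:
        return True
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    return classes < 3


class UserStore:
    def __init__(self):
        self.users = {}  # username -> {"salt", "digest", "must_reset", "reset_token"?}

    def register(self, username, password):
        salt, digest = hash_password(password)
        self.users[username] = {"salt": salt, "digest": digest, "must_reset": False}

    def login(self, username, password):
        """Return 'denied', 'ok', or 'reset_required'.

        A weak password is detected here, while the plaintext is in hand, and the
        account is flagged; the user completes the reset in-session with a
        single-use token. No password is ever generated or sent by email.
        """
        rec = self.users.get(username)
        if rec is None or not verify_password(password, rec["salt"], rec["digest"]):
            return "denied"
        if is_weak(password):
            rec["must_reset"] = True
            rec["reset_token"] = secrets.token_urlsafe(32)
            return "reset_required"
        return "ok"

    def complete_reset(self, username, token, new_password):
        """Accept a new password only with a valid token and only if it meets policy."""
        rec = self.users[username]
        if not hmac.compare_digest(rec.get("reset_token", ""), token):
            return False
        if is_weak(new_password):
            return False
        rec["salt"], rec["digest"] = hash_password(new_password)
        rec["must_reset"] = False
        rec.pop("reset_token")  # single use
        return True


def audit_against_blocklist(store):
    """The other way to find weak passwords without plaintext: try the blocklist
    against each stored hash. Sorted usernames whose hash matches are returned."""
    hits = []
    for username, rec in store.users.items():
        if any(verify_password(word, rec["salt"], rec["digest"]) for word in COMMON_PASSWORDS):
            hits.append(username)
    return sorted(hits)


if __name__ == "__main__":
    store = UserStore()
    store.register("mark", "password")
    print(audit_against_blocklist(store))
    print(store.login("mark", "password"))
```

The offline audit is deliberately expensive with a slow hash and a large list, which is the point of using one; it is practical for a short blocklist, and it never requires the service to have kept plaintext.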