
This is the technical support forum for WPML - the multilingual WordPress plugin.


This topic contains 8 replies, has 5 voices.

Last updated by Vincent 5 years, 8 months ago.

Assigned support staff: Denise.

September 8, 2015 at 2:23 pm #699832


I received an email today that is very suspicious and looks like a phishing attempt. The email suggests that all WPML client accounts are going to have auto-generated passwords sent and further instructions will come in a following email.

As I said, this seems like an obvious phishing attempt - no professional software developer would generate passwords and send them in cleartext email as suggested. So I am sure that the company behind WPML will not do this.

However when I look at the raw source of the email, I see no other "signatures" of common phishing attempts, which suggests this IS a legitimate email.

Please confirm that this is a phishing attempt and no passwords to my "secure" account will be sent by email.

September 8, 2015 at 2:43 pm #699856


I received this message as well. It came to my mailbox via, and is in the SPF records for '' so it's probably legit. IN TXT "v=spf1 ?all"

I agree with you about the doubtful attempt to increase security by sending passwords in email.
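The SPF record quoted in the reply above ends in `?all`. The following Python evaluator is an added illustration and is not code from the thread or from WPML: it implements the `ip4`, `ip6` and `all` mechanisms with the RFC 7208 qualifier results, treats `include`/`a`/`mx` (which need DNS) as no-match, and evaluates constructed sample records, one of which has the same shape as the record quoted above. The point it makes is that a record consisting only of `?all` yields `neutral` for every sending address, so such a record cannot confirm or deny a sender.

```python
import ipaddress

# Constructed sample records; the thread's own record had its domain stripped.
SAMPLE_RECORDS = {
    "neutral.example": "v=spf1 ?all",  # same shape as the record quoted in the thread
    "strict.example": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "soft.example": "v=spf1 ip4:198.51.100.7 ~all",
}

# RFC 7208 section 4.6.2: qualifier prefix -> result when the mechanism matches
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, value) tuples."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF version-1 record")
    terms = []
    for term in parts[1:]:
        if "=" in term:
            continue  # modifiers (redirect=, exp=) are ignored in this simplified evaluator
        qualifier = "+"  # a mechanism without an explicit qualifier means "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, value = term.partition(":")
        terms.append((qualifier, mech.lower(), value))
    return terms


def evaluate_spf(record, sender_ip):
    """Return the SPF result for sender_ip under record (ip4/ip6/all only; DNS mechanisms never match here)."""
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mech, value in parse_spf(record):
        if mech == "all":
            return QUALIFIER_RESULT[qualifier]
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIER_RESULT[qualifier]
        # include:, a, mx, ptr, exists need DNS lookups; treated as no-match offline
    return "neutral"  # RFC 7208: no mechanism matched and no "all" present


def can_reject(record):
    """True if the record can ever produce fail/softfail; a "?all"-only record never can."""
    return any(q in ("-", "~") for q, _, _ in parse_spf(record))


if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        print(name, rec, "->", evaluate_spf(rec, "203.0.113.5"), "rejects anything:", can_reject(rec))
```

Run it and the `neutral.example` record reports `neutral` for an arbitrary address and `can_reject` returns `False`, whereas the `-all` record fails the same address; a receiving MTA treats `neutral` exactly like the absence of a record.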

September 8, 2015 at 3:16 pm #699887


Sadly, no, they really did send your new password with login url and login name in plain text. Why didn't they just force a password reset next time a user logs in?
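The alternative raised in this reply (force a password change at the next login instead of mailing a new password) as an added Python example; it is not WPML's code, and the in-memory store, function names and parameters are assumptions. Passwords are kept only as salted PBKDF2 hashes; a `must_reset` flag gates the next login; an account whose password is too short is flagged at the moment of login, the only time the plaintext is in hand; and an optional reset link carries a single-use, time-limited random token of which only the hash is stored, so nothing secret ever travels in email.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory stores (assumption: a real site would use its database)
ACCOUNTS = {}       # username -> {"salt", "iterations", "digest", "must_reset"}
RESET_TOKENS = {}   # sha256(token) -> (username, expiry_epoch)
TOKEN_TTL = 3600    # reset links expire after one hour
MIN_LENGTH = 12     # minimum accepted password length (policy choice)
ITERATIONS = 100_000  # PBKDF2 rounds, kept low for the demo; production should use more or Argon2


def _hash_password(password, salt=None, iterations=ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256; the plaintext is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def create_account(username, password):
    salt, it, digest = _hash_password(password)
    ACCOUNTS[username] = {"salt": salt, "iterations": it, "digest": digest, "must_reset": False}


def verify_password(username, password):
    acct = ACCOUNTS.get(username)
    if acct is None:
        return False
    _, _, digest = _hash_password(password, acct["salt"], acct["iterations"])
    return hmac.compare_digest(digest, acct["digest"])  # constant-time comparison


def login(username, password):
    """Authenticate; weak passwords are detected here, while the user is typing them, not from the hash."""
    if not verify_password(username, password):
        return "denied"
    acct = ACCOUNTS[username]
    if len(password) < MIN_LENGTH:
        acct["must_reset"] = True  # flag the account; no email, no generated password
    if acct["must_reset"]:
        return "password_change_required"
    return "ok"


def issue_reset_token(username, now=None):
    """Create a single-use reset token for a reset link; only its hash is kept server-side."""
    now = now if now is not None else time.time()
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = (username, now + TOKEN_TTL)
    return token


def redeem_reset_token(token, new_password, now=None):
    """Consume the token and set the user's chosen password; returns a status string."""
    now = now if now is not None else time.time()
    key = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.get(key)
    if entry is None:
        return "invalid_token"
    username, expiry = entry
    if now > expiry:
        RESET_TOKENS.pop(key)
        return "expired"
    if len(new_password) < MIN_LENGTH:
        return "password_too_short"  # token remains valid so the user can retry
    RESET_TOKENS.pop(key)  # single use
    salt, it, digest = _hash_password(new_password)
    ACCOUNTS[username].update(salt=salt, iterations=it, digest=digest, must_reset=False)
    return "ok"


if __name__ == "__main__":
    create_account("demo", "short1")
    print(login("demo", "short1"))  # password_change_required
    link_token = issue_reset_token("demo")
    print(redeem_reset_token(link_token, "a-much-longer-password"))  # ok
    print(login("demo", "a-much-longer-password"))  # ok
```

The reset email in this design carries only the link with the token; the password itself is chosen by the user over TLS and is never known to the operator after it has been hashed.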

September 8, 2015 at 3:23 pm #699893


Note I have not received the follow-up email and my password has not changed. Yet.

I urge WPML to NOT go through with this. Quite frankly, it will force me to reconsider my use of the plugins, because I place a good deal of faith in the company to adhere to at least minimum security standards, which clearly they are unable to do if they choose to proceed with this scheme.

This is simply unacceptable in 2015. Also, if it is really as serious as *requiring* everyone to change their passwords whether or not there is a problem for all accounts, then I suspect that there has been a breach and I expect that WPML must be transparent about this and properly warn customers.

September 8, 2015 at 6:52 pm #700090


Got my plaintext password: they sent it to a mailing list. Luckily, it was thrown into most people's spam folders because the message had two DKIM signatures and both failed.

X-DkimResult-Test: Failed

September 8, 2015 at 6:59 pm #700100


I got mine too - without even a single mention that anyone getting such a password should immediately log in to their account page and change their password to something new.

This is a shocking security lapse on the part of WPML. I see there was a response in another thread about this but that there has been no formal reply here as well is a problem.

September 8, 2015 at 7:55 pm #700143

I apologise for any inconvenience that the email sent today from (subject: your account password change) caused. This email was automatically generated by our system and sent to clients with passwords that were deemed too simple. However, sending new passwords in plain text via email without requiring user action is not best practice. I urge you to change your WPML account password.

You were right to be cautious of this sudden email. Although it was not a phishing attempt, it was not the best way to ensure a safe password. In the future we will be mindful of adhering to strict security standards. Please let me know if you have any further questions.


September 8, 2015 at 7:59 pm #700146


Thank you for acknowledging the problem and responding in this thread. Personally, I did receive the new password and was immediately able to log in and change it to something more secure so all is well.

Thanks again.

September 9, 2015 at 7:25 am #700421


Fail upon fail.

1. Resetting passwords out of the blue to make "accounts more secure" clearly indicates something is amiss. Please provide transparency.

2. Sending new passwords plain-text over email: WTF? How on earth is this secure?

3. Apologising for inconvenience: "This email was automatically generated by our system and sent to clients with passwords that were deemed too simple.": WTF^2? Are you, on top of all this, effectively admitting you have stored all passwords in plaintext? How else could you possibly distinguish weak from strong passwords?