Plugin info

Total downloads: 1,265
Active installs: 10
Total reviews: 0
Average rating: 0
Support threads opened: 0
Support threads resolved: 0 (0%)
Available in: 1 language(s)
Contributors: 2
Last updated: 5/11/2015 (3935 days ago)
Added to WordPress: 5/11/2015 (10 years old)
Minimum WordPress version: 4.2.2
Tested up to WordPress version: 4.2.39
Minimum PHP version: f

Maintenance & Compatibility

Maintenance score

Possibly abandoned • Last updated 3935 days ago

20/100

Is Password Confirm Action abandoned?

Possibly abandoned (last update 3935 days ago).

Compatibility

Requires WordPress: 4.2.2
Tested up to: 4.2.39
Requires PHP: f

Similar & Alternatives

Explore plugins with similar tags, and compare key metrics like downloads, ratings, updates, support, and WP/PHP compatibility.

No similar plugins found yet.

Description

Context

Please see Trac Ticket 20140.

XSS attacks and ‘lunch time raid’ attacks (an unattended, still logged-in browser), among others, can allow an attacker to ‘steal’ a log-in session and act as an authenticated user without knowing that user’s password.
The aim of this plugin is to prevent such an attacker from turning a temporary hijacked session into permanent access to the site. They may attempt to do this by doing one or more of the following:

  • Setting the password of the hijacked user to one of their choosing
  • Changing the e-mail of the hijacked user
  • Creating a new user
  • Changing the role of their account to escalate privileges

The plugin prevents the attacker from doing any of these by prompting for the logged-in user’s password before the action is carried out; a session hijacker who does not know that password cannot complete the change.
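The following is an added illustration of that mechanism, written for this page and not taken from the plugin’s own source. It hooks the WordPress core `user_profile_update_errors` action (fired by `edit_user()` for the Profile, Edit User and Add New User admin forms) and refuses to save when the submission would change a password, e-mail address or role, or create a user, unless the acting user’s current password is supplied and verified with `wp_check_password()`. The field name `pca_confirm_password` and the `pca_example_` function prefix are assumptions made for the example.

```php
<?php
/**
 * Added example (not the plugin's own code): require the acting user's
 * current password before a sensitive user-profile change is saved.
 * Hook names are WordPress core hooks; "pca_confirm_password" and the
 * pca_example_ prefix are assumptions made for this example.
 */

// Render the confirmation field on the Profile, Edit User and Add New User screens.
function pca_example_render_field() {
    ?>
    <table class="form-table">
        <tr>
            <th><label for="pca_confirm_password">Your current password</label></th>
            <td>
                <input type="password" name="pca_confirm_password" id="pca_confirm_password"
                       class="regular-text" autocomplete="current-password" />
                <p class="description">Required to change a password, e-mail or role, or to add a user.</p>
            </td>
        </tr>
    </table>
    <?php
}
add_action( 'show_user_profile', 'pca_example_render_field' );
add_action( 'edit_user_profile', 'pca_example_render_field' );
add_action( 'user_new_form',     'pca_example_render_field' );

// Does this save touch one of the fields an attacker would use to gain persistence?
// $user is the stdClass that edit_user() builds from the submitted form.
function pca_example_is_sensitive( $user, $update ) {
    if ( ! $update ) {
        return true; // creating a new user
    }
    $existing = get_userdata( $user->ID );
    if ( ! $existing ) {
        return true; // unknown target: fail closed
    }
    if ( ! empty( $user->user_pass ) ) {
        return true; // edit_user() only sets user_pass when a new password was typed
    }
    if ( isset( $user->user_email ) && $user->user_email !== $existing->user_email ) {
        return true; // e-mail change
    }
    if ( isset( $user->role ) && ! in_array( $user->role, (array) $existing->roles, true ) ) {
        return true; // role change (privilege escalation)
    }
    return false;
}

// Block the save unless the *acting* user's own password is present and correct.
// Checking the actor, not the edited account, is what defeats a hijacked session:
// the attacker holds the cookie but not the password behind it.
function pca_example_check_password( $errors, $update, $user ) {
    if ( ! pca_example_is_sensitive( $user, $update ) ) {
        return;
    }
    $actor = wp_get_current_user();
    $given = isset( $_POST['pca_confirm_password'] )
        ? (string) wp_unslash( $_POST['pca_confirm_password'] )
        : '';
    if ( '' === $given || ! wp_check_password( $given, $actor->user_pass, $actor->ID ) ) {
        $errors->add(
            'pca_confirm_password',
            '<strong>Error</strong>: enter your current password to make this change.'
        );
    }
}
add_action( 'user_profile_update_errors', 'pca_example_check_password', 10, 3 );
```

Two caveats a practitioner should keep in mind: `user_profile_update_errors` fires only for the wp-admin forms, so code paths that call `wp_update_user()` or `wp_insert_user()` directly (the REST API, XML-RPC, other plugins) are not covered by this hook and would need their own check; and the password comparison itself is done by `wp_check_password()` against the stored hash, so the submitted value is never stored or logged.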

Caveat

Of course, by default WordPress allows administrative users to install arbitrary plugins and themes and to edit existing plugins/themes through the built-in editors. These freedoms render the above protection moot: an attacker who can write PHP to the server has no need to change a password or create a user. It is outside the immediate scope of this plugin to password protect those features, though it may be considered at a later date.
It is the advice of the plugin author that you disable such features in your site’s wp-config.php by adding:

define( 'DISALLOW_FILE_MODS', true ); 

as outlined in https://codex.wordpress.org/Editing_wp-config.php#Disable_plugin_and_Theme_Update_and_Installation.

To report bugs or feature requests, please use Github issues.

Can I Help?

Yes, please do! You could do either of the following:

  1. Use the plugin and report any issues.
  2. Find an unassigned issue and start working on it (please make PRs to the develop branch).

If you have expertise in accessibility, I would welcome any suggestions or improvements; if you encounter any accessibility issues, please report them.

A special thanks

A special thanks to Human Made whose Require Password plugin (written by Jenny Wong) served as an inspiration for this plugin.

Installation

Manual Installation

  1. Upload the entire /password-confirm-action directory to the /wp-content/plugins/ directory.
  2. Activate Password Confirm Action through the ‘Plugins’ menu in WordPress.

Frequently Asked Questions

No FAQ available

Review feed

No reviews available

Screenshots

No screenshots available

Changelog

0.2.0

  • Initial release on the wordpress.org repository.

0.1.1

  • The 0.1.0 version didn’t actually work…
  • Fixes modal hiding highlighted invalid fields (See #1).

0.1.0

  • First release