• Resolved wpandlpuser

    (@wpandlpuser)


    Dear AIOS team,

    I would like to frame a theoretical question for a scenario when the admin user’s password is leaked and hackers want to access the site.

    I currently have 2FA authentication (with AIOS of course) in place and the following WP REST API Settings: https://i.postimg.cc/pVDrFCKZ/settings-rest.png

    Let’s imagine, that the admin password gets leaked. Due to 2FA, the hacker cannot log into the admin panel.

    Is it possible for the hacker to get access to the admin panel in other ways?
    With these settings, is the hacker able to spam the website via the REST API if I am logged in or logged out with the admin user?

    Thank you!

    • This topic was modified 3 months, 2 weeks ago by wpandlpuser.

Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Support hjogiupdraftplus

    (@hjogiupdraftplus)

    Hi @wpandlpuser,

    I cannot see what the WP REST API settings are. I need to check, but it seems that for the REST API, TFA authentication is not required, so it will allow a hacker to get access using username and password.

    Regards

    Thread Starter wpandlpuser

    (@wpandlpuser)

    Hi @hjogiupdraftplus ,

    Please let me know which WP REST API settings you are referring to. I would attach a screenshot.
    As additional information, Application Passwords are disabled (with AIOS) in the WP admin profile.

    Thanks!

    Plugin Support hjogiupdraftplus

    (@hjogiupdraftplus)

    Hi @wpandlpuser,

    I can now see the image. You do not have "Disallow unauthorised REST access" enabled, so it is not the case that the REST API is disabled.

    WP REST API Settings: https://i.postimg.cc/pVDrFCKZ/settings-rest.png

    For the REST API, TFA authentication is not required, so it will allow a hacker to get access using the username and password. But if you have disabled the application password, it should not, as per my knowledge.

    Can you see any access in the server access log?

    Regards

    Thread Starter wpandlpuser

    (@wpandlpuser)

    Hi @hjogiupdraftplus ,

    Is the API still accessible and exploitable for a hacker who has the admin password, if there are no Application passwords defined for the Admin user?

    Thank you!

    Plugin Support hjogiupdraftplus

    (@hjogiupdraftplus)

    Hi @wpandlpuser,

    When I checked the details for REST API calls such as deleting or editing a user, they require an Application Password, not the standard account password. Therefore, even if the admin username and password have been leaked, it wouldn’t be possible to perform these actions if 2FA is enabled through AIOS.

    However, it’s still advisable to update the passwords for all admin accounts whose credentials may have been compromised.

    Regards
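As an added example (not code from AIOS or from anyone in this thread), the must-use plugin below applies the two controls discussed above using core WordPress hooks: it disables Application Passwords for every user, and it rejects REST requests that carry no authenticated session, which is what the "Disallow unauthorised REST access" option is for. The hook names are WordPress core; the file location and plugin name are assumptions.

```php
<?php
/**
 * Plugin Name: REST auth hardening (constructed example, not AIOS code)
 * Description: Place in wp-content/mu-plugins/ so it loads before normal plugins.
 */

// 1. Turn off Application Passwords site-wide. The only non-cookie credential
//    that WordPress core accepts on a REST request is an Application Password,
//    so with this off a leaked account password alone does not authenticate
//    a REST call. This is the per-profile toggle from the thread, but enforced
//    for all users at once rather than relying on each admin to switch it off.
add_filter( 'wp_is_application_passwords_available', '__return_false' );

// 2. Refuse REST requests that have no authenticated user. Requests from the
//    logged-in admin still work: WordPress validates the auth cookie and the
//    X-WP-Nonce header before this filter runs, so $result is already set or
//    is_user_logged_in() is true for those.
add_filter( 'rest_authentication_errors', function ( $result ) {
    // Another authentication handler already produced a verdict; keep it.
    if ( ! empty( $result ) ) {
        return $result;
    }
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',
            'You must be logged in to use the REST API.',
            array( 'status' => 401 )
        );
    }
    return $result;
} );
```

Blocking all anonymous REST access can break front-end plugins that call wp-json without a session, so test the site's forms and embeds after enabling step 2.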

    Thread Starter wpandlpuser

    (@wpandlpuser)

    Hi @hjogiupdraftplus ,

    Thank you very much for the research and confirmation.

    I believe it is the right time to give a 5-star rating for your product and customer support 🙂
