The All In One WP Security & Firewall Plugin, installed on over one million WordPress sites, recently discovered a security flaw in version 5.1.9. The bug allowed users’ passwords to be stored in plaintext format, posing a significant risk. UpdraftPlus, the plugin maintainers, swiftly addressed the issue and released updates to mitigate the vulnerability. Users are advised to update their installations promptly to safeguard their websites.

Vulnerability Details:

Version 5.1.9 of the All In One WP Security & Firewall Plugin introduced a bug that resulted in users’ passwords being stored in plaintext format within the plugin’s database. This flaw enabled malicious site administrators to read these passwords, potentially compromising the security of affected websites. The issue was reported by a user who expressed concerns about such a fundamental security oversight in a security plugin.

Impact and Mitigation Measures:

If exploited, the vulnerability could allow site administrators with malicious intent to access and misuse users’ login credentials stored in the database. To address this issue, UpdraftPlus released version 5.2.0, which removed the logged passwords and implemented fixes. However, some users reported issues with broken sites and persistent password logs. Consequently, version 5.2.1 was released to address these problems.


All users of the All In One WP Security & Firewall Plugin are strongly advised to update their installations to version 5.2.1 without delay. By doing so, they will effectively address the vulnerability and protect their websites from potential compromise. Additionally, it is recommended that users enable two-factor authentication and change passwords, especially if the same credentials have been used on other sites.

User Concerns and Developer Response:

Some users expressed frustration with broken sites and the lack of password-logging warnings from the plugin developers. Oliver Sild, CEO of Patchstack, emphasized the importance of notifying users to change their passwords to prevent potential credential harvesting by threat actors.

Statistics and Urgency:

Considering the large number of websites still running older versions of the plugin, it is crucial for All In One WP Security & Firewall Plugin users to update their installations promptly. By doing so, they can effectively mitigate the risks associated with the vulnerability and ensure the security of their WordPress sites.


Addressing the vulnerability in the All In One WP Security & Firewall Plugin is essential to protect WordPress websites from potential security breaches. Users should update their installations to version 5.2.1, which resolves the vulnerability and provides necessary security improvements. By following recommended security practices, WordPress site owners can enhance their website’s resilience against potential threats.