Therefore, WordPress does not have any built-in security to prevent an attacker from changing the password of a logged-in account before the owner has the chance to log in on another machine and click the "Log Out Everywhere Else" button (and sadly, many users don't even remember that button exists, or don't care). The situation is even worse when an admin account is left logged in, since malicious accounts might be created with the Administrator role, or existing user accounts might be compromised.
This plugin adds the functionality that should be in the WordPress core by default: users must enter their own current password when changing their password, and admins must enter their admin password when creating a new user or changing a user's password. This prevents the creation of malicious accounts and the takeover of existing user accounts by anyone who gained access to the dashboard without knowing the account's password.
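The following is an added example, not the plugin's own code, showing how the behaviour described above can be implemented with WordPress's standard hooks: the user-edit and new-user screens are validated through the `user_profile_update_errors` action, and the password typed into an extra `current_password` field is checked against the hash of the account that is performing the action (the user's own, or the admin's). The function names, the `cpc_` prefix and the `current_password` field name are assumptions chosen for this example.

```php
<?php
/*
Plugin Name: Current Password Check (illustrative example, not the original plugin)
*/

// Fires in edit_user() for both profile updates ($update = true) and
// new-user creation ($update = false), before the user row is written.
add_action( 'user_profile_update_errors', 'cpc_require_current_password', 10, 3 );

function cpc_require_current_password( $errors, $update, $user ) {
    // Only enforce when a password is being set or a new user is being created;
    // a plain profile edit that leaves the password alone is not affected.
    $setting_password = ! empty( $_POST['pass1'] );
    if ( $update && ! $setting_password ) {
        return;
    }

    // The account performing the action: the user themselves on their own
    // profile, or the administrator on someone else's profile / new-user form.
    $actor = wp_get_current_user();
    $typed = isset( $_POST['current_password'] )
        ? (string) wp_unslash( $_POST['current_password'] )
        : '';

    if ( '' === $typed ) {
        $errors->add( 'cpc_missing', __( 'Please enter your current password to confirm this change.' ) );
        return;
    }

    // wp_check_password() compares the plaintext against the stored hash and
    // rehashes it if the stored format is outdated.
    if ( ! wp_check_password( $typed, $actor->user_pass, $actor->ID ) ) {
        $errors->add( 'cpc_wrong', __( 'The current password you entered is incorrect.' ) );
    }
}

// Render the extra field on the own-profile, edit-other-user and add-new-user screens.
function cpc_render_field() {
    ?>
    <table class="form-table" role="presentation">
        <tr>
            <th><label for="current_password"><?php esc_html_e( 'Your current password' ); ?></label></th>
            <td>
                <input type="password" name="current_password" id="current_password"
                       class="regular-text" autocomplete="current-password" />
                <p class="description">
                    <?php esc_html_e( 'Required when setting a password or creating a user.' ); ?>
                </p>
            </td>
        </tr>
    </table>
    <?php
}
add_action( 'show_user_profile', 'cpc_render_field' );
add_action( 'edit_user_profile', 'cpc_render_field' );
add_action( 'user_new_form', 'cpc_render_field' );
```

Because the check runs on the same request that WordPress already protects with its own nonce, a hijacked browser session by itself is no longer enough to set a password or create an account: the actor must also know the password of the account they are logged in as, which is exactly the knowledge the attacker described above lacks.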
Since the plugin's aim is to provide an extra layer of security to your WordPress site, we suggest installing it as a Must Use plugin:

1. Copy the current-password plugin directory to /wp-content/mu-plugins/. If you don't have a mu-plugins directory, create it.
2. Copy the current-password.php plugin file from
(Installing the plugin through the WordPress plugins screen directly also works.)
Any questions? Contact us at firstname.lastname@example.org.