Current Password?

Require a user's or admin's current password as part of the user password change process on the dashboard.

Download from WordPress Plugin Directory

Description

Forgetting about an account and leaving it logged in on devices that one might have no control over later (think of publicly accessible computers) is a common mistake among users. The WordPress community is probably aware of that too, which is why a "Log Out Everywhere Else" button was introduced in version 4.1. It makes it possible to log out of all active sessions (or all except one, your current session). This button was added to the dashboard's Profile and User Edit pages, but it is only visible if JavaScript is enabled in your browser. WordPress also sends an e-mail to the user's registered e-mail address after a password change, but that is only a notification that records the password change action, not a confirmation request to approve the new password.

Therefore, WordPress does not have any built-in security to prevent an attacker from changing the password of a logged-in account before the owner has had the chance to log in and click the "Log Out Everywhere Else" button on another machine (and sadly, many users don't even remember or care). The situation is even worse when an admin account is left logged in, since malicious accounts might be created with the Administrator role, or existing user accounts might be compromised.

This plugin adds the functionality that should be in the WordPress core by default: users must enter their own current password when changing their password, and admins must enter their admin password when creating a new user or changing a user's password. This prevents the creation of malicious accounts and the takeover of existing user accounts by those who gained access to the dashboard without knowing the password of the account.

  • Current Password and Admin Password fields are added seamlessly where necessary (see screenshots).
  • Works without JavaScript.
  • Currently available in 7 languages (see changelog).
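
One way the check described above can be wired into WordPress, shown as an added example that is not the plugin's own code. The `cp_`-prefixed function names and the `cp_current_pass` field name are hypothetical; the hooks and `wp_check_password()` are WordPress core.

```php
<?php
// Added illustration, not the plugin's source. cp_* names and the
// cp_current_pass field are hypothetical; the hooks are WordPress core.

// Render the extra field on Your Profile, Edit User and Add New User.
// Plain HTML, so it works with JavaScript disabled.
function cp_render_field() {
    ?>
    <table class="form-table" role="presentation"><tr>
        <th><label for="cp_current_pass">Your current password</label></th>
        <td><input type="password" name="cp_current_pass" id="cp_current_pass"
                   autocomplete="current-password" /></td>
    </tr></table>
    <?php
}
add_action( 'show_user_profile', 'cp_render_field' );
add_action( 'edit_user_profile', 'cp_render_field' );
add_action( 'user_new_form', 'cp_render_field' );

// Runs inside edit_user() before anything is written. Adding an error
// here makes core abort the password change or the user creation.
function cp_verify_current_password( $errors, $update, $user ) {
    // On updates, user_pass is set only when a new password was submitted.
    // Creating a user ($update === false) is always checked.
    if ( $update && empty( $user->user_pass ) ) {
        return;
    }

    // The password to verify always belongs to the logged-in actor:
    // the user on their own profile, or the admin editing/creating a user.
    $actor = wp_get_current_user();

    // Passed through as submitted, as wp_signon() does with the login form.
    $submitted = isset( $_POST['cp_current_pass'] ) ? $_POST['cp_current_pass'] : '';

    if ( '' === $submitted
        || ! wp_check_password( $submitted, $actor->user_pass, $actor->ID ) ) {
        $errors->add(
            'cp_current_pass',
            '<strong>Error:</strong> Enter your current password to confirm this change.'
        );
    }
}
add_action( 'user_profile_update_errors', 'cp_verify_current_password', 10, 3 );
```

Because the check compares against the logged-in account's own hash, one callback covers both cases the description names: a user changing their own password and an admin creating or editing another user.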

Installation

Since the plugin's aim is to provide an extra layer of security to your WordPress site, we suggest installing it as a Must Use plugin:

  1. Download the plugin.
  2. Unzip and upload the current-password plugin directory to /wp-content/mu-plugins/. If you don't have a mu-plugins directory, create it.
  3. Move the current-password.php plugin file from /wp-content/mu-plugins/current-password/ to /wp-content/mu-plugins/.
  4. Must Use plugins are activated by default, no manual activation is needed – Current Password and Admin Password fields will appear automatically.

(Installing the plugin through the WordPress plugins screen directly also works.)

Contact

Any questions? Contact us at support@wpcurrentpassword.com.