Earlier today on Twitter, WordPress community member Travis Ballard @Ansimation published a link to a plugin that will have people thinking twice before they sign up to a WordPress based website. Ironically, it’s called WPEvil and saves passwords into plain text instead of hashes. One thing I’ve learned over the years is that passwords are to never be stored in plain text, for any reason. I reached out to the creators of this plugin to see if they could give me a couple of legitimate use cases. Here is what they had to say.
Legitimate use would be I guess to tell one of your users their password if they can’t reset it for some reason. There are no appropriate uses for this plugin, I guess you could do your own research to see what people actually use as passwords.
Motivation? Bored.
Travis also got in touch with the plugin author on Reddit to discuss legitimate uses for this plugin and was greeted with an insult that it was above his pay grade.
So if you come across a WordPress powered website that you can tell is using this plugin, would you register your account there? How does it make you feel to see a company release such a plugin to the wild? Should anyone be worried that this plugin exists?