
WordPress All-In-One Security (AIOS) Plugin Has Been Logging User Passwords for Nearly Two Months

via pluginvulnerabilities.com => original post link

We recommend against using all-in-one WordPress security plugins for a number of reasons. One is that they likely include a lot of functionality you don’t need, which, among other issues, can create additional security risk when you are trying to reduce it. Another is that a plugin focused on one thing should, theoretically at least, do a better job of providing the needed functionality. All-in-one plugins are rather popular despite those concerns. The All-In-One Security (AIOS) plugin has 1+ million installs. That popularity comes despite the previous and current developers having a pretty bad track record with security across the plugins they develop, including this plugin. That makes a security issue in the latest version of the plugin not all that surprising.

On June 23, a user of the plugin created a support forum topic with this concerning headline: “Cleartext passwords written to aiowps_audit_log”. They appear not to be aware of the plugin’s poor track record, as their message started this way: