Remove plain text passwords from Joomla registration emails

Joomla CMS sends registration welcome emails with plain text passwords, which is not a great security practice.

To prevent this you can modify language file:
language/en-GB/en-GB.com_users.ini

Depending on your Joomla installation language en-GB bit may be different for you.

We are interested in two entries:
COM_USERS_EMAIL_REGISTERED_WITH_ACTIVATION_BODY
COM_USERS_EMAIL_REGISTERED_WITH_ADMIN_ACTIVATION_BODY

This is full text:

COM_USERS_EMAIL_REGISTERED_WITH_ACTIVATION_BODY=”Hello %s,\n\nThank you for registering at %s. Your account is created and must be activated before you can use it.\nTo activate the account click on the following link or copy-paste it in your browser:\n%s \n\nAfter activation you may login to %s using the following username and password:\n\nUsername: %s\nPassword: %s”

COM_USERS_EMAIL_REGISTERED_WITH_ADMIN_ACTIVATION_BODY=”Hello %s,\n\nThank you for registering at %s. Your account is created and must be verified before you can use it.\nTo verify the account click on the following link or copy-paste it in your browser:\n %s \n\nAfter verification an administrator will be notified to activate your account. You’ll receive a confirmation when it’s done.\nOnce that account has been activated you may login to %s using the following username and password:\n\nUsername: %s\nPassword: %s”

In both cases password is passed by the last %s variable, so all we need to do is modify text so last %s is not included. For example, something like this:

COM_USERS_EMAIL_REGISTERED_WITH_ACTIVATION_BODY=”Hello %s,\n\nThank you for registering at %s. Your account is created and must be activated before you can use it.\nTo activate the account click on the following link or copy-paste it in your browser:\n%s \n\nAfter activation you may login to %s using the username: %s and the password you entered during registration.”

Tested on Joomla 2.5.6


Comments

Leave a Reply

Your email address will not be published. Required fields are marked *