• Resolved danMWD

    (@danmwd)


    Hi, I had a few questions regarding passwords and how they are handled in WP-Members.

    I wanted to force users to use strong passwords but when I tried to add a plugin to do this – either it was ignoring WP-Members or WP-Members was ignoring it. I believe I have located the right script to edit (wp-members-register.php) where I might add my own strength checks – is this the correct place or is there some setting I am missing or should other plugins that check password strength be working?

    Secondly I noticed that when someone forgets their password the system sends them a password in the clear to their email address – perhaps I am missing a setting somewhere but would prefer if it could be done using the user_activation key (like core WordPress is doing now – at least I believe so). I believe that the script handling this is wp-members-core.php – is this correct? – and/or have I also missed a setting? I am somewhat concerned about the security of sending a new password rather than a key that can be used or expired once a new password is set.

    If you could point me in the right direction or correct any misunderstanding I might have that would be great.

    Also I am also somewhat reluctant to start hacking at the code as any changes I make will be lost when the plugin is updated.

    Thank you for your time on this matter.

    https://www.ads-software.com/plugins/wp-members/

Viewing 1 replies (of 1 total)
  • Plugin Author Chad Butler

    (@cbutlerjr)

    Second question first – the plugin originally only allowed emailing of a random initial password (with the obvious intention that the user would change this upon logging in). There’s not much difference between that and an activation key, from a security standpoint.

    Only recently has the option for user selected passwords during registration been included in the plugin. However, with that option, you do not *have to* send the user their login credentials since they are creating them at registration.

    It may be that I add an activation key process in the future, but that would come in some later version.

    Also I am also somewhat reluctant to start hacking at the code as any changes I make will be lost when the plugin is updated.

    A wise choice, since there are many hooks in the plugin for allowing proper customization.

    If you want to enforce strong passwords, there are two action hooks you could use:

    These two filters work essentially in the same manner. Hopefully it is obvious which processes they belong to.

    Depending on whether you are allowing the user to create a password at registration, or they are doing it when they update their profile, would determine which to use (and you could use both hooked to the same function for the kind of validation you are talking about).

    The information you need for how to use the hook to stop the process and return an error message is in the documentation for the register hook, but the update hook works the same way.
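    As an added example (not the plugin author's code and not part of the original reply), here is one way to hook a single password-policy check to both the registration and profile-update actions from a small site-specific plugin, so it survives WP-Members updates. It assumes the two hooks are named wpmem_pre_register_data and wpmem_pre_update_data, that the submitted password arrives as $fields['password'] (and the username as $fields['username']), and that setting the global $wpmem_themsg to a non-empty string makes the plugin stop and display that message.

```php
<?php
/**
 * Added example: enforce a password policy in WP-Members by hooking one
 * validator to both the registration and the profile-update action.
 * Assumed hook names, field keys and the $wpmem_themsg convention are
 * labelled in the lead-in; confirm them against the plugin documentation.
 */
function my_wpmem_password_policy( $fields ) {
    global $wpmem_themsg;

    // On a profile update the password field is often empty (unchanged), so only
    // validate when a new password was actually submitted.
    if ( empty( $fields['password'] ) ) {
        return;
    }
    $pw     = (string) $fields['password'];
    $errors = array();

    if ( strlen( $pw ) < 12 ) {
        $errors[] = 'at least 12 characters';
    }
    if ( ! preg_match( '/[a-z]/', $pw ) || ! preg_match( '/[A-Z]/', $pw ) ) {
        $errors[] = 'both upper- and lower-case letters';
    }
    if ( ! preg_match( '/[0-9]/', $pw ) ) {
        $errors[] = 'a digit';
    }
    if ( ! preg_match( '/[^a-zA-Z0-9]/', $pw ) ) {
        $errors[] = 'a symbol';
    }

    // Reject a password that contains the username (assumed key 'username').
    $user = isset( $fields['username'] ) ? (string) $fields['username'] : '';
    if ( $user !== '' && stripos( $pw, $user ) !== false ) {
        $errors[] = 'no part of your username';
    }

    if ( $errors ) {
        // Assumed convention: a non-empty $wpmem_themsg aborts the process and
        // is shown to the user as the error message.
        $wpmem_themsg = 'Password must contain ' . implode( ', ', $errors ) . '.';
    }
}

// Same function on both hooks, as suggested in the reply above.
add_action( 'wpmem_pre_register_data', 'my_wpmem_password_policy' );
add_action( 'wpmem_pre_update_data',   'my_wpmem_password_policy' );
```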

  • The topic ‘passwords’ is closed to new replies.