greentreefrog
Forum Replies Created
Forum: Plugins
In reply to: [Stripe Payment Plugin for WooCommerce] How do I go back to API keys?
That worked. Thanks!
(Meanwhile I had switched to a different payment processing plugin we were already using to handle ACH payments, but I’ll need to switch back to have credit cards integrated with your subscriptions plugin.)
Forum: Plugins
In reply to: [Stripe Payment Plugin for WooCommerce] How do I go back to API keys?
Update: I also tried completely uninstalling Webtoffee’s Stripe Payment Plugin, but apparently something in the database remembered the previous settings anyway, because when I reinstalled it, it again said “Connected” (even though the App has been uninstalled in the only Stripe account I had installed it in).
Update: I have raised this issue on the WordFence support forum. Meanwhile, I did work out some PHP code to customize the behavior when the “Lost Password” form is submitted so that the same message would show regardless of whether a valid or invalid username or email was entered. Unfortunately, it only works when WordFence is deactivated. I will post the final solution here when I am sure everything works (unless someone else beats me to it).
Thanks, Sandip. Sorry I did not get back to this sooner.
The code you gave worked to change the error message (once I upped the filter’s priority to 11 instead of 10).
There is a somewhat different, related problem: On the “Lost Password” page, without the WordFence plugin active, if I type an email address or username that does not exist, I get the error message, “Invalid username or email.” If the username does exist, the confirmation message is shown (“Password reset email has been sent.”) Again, this lets a would-be hacker know whether or not they have a valid username or email, so we would like to change it.
However, there seems to be a conflict when both WordFence and UR are active: If the username or email is non-existent, no message appears at all on the “Lost Password” page, making it appear that the form failed to submit (which could still inform a hacker that the username or email did not exist). If the username does exist, the aforementioned confirmation message appears as usual.
Although WordFence is a very popular security plugin, my guess is that this issue is seldom noticed. Real users type in their correct username or email most of the time and if they keep trying the wrong one, sooner or later they’ll probably either quit the website or ask an admin for help. But I’d rather show a message instead of nothing; something like, “A password reset email has been sent. (If you do not receive it, check your spam folder. Also be sure you entered a correct username or email address.)”
Regards,
Margaret
I verified that when WordFence is deactivated, the error message for an invalid username is “Invalid username” (followed by the “Lost your password?” link). However, displaying “Invalid username” is a security risk, as then attackers know whether or not they have a valid username. That is why WordFence changes the error message used. We would prefer the message say, “Either the username or password is incorrect.” I am not seeing a setting for changing the error message for either the username or password field.
WordFence seems to just substitute the invalid password message for the invalid username message. In that case, all we really need to change is the invalid password error message. If your plugin has a way to do that, please show me. Otherwise, I will try to do it with the “wp_login_errors” WordPress filter.
Regards,
Margaret
- This reply was modified 2 months, 3 weeks ago by greentreefrog. Reason: Make a sentence clearer
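The uniform login message asked for in the reply above, sketched as an added example (not code from the thread, the plugin, or WordFence). It assumes the login goes through WordPress core's `wp_authenticate()`; the function name `gtf_uniform_login_error` and the constant `GTF_ENUMERATION_CODES` are hypothetical.

```php
<?php
/**
 * Added example (hypothetical plugin snippet, not from the thread).
 * Collapses the core authentication errors that reveal whether an account
 * exists into one generic error, while logging the real reason server-side.
 */

// Core error codes that distinguish "no such user" from "wrong password".
const GTF_ENUMERATION_CODES = array( 'invalid_username', 'invalid_email', 'incorrect_password' );

/**
 * @param WP_User|WP_Error|null $user     Result of the earlier authenticate callbacks.
 * @param string                $username Submitted username or email address.
 * @return WP_User|WP_Error|null
 */
function gtf_uniform_login_error( $user, $username ) {
	if ( ! is_wp_error( $user ) ) {
		return $user; // Successful login, or nothing decided yet: leave untouched.
	}

	$code = $user->get_error_code();
	if ( ! in_array( $code, GTF_ENUMERATION_CODES, true ) ) {
		return $user; // e.g. empty_username or empty_password: not an enumeration signal.
	}

	// Keep the distinction for administrators in the server log...
	error_log( sprintf(
		'Login failed (%s) for "%s" from %s',
		$code,
		sanitize_user( $username ),
		$_SERVER['REMOTE_ADDR'] ?? 'unknown'
	) );

	// ...but show the visitor the same error in every case.
	return new WP_Error( 'login_failed', 'Either the username or password is incorrect.' );
}

// Core's username and email checks run at priority 20; run after them.
add_filter( 'authenticate', 'gtf_uniform_login_error', 100, 2 );
```

A plugin that renders its own login form and rewrites messages by error code will see only `login_failed` here, so any message mapping it keeps for the three original codes no longer applies.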
Forum: Plugins
In reply to: [wpForo Forum] Development clone links need changing – how?
I could not find a [Delete All Caches] button on the Overview page, only [Delete User Cache], but I did find “Enable Cache” on the “Forum Settings” page, so I changed that from “Yes” to “No.” That fixed the problem. I assume I can now re-enable that setting and all will continue to be well.
Thanks!
WordFence identified this same issue on our site. Note that their description at the aforementioned link includes this:
“The Popup Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.3 via the Subscribers Import feature. This makes it possible for unauthenticated attackers to extract sensitive data after an administrator has imported subscribers via a CSV file.”
Seems that if you don’t import subscribers via a CSV file, you’ll be fine. Nevertheless, I look forward to a fix.
Update: I found where you can change error messages for specific fields (which I assume is handled by JavaScript) but not for errors that result from checking the database, such as a non-existent username or a password that is incorrect for a correct username. Do such server-level error messages come from WordPress core, or can your plugin modify any of them?
Thanks again. I really like your plugin, by the way.
I work with narbutovskih and want to clarify that the main question is, can we as site administrators change the error messages that the plugin displays to the front-end users, and if so, how? The examples given are not the only ones we want to change.
Thank you for your time.
Perhaps I did not understand what ubaid ismail is asking, but without the custom code, when the user clicks the confirmation link in the email, they are automatically logged in, correct?
I am so glad mira19 (above) asked about this, because we feel that automatically logging users in when they confirm their email may confuse them. And I love that when automatic login is turned off this way, users see a message at the top of the login screen: “User successfully registered on [the website title appears here]. Login to continue.” That makes what’s going on totally clear.
While I am comfortable adding PHP code, being able to do the same thing via plugin settings would be a nice feature to add in the future.
Thanks for a great plugin!
The plugin is currently at Version 2.6.9 and automatic updates are on. Why WordFence would have flagged it for file changes is a mystery. I just looked at the plugin files and they were all last modified on March 21, 2024 at 6:39 AM (probably my local time, PDT). I will ask WordFence about this.
Thanks!
Forum: Plugins
In reply to: [Badge and Product Label for WooCommerce] Incompatible theme
I am using the “Jace” theme, which I don’t believe is widely used. In any case, this theme seems to be relying on WooCommerce Blocks to list all the products on the shop page, which I believe uses AJAX to load the products. I tried every hook provided by your plugin and none of them worked for the shop page, probably because they rely on PHP hooks rather than AJAX.
I did, however, play with some JavaScript to show my own badge. Unlike the latest “Twenty Twenty…” themes provided by WordPress, the Jace theme fails to add an “outofstock” class for out of stock items, but it does change the “Add Item” button text to “Read More”, so I was able to look for that within a JavaScript “MutationObserver”.
Anyway, by the time I had the Shop page as I wanted it, I decided to add to my own custom plugin to take care of the single product page as well, which meant I didn’t need your plugin. However, I really liked your plugin and will consider it for other sites. As I said, it worked fine on the Twenty Twenty-Four, -Three and -Two themes, and it is easy enough for less-technical people to figure out.
I tried the new version on two websites so far. It works perfectly.
Thanks!
Margaret
Found it. Click on Español at the top and a submenu opens up for picking your language. Never mind!
Forum: Themes and Templates
In reply to: [Jace] WooCommerce 8.3.0 and Cart Page
Your suggestion worked fine and later WP updates still work. (Meant to get back to you sooner.)
Thanks!
Margaret