
User names


Hi

This is definitively a security issue.

I require that login names ARE NOT screen names, at least for admins and for moderators.

So I have disabled the mentioning function.

I am using the plugin Front END PM for private messages. To find recipients, the plugin uses screen names, not login names.

Maybe you could do the same.

Kind regards

Thierry

Hey @thierry,

We are already aware of the situation, and at the moment there are the following workarounds to keep your website safer:

  • use only email for login (iThemes Security free – Settings -> WordPress Tweaks)
  • force admins and moderators to use secure passwords (iThemes Security free – Settings -> Strong Passwords)
  • we also advise using 2FA for admins (iThemes pro or Wordfence free)

The problem with the screen names is that they don’t have to be unique and an update could cause problems with that. Also if someone changes their name, all the posts would have to be searched and the mention name must be rewritten.


Hey @qualmy91

Thanks for the help

> use only email for login (iThemes Security free – Settings -> WordPress Tweaks)

This is a very good idea! I will write or find a snippet to do this!

Kind regards
Thierry


Hello @qualmy91

Below is a working snippet for email-only login where you can customize/translate the error messages.
For changing the “Username or email” text in the login form, I use the Login Designer plugin.

Regards
Thierry

*********

remove_filter('authenticate', 'wp_authenticate_username_password', 20);

add_filter('authenticate', function($user, $email, $password){

    //Keep a user that an earlier authenticate filter has already accepted
    if($user instanceof WP_User){
        return $user;
    }

    //Check for empty fields
    if(empty($email) || empty($password)){
        //create new error object and add errors to it.
        $error = new WP_Error();

        if(empty($email)){ //No email
            $error->add('empty_username', __('<strong>ERROR</strong>: Email field is empty.'));
        }
        else if(!filter_var($email, FILTER_VALIDATE_EMAIL)){ //Invalid Email
            $error->add('invalid_username', __('<strong>ERREUR</strong>: Email incorrect'));
        }

        if(empty($password)){ //No password
            $error->add('empty_password', __('<strong>ERREUR</strong>: Il faut un mot de passe.'));
        }

        return $error;
    }

    //Check if user exists in WordPress database
    $user = get_user_by('email', $email);

    //bad email: same message as for a bad password, so the reply does not reveal whether the address is registered
    if(!$user){
        $error = new WP_Error();
        $error->add('invalid', __('<strong>ERREUR</strong>: Email ou mot de passe incorrect'));
        return $error;
    }
    else{ //check password
        if(!wp_check_password($password, $user->user_pass, $user->ID)){ //bad password
            $error = new WP_Error();
            $error->add('invalid', __('<strong>ERREUR</strong>: Email ou mot de passe incorrect'));
            return $error;
        }else{
            return $user; //passed
        }
    }
}, 20, 3);
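
The requirement raised earlier in the thread, that login names must not double as screen names for admins and moderators, can be audited with a short script. This is an added example, not part of the thread or of Asgaros Forum; the function name, the file name and the role list are assumptions, and it is meant to be run inside WordPress (for example with WP-CLI's `wp eval-file`).

```php
<?php
// Added example (hypothetical file name: audit-login-names.php).
// Lists privileged accounts whose publicly visible names match their login name.
// The default role list is an assumption; add the roles that moderate your forum.
function find_exposed_login_names(array $roles = array('administrator', 'editor')) {
    $findings = array();

    foreach (get_users(array('role__in' => $roles)) as $user) {
        $login = strtolower($user->user_login);

        // Publicly visible fields mapped to the login-derived value they are compared with.
        // user_nicename defaults to a slug of the login, so compare it with that slug.
        $checks = array(
            'display_name'  => array($user->display_name, $login),
            'nickname'      => array($user->nickname, $login),
            'user_nicename' => array($user->user_nicename, sanitize_title($user->user_login)),
        );

        $matches = array();
        foreach ($checks as $field => $pair) {
            if (strtolower((string) $pair[0]) === $pair[1]) {
                $matches[] = $field;
            }
        }

        if ($matches) {
            $findings[] = array(
                'ID'     => $user->ID,
                'roles'  => $user->roles,
                'fields' => $matches,
            );
        }
    }

    return $findings;
}

// Report by user ID only, so the login names themselves do not end up in the output.
foreach (find_exposed_login_names() as $finding) {
    printf(
        "User #%d (%s): login name matches %s\n",
        $finding['ID'],
        implode(', ', $finding['roles']),
        implode(', ', $finding['fields'])
    );
}
```

Accounts reported for `display_name` or `nickname` can be corrected in the user's profile; `user_nicename` is not editable from the profile screen.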

 
