Is it possible allow a visitor to see only a post?
I think it would be safer if it is restricted by IP instead by cookies.
For instance the plugin WP POST RATINGS of Lester Chan has the option to allow 1 voting by IP.
If you’re not requiring a login, Cooke’s or local storage are you’re only viable solution.
IP checks are flawed in that any number of users on a local network will make requests from the same public IP address.
I understand your concern but most users are not incentivized or knowledgeable enough to understand that clearing their cookies would potentially allow a second “vote”.
So unless you go to a full Auth system you’re better off with cookies.
Hide another pages for visitor. You can use "Anonymous Restricted Content" plugin for hide page for not logged in users.
Related
First of all, I'd like to preface this post by stating that I know this is a terrible user experience...
I have a client who would like to prevent site visitors from sharing login credentials.
Because this is a corporate marketing site, social login is not an option.
The client claims that there is a site where upon registration, a cookie is dropped onto the user's device and the user is also given a unique password that will only work on that specific device.
Does anyone know how to make this work using Wordpress? (I'd like to avoid using third party plugins)
This sounds like the use of Single Sign On (SSO) or 2 factor Authenticaton (2FA) will be needed. The SSO Wikipidea page references a cookie based solution for TCP/IP networks https://en.wikipedia.org/wiki/Single_sign-on so perhaps that's how this came up from your client.
Once you identify what your options are with that, based on what your client is using for authentication, then set up may be a bit easier. I think a plugin would save you a lot of time, since this is a pretty elaborate task. This one may do the trick https://wordpress.org/plugins/miniorange-saml-20-single-sign-on/
Regardless it's pretty challenging to prevent the sharing of credentials. SSO may be a deterrent if that gives access to something else that user doesn't want to share. 2FA doesn't prevent a user from sharing the pin thats generated too. Perhaps the only real way is to require an IP match on a device with bio-metric authenticaton.
Is there is any custom code for adding an IP address in WordPress for all users or also to allow WordPress site’s users to be allowed to add IPs using which they can auto-login to their respective accounts?
You're looking for $_SERVER['REMOTE_ADDR']
'REMOTE_ADDR'
The IP address from which the user is viewing the current page.
Learn more about $_SERVER # https://www.php.net/manual/en/reserved.variables.server.php
$_SERVER['REMOTE_ADDR'] will get you your user IP, you can now create a new custom meta box for each user with the remote address as value.
Keep in mind that more and more providers are giving users modular IPs, YOU even, probably have a modular IP. VPN are also a thing, so IPs are pretty much pointless to collect.
If you're living in the EU, bear in mind that collecting unnecessary datas with no end point can be fined since the introduction of the RGPD law.
Whenever I open my website admin https://www.examplesite.com/wp-admin
it is redirecting to homepage.
Edit: This answer was using the original URL as given by OP, and later edited/removed by David.
It works fine for me - presenting the admin login screen as expected, so maybe too many bad logins from your IP / address and it's therefore redirecting you.
Try logging in from a friends computer or via Tor Browser and then reset the list of banned IPs?
Or if you have access to the database (and knowledge thereof) you can clear the table of bad login attempts to re-enable your usual access.
Please read the whole question before saying duplicate.There are similar but this is different.
I have a website that users can post ads. Its written by using ASP.NET. So
If a user post an ad it should go through a review path.( Involving an admin )
eg: User posting an ad. Then admin log to his admin page and review the ad and then give the approve.
I developed it within the same solution file. Currently I put this page in a folder. To access it user have to type
www.test.com/admin/review.aspx
manually. Because that page is not linked from the main website. And this admin user doesn't have a user account in user account table. Note that whole site is secured with SSL.
So admin has to enter a password to enter this page. This password is hard coded( Not getting from the DB ).
So am I using the right approach? Can a hacker attack to this page?
I dont want search engines to index this page. Also what about this hard coded password method? Is it a secure way?
Is it a good way to implement this page in this domain? I have different domains for this website end with .org and .info etc. Can I use such to access my admin page?
Tell me the best and secured approach to do this. Thank you very much.
A hardcoded password is never a good idea:
Developers of the website will know the admin password for all deployments of the application.
If the password is discovered by an attacker, it cannot be easily changed.
Pre-production versions of the app will carry the same admin password as live versions.
The security of the admin page should be be based on the fact the URL is hidden. URLs are hard to keep secret as they're stored in browser and proxy logs, they are emailed, and are leaked in the referer header if links are followed or resources are used from other domains (e.g. JQuery).
Hiding the page from search engines is a good idea, however do so via the use of meta tags, not robots.txt, as robots can be viewed by anybody to determine the location of your secret pages.
Use established security methods to make your admin functionality secure:
Implement TLS/SSL so all acces is over HTTPS to mitigate Man-In-The-Middle attacks.
Implement account/IP lockout after a number of incorrect password guesses.
Use two factor authentication (e.g. Google Authenticator) to mitigate phishing attacks.
Store passwords in a DB or outsource your authentication to e..g Open ID.
If storing passwords in your DB, hash and salt them and use a slow algorithm such as bcrypt, scrypt or PDKDF2 with the highest number of iterations you can get away with.
Is it possible to prevent a site from being scraped by any scrapers, but in the same time allow Search engines to parse your content.
Just checking for User Agent is not the best option, because it's very easy to simulate them.
JavaScript checks could be(Google execute JS) an option, but a good parser can do it too.
Any ideas?
Use DNS checking Luke! :)
Check the user agent to see if it's identifying itself as a search engine bot
If so, get the IP address requesting the page
Reverse DNS lookup the IP address to get a hostname
Forward DNS lookup the hostname to get an IP address
Same idea provided in help article Verifying Googlebot by Google
Checking link access times might be possible, in other words, if the front page is hit, then the links on the front page are all hit "quickly".
Even easier, drop some hidden links in the page; bots will follow, people almost never will.