WordPress, deactivate password recovery link in recovery email - wordpress

How do I disable the password recovery link in a WordPress password recovery email?
The email, along with the link, is generated and sent by WordPress when you press the lost password link. WordPress says just ignore the email, but the recovery link is still active and can lead anyone to a page to reset the password to that account. I want to force that link to expire prematurely.
I have tried changing the authentication keys and salts, playing around with the account but what I don't want to do is delete the account and create a new one.

Related

How can I require a password every visit for a WordPress password protected page?

The password-protected page feature in WordPress is great for what I need EXCEPT that it doesn't require the password every time and when I delete the password the user can still get in.
How can I get it to require the password every time?
I assume you are changing the visibility of a specific page or post to "password protected". You save this change after that.
You cannot use a password which is longer than 20 characters, have a look:
https://wordpress.org/support/article/using-password-protection/
If you experience that you do not have to enter a password, it probably is caused by your browser remembering the password in a cookie.
Please notice (from the link above):
"WordPress stores this password in a browser cookie so readers don’t have to re-enter passwords if they visit the same page multiple times. Furthermore, if multiple posts use the same password, the reader will only have to enter the password once to access every post (see caveat below)."
So to answer your question, the WordPress Password-Protected page feature forces the user to enter a password to view the content, as you wish it to be.
The password is required every time unless a cookie has already been set.

How to show the user their automatically generated password after social login?

I am faced with a beautiful enigma. In WordPress I have a widget that allows you to log in with social login (Google and Facebook). When you log in for the first time, the system automatically generates a password and username. This works well. I checked the database and the password is correctly present as hashed.
Now, the problem is that if the user goes into profile settings and wants to change their password they have to enter current password first, but they can't know it since it was generated automatically.
I would like to give the user full control over the security of his account, so that he can change his password even if he is logged in with the social login.
So I foresee three possible solutions:
1. Allow the password to be changed without entering the current one (but it seems insecure).
2. Email the automatically generated password (and I have no idea how I could do it). Or alternatively view it in the user's profile but I don't know how safe it is.
3. Disable social login and rely on the classic registration :)
Has anyone faced a similar situation before? Can you clarify this with some standard method / practice?
You can allow the user to ask for a new password he/she specifies. The user will specify the password twice (password and confirm password fields) and then you:
1. encrypt the password the user asked for
2. store the encrypted value somewhere as password candidate (metadata, perhaps)
3. send an email to the user so he/she can confirm that he/she indeed asked for a password
4. once the user clicks on the link you have sent to him/her, replace the value of the password with the password candidate and remove the password candidate
Don't forget that the user is already logged in when he/she changes his/her password, adding an email validation to the password he/she asked for is pretty safe.
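An added example, not part of the original answer and not WordPress code: a framework-independent Python model of the staged password change described in the steps above. It assumes a salted PBKDF2 hash where the answer says "encrypt", a one-hour link lifetime, and hypothetical names (request_change, confirm_change, the user dict); sending the e-mail is left to the caller.

```python
import hashlib
import hmac
import os
import secrets
import time

TOKEN_TTL = 3600  # assumed lifetime of the confirmation link, in seconds

def hash_password(password, salt=None):
    """Salted PBKDF2 hash; only this value is stored, never the plaintext."""
    salt = salt or os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def verify_password(password, stored):
    return hmac.compare_digest(hash_password(password, stored[:16]), stored)

def request_change(user, new_password, confirm_password, now=None):
    """Stage the candidate password and return the token to put in the e-mail."""
    if new_password != confirm_password:
        raise ValueError("passwords do not match")
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    user["pending"] = {
        "password_hash": hash_password(new_password),
        # Keep only a digest of the token, so a database leak cannot confirm.
        "token_digest": hashlib.sha256(token.encode()).digest(),
        "expires": now + TOKEN_TTL,
    }
    return token

def confirm_change(user, token, now=None):
    """Promote the candidate if the token matches and has not expired."""
    now = time.time() if now is None else now
    pending = user.get("pending")
    if pending is None:
        return False
    if now > pending["expires"]:
        del user["pending"]  # an expired link is discarded
        return False
    digest = hashlib.sha256(token.encode()).digest()
    if not hmac.compare_digest(digest, pending["token_digest"]):
        return False
    user["password_hash"] = pending["password_hash"]
    del user["pending"]  # single use: the same link cannot be replayed
    return True
```

The live password only changes inside confirm_change, so an unconfirmed or expired request leaves the account exactly as it was.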

What is the exact purpose of expiring a password reset link?

If someone has access to the link, they most likely have access to the user's email account to which the email with the link was sent and can request (and read) a new password reset link email at will.

How to reset password in drupal 7?

I want the following functionality when a user clicks on 'forgot password':
I want the user to get an email to reset his password (i.e., a password reset link to be sent). When he clicks on the link, a new password should be generated and sent to his email.
Any idea?
Thanks
Drupal already has password reset functionality but it's not working exactly as you want it since sending passwords over email is not safe.
Instead you get a link for one time login where you can reset your password (is it safer at all?).
URL for password reset page is /user/password

Forms Authentication - How to verify username and pwd of inactive user?

I'm using forms authentication for an app that allows users to register but not active. We will send out an activation code via snail mail (long story) and the user can return with that info and activate their account.
I want to create a page where the user can come back and enter their username, password and generated key to activate the account. The key I have stored in another table and I plan to generate it. I'm having trouble verifying the username and password with an inactive account. I've tried Membership.ValidateUser(username,password) and it fails but if I activate the account, it works.
Ideas on how to check this?
Activate the account first.
If you are sending them the activation code in an email, have an anonymous access page which receives the activation code from the email (perhaps via querystring), activates the account, and redirects them to a login page with forms authentication activated (assuming the username and password are already created).
If the access code is invalid and fails, you can optionally deactivate the account.
I would not set IsActive = false. That is for disabling an account, preventing any type of login. Instead, I do not see a problem leaving them with the ability to login. I would use a Membership Role to specify when a user is verified. I.e. "Verified".
If they have not activated their account and attempt to login, you simply check to see if they have the Verified role. If not, redirect them to a page of "Your account is not yet activated. Please wait for snail mail". Or a "Please enter your verification code below." message.
When they do finally enter the proper verification code from snail mail, you simply add them to the Verified role.
This gives you the control of allowing them to login and "check" the status of their account. And, resolves your IsActive issue.
