How can I get rid of spam users - plone

The company I work for has a small Plone blog, but we have a problem with spam accounts. We use a captcha on the site, and Plone sends the users a mail that they must confirm before they can edit their user profile. Still, about 600 spam users are created every day. In the Plone user profile they paste all kinds of commercial links.
We are located in Denmark and the blog is in Danish, so I have made a script that deletes all users with a non-Danish mail address. But even though most of the real users have a Danish mail account, I probably still delete some real users when running the script.
The spam users register from a wide range of IP addresses, so blocking IPs is not an option.
Does anyone have ideas about what to do about this problem?

Disable Plone comments/public user creation and use a third party commenting service such as Disqus.

They somehow trick reCAPTCHA (if you find out, please let me know :)
But how do they do the email validation? They don't have to. Plone's join_form has a hidden field for the password which is filled in by this bot, and Plone saves it as the real password (check the REQUEST object coming from this bot).
So the bot doesn't need to check email for a password. That's how they get in and activate those accounts. So fix the hidden password field in join_form.
Then, remove all users that have links in their profile description (as a real user you don't do that, do you?). Also don't let users input HTML in their profile description.
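The two checks this answer recommends, written up as an added Python example (not code from the answer or from Plone itself): rejecting a join request whose hidden password field arrived filled in, and finding or sanitising profiles that carry links or HTML. The field names `password` and `password_confirm`, the form dict and the user record layout are assumptions, not Plone's real join_form names or storage.

```python
import re

# Assumed names of join-form fields that a browser leaves hidden and empty.
# Plone's real field names may differ. A value here means a script, not a
# person, built the POST, so the account must not be created or activated.
HIDDEN_PASSWORD_FIELDS = ("password", "password_confirm")

URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)
TAG_RE = re.compile(r"<[^>]+>")


def is_bot_join_request(form):
    """True when a hidden password field arrived with a non-empty value."""
    return any(str(form.get(name, "")).strip() for name in HIDDEN_PASSWORD_FIELDS)


def profile_is_spam(description):
    """Flag profile text that carries links or HTML markup."""
    return bool(URL_RE.search(description) or TAG_RE.search(description))


def sanitize_description(description):
    """Strip markup so a stored profile can never render a tag or a link."""
    return TAG_RE.sub("", description).strip()


def find_spam_accounts(users):
    """Return the ids of accounts whose profile description looks like spam."""
    return [u["id"] for u in users if profile_is_spam(u.get("description", ""))]


# Constructed sample data, not captured from any real site.
SAMPLE_FORM_FROM_BROWSER = {"username": "anne", "email": "anne@example.dk", "password": ""}
SAMPLE_FORM_FROM_BOT = {"username": "seo4u", "email": "x@example.com", "password": "hunter2"}
SAMPLE_USERS = [
    {"id": "anne", "description": "Jeg skriver om havearbejde."},
    {"id": "seo4u", "description": "Buy now http://example.com/cheap-deals"},
    {"id": "bot77", "description": "<a href='http://example.net'>click</a>"},
]

if __name__ == "__main__":
    print(is_bot_join_request(SAMPLE_FORM_FROM_BROWSER), is_bot_join_request(SAMPLE_FORM_FROM_BOT))
    print(find_spam_accounts(SAMPLE_USERS))
```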

Related

Verification required for WordPress site

I have no experience with this and I'm in need of major help. I have a WordPress website that I am trying to connect a Gmail account to, so that the contact form gets sent to a Gmail address. I got it all set up and it is telling me I need verification. This is only being used for my WordPress website. Probably very few users, not a business. Can I get around the verification process or not?
You would need an OAuth Consent Screen for your Project.
You can refer to this blog post on how you can connect a Gmail account on your WordPress site.

Woocommerce + GSuite - Transactional emails best practices? Anyone?

I've been racking my brain for the last couple of days trying to find the best solution for handling my transactional WooCommerce emails, so that customers and store managers (on G Suite at the same domain as my site) get notified of new orders, etc.
TL;DR: I have a WooCommerce store and want the following e-mail behaviour, and I wonder what's the best way to achieve it:
1. WooCommerce emails should not go to my customers' spam folders, and store.manager@mydomain.com and myemail@mydomain.com (G Suite email accounts) should get notified.
2. Use info@mydomain.com and "MyDomain" as the "from" email and name in WooCommerce. Whether info@mydomain.com is an e-mail alias of my G Suite email or a server-side e-mail, I don't care. What I don't want is to configure a new G Suite email just to serve transactional e-mails.
So I'll describe my original situation, the problem and the solutions I've read about:
When I set up the WooCommerce e-mails in settings, using a @mydomain.com email account, two things happened:
1. Customers would receive the e-mails in their spam folder.
2. Store managers did not receive any e-mails whatsoever.
We also have this context info that might be of help:
We are just starting as an e-commerce business, so no big load of emails...
We use the cheapest G Suite plan (with up to 5 accounts) with our domain in Google Domains, so I don't want to use one of those accounts just to handle the transactional e-mails.
So I found the alias option and set up different aliases to both send and receive e-mails, e.g. "info@mydomain.com".
I read the official WooCommerce email FAQ and a bunch of other links in the WordPress forums and Stack Overflow, and I came to find these three courses of action:
1. Set up split delivery and let my transactional e-mail address run from cPanel.
2. Use an SMTP plugin and set it up to use the Gmail API.
3. Create a subdomain, set WooCommerce/the PHP server to send the emails, and just use my G Suite emails as recipients.
I've read tons, and find myself in a loop where I don't know what the best, future-proof option is, but this is what I've tried for every option:
1. I gave up on the idea of split delivery as soon as I found the e-mail alias option in G Suite.
2. I did activate it, and it solved one of my two problems: customers were no longer getting my emails in spam. But the Gmail API won't let me change the "from address", nor even the "from name", unless I select the alias as the default e-mail address in Gmail, which is not something I want; and if the alias (set up as mailer) and the recipient are the same, then G Suite won't show the email in the inbox but in the sent folder (and marked as read). So if the store manager email (storemanagername@mydomain.com) has an alias used to send WooCommerce emails (info@mydomain.com), he won't be notified of new orders.
3. I configured a domain alias in my Google Admin settings as a subdomain (store.mydomain.com), which generates a new email alias with that subdomain; then I created a subdomain on my hosting provider (pointed at nothing for the moment) and had my hosting set up the Google MX records for my subdomain. Without the SMTP plugin it does nothing, regardless of which e-mail I put in the from and recipient fields in the WooCommerce settings. With the SMTP plugin things kind of work, using alias@subdomain.mydomain.com as the recipient, as emails do arrive in the inbox (instead of the sent folder), but the regular mail is doubled and there is a huge postmaster notice about how the domain alias "subdomain.mydomain.com" doesn't exist.
As a related note: Google by default generates a test domain alias, mydomain.com.test-google-a.com. When I use the alias e-mail with this alias domain as the recipient in WooCommerce and the regular G Suite address in the from field, things pretty much work, except that my customers still get the emails in their spam folders.
How would I set up Mailgun or SendGrid to use info@mydomain.com as the sender e-mail address? Would that work better?
I'm not new to WordPress, but I'm definitely a noob at WooCommerce and at email protocols and setup in general.
Do you think you might exceed the G Suite sending limits? That would push you towards the SendGrid/Mailgun/etc. solution for outgoing info@mydomain.com mail, with G Suite accepting the incoming mail however you'd like. Though if it's important to avoid "reply-to" type addresses, make sure to choose a provider/plan that supports running off your domain (SendGrid calls it "domain authentication", Mailgun calls it "domain verification", etc.).
That will likely also solve the initial problem you described in your point #2 (assuming it was due to mail being treated as local to the web server).
If you take that approach, make sure to triple-check your SPF/DKIM/DMARC setup. And depending on which provider you go with, some of their WordPress/WooCommerce integration plugins are... not great. I've been working on summarizing the providers and their plugins, if it's of any help.
And I had a little trouble following who needs to get copies of what, but there's the woocommerce_email_headers filter if it would be helpful to BCC the store managers. You could even do it selectively.

WordPress website restriction or blocking: only registered users can view the website

I am creating a website on top of WordPress. The reason to use WordPress is that we want to restrict or block the entire site: only registered people should be able to access the site, and only after verification. Can anybody help me choose the right plugins to achieve this?
Note: the site will be similar to a membership website, but the users who are going to use it are not paying. We just want to allow only people whom we approve.
Example: these are the steps we are looking for:
1. The default page should be the registration page.
2. Once registered, email verification has to be done by clicking the link in the email sent to the email ID given during registration.
3. After verification, an email with the log-in page link along with username & password goes to the user's registered email ID.
4. The user logs in using the username and password.
5. The user is able to view the entire site.
I AM A NEWBIE IN WORDPRESS.
Thanks
Ashok
Check this plugin: https://fr.wordpress.org/plugins/wp-user-frontend/
It's the best for making membership sites, private pages, registration pages, etc., and it is the best documented plugin for this.
Have fun and welcome to WordPress :)

Using Wordpress post via email with 000webhost

I'm using WordPress 3.8 beta 1 running on 000webhost's free servers. I've created an email address to post to my blog when I don't want to log in, but I can't seem to get it working.
Mail Server: mx.000webhost.com
Login Name: xxxxxxxxxxxxxx@onlinecalc.host56.com
Password: The correct password.
I sent a test post with the subject "Testing WP-Email Post" and the body "I'm trying to use WordPress' post via email system." a few days ago, and the post still hasn't appeared on my blog!
I would suggest using Gmail here. Follow the steps below, which were found on: http://themefuse.com/blog/posting-to-wordpress-via-email-theres-a-safe-way-of-doing-this/
Using Gmail
Yes, Gmail will help us big time here.
Start by creating a new Gmail account with whatever username you wish. You can even go with “secretemailformyblogposting@gmail.com” … it truly doesn’t matter. What matters is what we’re going to do later on.
Go to your Gmail settings. Then “Forwarding and POP/IMAP” and enable the “Enable POP for all mail (even mail that’s already been downloaded)” feature. From now on your Gmail is supporting the possibility of downloading messages via POP protocol (which WordPress uses for email postings).
This next step is the crucial one. What we’re going to do here is choose an email address which will be the only one allowed to send anything to your new Gmail account, and therefore to post something to your blog.
Go to “Filters” and “Create a new filter.” In the “from” field input your primary email address and add a hyphen just before it. Example: -yourmainemail@domain.com. Then press “Create filter with this search.” Tick the “Delete it” checkbox, and press “create filter.”
That’s it.
From now on every email that hasn’t been sent from your own email address will be immediately deleted.

Membership plugin : Can someone sign up using a fake email address?

I'm building a membership site using WordPress and the Membership plugin.
The site is still on my localhost. I did some trial sign-ups and it worked perfectly well. But I noticed that I can use even a fake email address such as xyz@gmail.com or something to sign up and create an account. So that's the problem. I don't know how this will work when I move the site to my server.
But do you guys think this is a security hole?
And what can I do about this as a solution?
Here's what I suggest:
On the registration page, add a field where users need to enter a special code to complete registration, and make the code an image (or at least something robots cannot process easily). This will prevent robots from constantly signing up for new accounts with bogus information.
Next, perform basic email validation to make sure the format is correct.
Next, strip the email address the user entered and verify the domain part is correct and if it is, have your server automatically send an email to the new account holder asking him/her to return to a special section of the site where he/she enters a special registration code assigned to him/her to complete registration.
Also, to save database space (I'm assuming registration info will be stored in one), ask users to complete registration within a limited time period or they will have to start over. If the time is up then relevant data from the database can be removed. I suggest setting the time period to at least one day.
If you are unable to do this, then you may need to find a better plugin that has the functionality I described.
And whatever you do, play with the website on localhost and make as few modifications on the live server as possible. This means: make all changes at once on localhost if you can, then upload everything at once to the live server.
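The registration flow this answer describes (format check, domain check, a per-user code that must be entered within a time limit, stale entries purged), as an added Python example that is not part of the answer or of any WordPress membership plugin. The domain check is a pluggable callable because a real MX lookup needs the network; the default shown only checks syntax, and the clock is injectable so expiry can be exercised offline.

```python
import re
import secrets
import time

EMAIL_RE = re.compile(r"^[^@\s]+@([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")


def domain_is_valid(domain):
    """Default domain check: syntax only (assumption for this example).
    Swap in an MX lookup for production; kept offline so the example runs."""
    return bool(re.fullmatch(r"([A-Za-z0-9-]+\.)+[A-Za-z]{2,}", domain))


class PendingRegistrations:
    """Sign-ups that expire unless the emailed code is entered in time."""

    def __init__(self, ttl_seconds=86400, clock=time.time, check_domain=domain_is_valid):
        self.ttl = ttl_seconds            # answer suggests at least one day
        self.clock = clock
        self.check_domain = check_domain
        self.pending = {}                 # email -> (code, expiry timestamp)

    def start(self, email):
        """Validate the address and return the code to email, or None if rejected."""
        email = email.strip().lower()
        if not EMAIL_RE.match(email) or not self.check_domain(email.split("@", 1)[1]):
            return None
        code = secrets.token_urlsafe(16)  # unguessable, one per sign-up
        self.pending[email] = (code, self.clock() + self.ttl)
        return code

    def complete(self, email, code):
        """Finish registration: True only for a live, matching, unused code."""
        self.purge_expired()
        email = email.strip().lower()
        entry = self.pending.get(email)
        if entry is None or not secrets.compare_digest(entry[0].encode(), code.encode()):
            return False
        del self.pending[email]           # single use
        return True

    def purge_expired(self):
        """Drop stale entries so abandoned sign-ups do not fill the database."""
        now = self.clock()
        self.pending = {e: v for e, v in self.pending.items() if v[1] > now}
```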
