I'm trying to use WordPress as a website CMS for a kiosk. Each kiosk needs a unique username, therefore it must be logged in to WordPress.
I believe WordPress does not use session IDs, so how can I ensure the user is never logged out of the site, even after X days of inactivity?
Thanks in advance.
How about simply using the auth_cookie_expiration filter:
    // Return the desired cookie lifetime in seconds (here: two years).
    add_filter( 'auth_cookie_expiration', function () {
        return YEAR_IN_SECONDS * 2;
    } );
There seem to be mixed accepted answers. First, you should never modify the WordPress core code. Ever. Secondly, per the WordPress developer codex, the "auth_cookie_expiration" filter is what needs to be used here.
    add_filter( 'auth_cookie_expiration', 'wpdev_login_session' );
    function wpdev_login_session( $expire ) { // Set login session limit in seconds
        return YEAR_IN_SECONDS;
        // return MONTH_IN_SECONDS;
        // return DAY_IN_SECONDS;
        // return HOUR_IN_SECONDS;
    }
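The answers above extend the cookie for every account on the site. As an added example (not code from the thread), this variant uses the filter's `$user_id` argument so that only accounts flagged as kiosks get the long lifetime, while administrators keep the default; the `kiosk_account` user-meta key is an assumed convention the site owner would set.

```php
<?php
// Added example: the filter receives the default length, the user ID and the
// "Remember Me" flag. Extend the cookie only for kiosk accounts, never for
// accounts that can manage the site.
add_filter( 'auth_cookie_expiration', 'kiosk_auth_cookie_expiration', 10, 3 );

function kiosk_auth_cookie_expiration( $length, $user_id, $remember ) {
    // Assumed convention: the site owner sets user meta kiosk_account = '1'.
    $is_kiosk = ( '1' === get_user_meta( $user_id, 'kiosk_account', true ) );

    if ( $is_kiosk && ! user_can( $user_id, 'manage_options' ) ) {
        return YEAR_IN_SECONDS; // kiosk stays logged in for a year
    }

    // Everyone else keeps WordPress' default (2 days, 14 with "Remember Me").
    return $length;
}
```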
I've actually created a plugin to deal with this very issue. It uses the idea of persistent login to actually keep users logged into your WordPress website all the time, kind of like how Facebook does it.
Check it out, hope it helps!
WP Persistent Login
You can try configuring the session time for WordPress. Unfortunately, WordPress doesn't allow you to easily manipulate this.
You can try out this plugin: http://wordpress.org/extend/plugins/configure-login-timeout/
You can use the plugin "WP Login Timeout Settings" to achieve this. Under "Settings → Login timeout", it then allows you to configure the login timeout for both a normal login and one with the "Remember Me" box ticked.
That's just the same as what the "configure-login-timeout" plugin does, which was already recommended. Just that "WP Login Timeout Settings" seems to be a bit more actively maintained at the moment.
Since last week I keep getting alerts about failed login attempts on my WordPress site.
The first couple of days the attacker used a wrong username and subsequently was locked out after 3 attempts. I use the Sucuri free and WP Security plugins. The latter one has a login lockdown function.
My surprise came when, after a couple of days, the attacker found and used my username. I immediately changed it to a new username, thinking that I would be safe. I also used most of the hardening options on both plugins. I specifically checked that the string ?author=n does not provide any results on my website.
Regardless, today I got 3 more alerts that someone tried to login with this new username, which means I am locked out of my own site for 24 hours.
This leaves me wondering:
a) How is it possible for someone to find my username?
b) Is there any other plugin like Cerber Security that prevents these exploits?
c) Is there any rule I can add to .htaccess? (Although I believe that Sucuri and WP Security have added several rules.)
many thanks!
Listing users
A user can list your usernames using:
    yoursite.com?author=1
where the ID is a user_id.
You can prevent it by detecting the author page and redirecting, with this for example (put in your theme's functions.php):
    // Disable access to author pages
    function remove_author_pages_page() {
        global $wp_query;
        if ( is_author() ) {
            $wp_query->set_404();
            status_header( 404 );
            wp_redirect( get_option( 'home' ) );
            exit; // always stop execution after wp_redirect()
        }
    }
    add_action( 'template_redirect', 'remove_author_pages_page' );
Find username from wp-admin
An attacker can find a username by trying to log in on wp-admin.
If an attacker enters a valid username, even with a wrong password, the WordPress error message changes, so the attacker knows that the username exists.
You can add this code to your functions.php to prevent wp-admin wrong-login error messages from giving away any information.
Code:
    // Replace every login error with the same generic message
    function no_wordpress_errors() {
        return '<strong>Error</strong>: check your logins';
    }
    add_filter( 'login_errors', 'no_wordpress_errors' );
Prevent wp-admin brute force
This is a solution I really like:
It uses the wp-fail2ban plugin.
Your server needs the fail2ban package installed and configured.
This package allows you to ban (via iptables) IPs that fail too many times to connect over SSH, or brute-force a port.
The wp-fail2ban plugin gives you a custom fail2ban jail to add to your fail2ban jails (the WP plugin has complete documentation about it).
With both installed, fail2ban will ban IPs that fail too often on wp-admin (at the iptables level, so PHP is not even reached. The attacker, in the end, won't use much server resources as the server will block his IP. He cannot even reach PHP).
Some other plugins (like Wordfence) also provide some security, but as the request reaches PHP the attacker uses much more resources. They need less technical knowledge to implement, though.
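One caveat to the author-page snippet above, as an added example that is not part of the original answer: WordPress' own redirect_canonical() is also hooked on template_redirect at priority 10, and it answers ?author=N with a 301 to /author/<nicename>/, which is itself the disclosure the asker is trying to close. Hooking at an earlier priority and serving a plain 404 (rather than a redirect, which confirms the ID exists) avoids that; the function name is an assumed one.

```php
<?php
// Added example: run before redirect_canonical() (priority 10) so the
// ?author=N request never reaches the canonical redirect that would reveal
// the author slug in the Location header.
add_action( 'template_redirect', 'kb_block_author_enumeration', 1 );

function kb_block_author_enumeration() {
    global $wp_query;

    // Covers pretty author archives as well as raw ?author=N queries. Note that
    // this also blocks any front-end URL carrying an author parameter.
    if ( ! is_author() && ! isset( $_GET['author'] ) ) {
        return;
    }

    $wp_query->set_404();
    status_header( 404 );
    nocache_headers();

    // Render the theme's 404 page if it has one, then stop; no redirect.
    $template = get_404_template();
    if ( $template ) {
        include $template;
    }
    exit;
}
```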
I am developing an extension for a plugin and would like to run some code every time a user logs in. Because I extend a plugin, I wanted to use the already written functions, which internally call is_user_logged_in(). If I register for the wp_login action and run is_user_logged_in in my action hook, it returns false, which seems really weird.
Code I was running:
    add_action( 'wp_login', 'exhib_persist_cookies_after_login' );

    /*
     * This method will persist the favorite posts from the cookies just after someone logs in.
     */
    function exhib_persist_cookies_after_login() {
        // Check whether WordPress considers the user logged in at this point
        if ( is_user_logged_in() ) {
            error_log( "persist: USER LOGGED IN" );
        } else {
            error_log( "persist: USER NOT LOGGED IN" );
        }
    }
And in the log I see USER NOT LOGGED IN.
Does anyone have a clue why this is happening? I thought is_user_logged_in checks for the auth cookie, which according to the docs is already set before wp_login is called.
Or does anyone have another idea which action I should register for, one that only fires once a user has logged in and where is_user_logged_in returns true?
Before you even look at why the modification isn't working, you should think about changing how you're modifying the plugin. Directly modifying a plugin is dangerous. It breaks the upgrade path preventing you from applying upgrades in the future which could resolve critical issues with the plugin itself. The same functionality could be achieved by creating a simple plugin that contains nothing but the code you want to run.
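As an added example, not the asker's or the answerer's code: a minimal stand-alone plugin of the kind the answer suggests. It uses the WP_User object that the wp_login action passes as its second argument. When wp_login fires, the auth cookie has only just been added to the response headers, so $_COOKIE for the current request still lacks it and is_user_logged_in() reports false; calling wp_set_current_user() with that ID makes the plugin's existing functions behave for the rest of the request. The plugin and function names are assumed.

```php
<?php
/*
Plugin Name: Exhib After-Login Hook (example)
Description: Runs code after a successful login using the user object wp_login provides.
*/

// wp_login passes ($user_login, WP_User $user); ask for both arguments.
add_action( 'wp_login', 'exhib_after_login', 10, 2 );

function exhib_after_login( $user_login, $user ) {
    // The cookie was just sent, but this request's $_COOKIE predates it, so
    // is_user_logged_in() would still be false. Set the current user explicitly.
    wp_set_current_user( $user->ID );

    if ( is_user_logged_in() ) {
        error_log( sprintf( 'persist: user %d (%s) logged in', $user->ID, $user_login ) );
        // The extended plugin's functions that call is_user_logged_in()
        // can now be invoked here.
    }
}
```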
Could you please advise me how to check user status upon login?
I have added a new field named user_flag in the wp_users table to control user status. user_flag has a value of active or deactivate.
I want to check this field's value when a user logs in.
If the value is active, then the user can proceed with login,
but if the value is deactivate, then the user cannot log in, and a message will be displayed to notify the user that his account is deactivated and he needs to contact the admin to re-activate the account before he can log in.
I looked at the wp-login.php file but had no idea where to write the code to check the above logic. Could you please advise me where to check user_flag at login time?
Thank you so much.
Stop trying to modify core code and learn to use the pluggable architecture. Also stop modifying the core database tables. You can store additional fields for users in the usermeta table with add_user_meta and retrieve them with get_user_meta. If you start modifying core code and database tables, you will never be able to upgrade WordPress.
To answer your question, use something like the following in functions.php
    add_filter( 'wp_authenticate_user', function ( $user, $password ) {
        // An earlier filter may already have rejected the login; pass that through.
        if ( is_wp_error( $user ) ) {
            return $user;
        }
        if ( get_user_meta( $user->ID, 'user_flag', true ) === 'active' ) {
            return $user;
        }
        // WP_Error takes an error code and a message; the message is shown on the login form.
        return new WP_Error( 'account_not_active', 'Account not active. Please contact the administrator to re-activate it.' );
    }, 10, 2 );
See https://codex.wordpress.org/Plugin_API/Filter_Reference/wp_authenticate_user
I've looked over hundreds of answers for similar issues to this but can't find anything that seems to help.
I'm running the latest version of the PHP SDK and a "login to Facebook" button which has a link generated from getLoginUrl().
Running on my development laptop and logged in as the application developer, it passes me back to the redirect URL (both the callback URL when calling getLoginUrl() and the URL set in my application settings are exactly the same). I then do a getUser call, which works in these circumstances.
If I try the same process using my iPhone on the same network, logged in as the same user on Facebook, getUser() returns 0.
It also does the same for any other user trying to log in with Facebook.
Sandbox mode is disabled.
My app domains seem to be set up correctly.
I'm really unsure of what to do next.
Many thanks for your responses guys - turns out the issue was I was sending the request from one page and redirecting back to another. This seems to upset Facebook (I'm guessing it will only redirect back to the page it was called from).
That solved the problem anyway - but many thanks for your responses.
First make sure you are maintaining sessions in your scripts with session_start(); at the top of your PHP file.
Next use something like this to test if you have an FB user and, if not, redirect them to the OAuth flow, which will just renew their token if they've already authorized but it's expired.
    require_once( 'facebook/fb.inc' );
    session_start();

    // Instantiate the SDK; replace the placeholders with your app's credentials.
    $facebook = new Facebook( array(
        'appId'  => 'YOUR_APP_ID',
        'secret' => 'YOUR_APP_SECRET',
    ) );

    // getUser() returns 0 when there is no valid user session
    $fbUser = $facebook->getUser();

    if ( ! $fbUser ) {
        $loginUrl = $facebook->getLoginUrl(
            array(
                'scope'        => 'email,publish_stream,user_location',
                'redirect_uri' => 'http://scubadivinglog.org/php/fblink.php'
            )
        );
        // Redirect the top window (works when running inside a canvas iframe too)
        echo "<script type='text/javascript'>top.location.href = '$loginUrl';</script>";
        exit;
    }
Hope this helps. Let us know and if not post the code you are using.
Currently if a user is not logged in, they are redirected to the "login page" when checking out in UberCart. I need them to rather be redirected to the "registration" page.
In other words:
Go here: user/register
NOT here: user
The key here is to get it to work with UberCart. I know you can use LoginToboggan and other tricks to do it normally, but I can't get it to work with UberCart.
UPDATE
I still don't have a decent solution, so I added a bounty for this. Currently, if you have "anonymous checkout" disabled, Ubercart automatically adds these messages:
You must login before you can proceed to checkout.
If you do not have an account yet, you should register now.
This is also a problem in that it doesn't make sense showing them if you go to the user page. So even my hard hack of forwarding the user to "user/register?destination=cart/checkout" whenever it encounters "user?destination=cart/checkout" and the user is not logged in does not work that well.
Any ideas?
UPDATE 2
This is where the magic happens: line 94, uc_cart.pages.inc
    // Send anonymous users to login page when anonymous checkout is disabled.
    if (!$user->uid && !variable_get('uc_checkout_anonymous', TRUE)) {
      drupal_set_message(t('You must login before you can proceed to checkout.'));
      if (variable_get('user_register', 1) != 0) {
        // The !url placeholder is filled from the array; the link markup was lost in the copy above.
        drupal_set_message(t('If you do not have an account yet, you should <a href="!url">register now</a>.', array('!url' => url('user/register', array('query' => drupal_get_destination())))));
      }
      drupal_goto('user', array('query' => drupal_get_destination()));
    }
So, basically I need a way to override that behaviour (i.e. without hacking core)?
You should look into the Rules and Token modules. You will create a rule that, when a user logs in, redirects to the TOKEN. Make sure you enable the Token actions module as well.