May 11, 2016 at 12:31 pm #6861
I’ve been using your plugin for 2 weeks now and it’s truly a very good one. Easy setup, chat features are nice and simple. Really nothing bad to say on the user side and even a great thank you for your work.
The thing is, as some users said before me, there are 2 main problems on the admin side.
– Free user account activation which should follow the same process as paying members – Validation through validation link emailed. This way you don’t have to manually proceed and you’re 100% sure you don’t have fake users.
– Security on login + registration security issue. As some other user said on this thread, login security shouldn’t be displayed that way as it gives potential hackers a potential weakness on your side.
The other security issue is huge imo and I was very surprised about it. When a new user registers I receive an email notification with user details and the password is displayed in it. This gives the opportunity to someone to exploit his user database and, in another way, let’s say I have my admin email hacked, then all my users’ passwords leak.
Thank you again for your great work but these security issues are huge and need a fix asap.
Devin.

May 12, 2016 at 2:17 am #6869
Hi thank you for your request and using this plugin 🙂
Do you currently use the Form Builder add-on?

May 12, 2016 at 7:54 am #6870
No I don’t and it’s not related to what users are requesting here.
In the case you need people to buy the plugin in order to get those features, I’ll buy the plugin if we get these features 😉

May 12, 2016 at 10:17 pm #6874
Hi, the Form Builder add-on has more control over the forms including the Free Membership sign up. In regards to security and password notification, the plugin developers will look into it further.
Kind regards

May 13, 2016 at 6:22 am #6878
The email that goes out is fully editable. You simply go to the email settings menu of the plugin, then remove any details that you don’t want to send out. The default configuration is applied for a simple setup. Everyone will have different needs and opinions about the setup. So you just edit the settings and adjust it to what you want.
Any user-friendly login system will show the user a proper message so the user knows what is wrong and can correct accordingly. I totally understand what you are saying but also understand the following:
This login system ONLY gives access to protected content that is protected using this plugin (not your site admin). So there is not much incentive for hackers to do anything with the login system. Besides, brute-force systems don’t exactly work that way (that is a separate topic). Login security is very important but so is the user-friendliness. You can customize the language file to remove that message on your site if you don’t want to show it. Most of these things can be changed on your site (if you have any concern about it).
What content you are protecting is a big factor here that you need to consider. Our system is definitely not going to be suitable for everyone out there. If you need a simple system for a simple membership type site then it will be good. Otherwise you will need to look at an alternative solution. We don’t want to make a global change to the plugin that will upset other users who love it just the way it is. So we have to balance the default behavior of the plugin based on what MOST of our users want. Others can change the configuration to what they want.
We do have plans to add some kind of a feature for the free registration to do the same as the paid ones.

May 13, 2016 at 12:02 pm #6883
I understand that we can do any customizations that we want to, so that it shows the messages we want, but when the plugin gets updated, all of our changes will be erased. Then we are back to where we are now. I am not asking you to rewrite the plugin and upset MOST of your users. All you need to do is create a setting to customize the failed login messages. One setting for the wrong username message and one setting for the wrong password message. Default the messages to what they currently are. Then those who are more security aware can take the needed measures and you don’t run the risk of upsetting MOST of your users.
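The two defensive patterns argued for in this thread, as an added illustration that is not the plugin's own code: a failed-login message that is the same whether the username or the password was wrong (so the form cannot be used to enumerate valid accounts), optionally overridable per site by a setting as the post above proposes, and an admin registration notification that never carries the password. All function, option and field names below are hypothetical, and the sample users are constructed.

```php
<?php
// Added illustration, not the plugin's own code. Function names, setting keys
// and member fields are hypothetical; the sample data is constructed.

// Default failure text: identical for "unknown user" and "wrong password", so a
// probe of the login form learns nothing about which usernames exist.
const LOGIN_FAILED_DEFAULT = 'Invalid username or password.';

// Hash verified on the unknown-user path so its response time resembles the
// wrong-password path (a timing difference would also reveal valid usernames).
define('DUMMY_HASH', password_hash('dummy-value-never-a-real-password', PASSWORD_DEFAULT));

/**
 * Look up the per-reason message from the site settings (hypothetical keys
 * login_failed_username / login_failed_password). When a site has not set one,
 * both reasons fall back to the same generic text, so the secure behaviour is
 * the default and a more specific message is an explicit administrator choice.
 */
function get_login_message(array $settings, string $reason): string {
    $msg = $settings['login_failed_' . $reason] ?? '';
    return $msg !== '' ? $msg : LOGIN_FAILED_DEFAULT;
}

/**
 * Verify credentials against an array of users keyed by username whose values
 * are password_hash() strings. Returns ['ok' => bool, 'message' => string].
 */
function attempt_login(array $users, array $settings, string $username, string $password): array {
    if (!isset($users[$username])) {
        password_verify($password, DUMMY_HASH); // equalise timing, result ignored
        return ['ok' => false, 'message' => get_login_message($settings, 'username')];
    }
    if (!password_verify($password, $users[$username])) {
        return ['ok' => false, 'message' => get_login_message($settings, 'password')];
    }
    return ['ok' => true, 'message' => ''];
}

/**
 * Build the admin notification for a new registration from an allow-list of
 * fields. The password is deliberately not on the list: the administrator has
 * no use for it, and a compromised admin mailbox would otherwise expose every
 * member's password.
 */
function build_admin_notification(array $member): array {
    $allowed = ['username', 'email', 'membership_level', 'registered_at'];
    $lines = [];
    foreach ($allowed as $field) {
        if (isset($member[$field])) {
            $lines[] = ucfirst(str_replace('_', ' ', $field)) . ': ' . $member[$field];
        }
    }
    return [
        'subject' => 'New member registration: ' . ($member['username'] ?? '(unknown)'),
        'body'    => implode("\n", $lines),
    ];
}

// Constructed sample data.
$users = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];
$settings = []; // no overrides: both failure paths return the generic message

$unknownUser   = attempt_login($users, $settings, 'nobody', 'anything');
$wrongPassword = attempt_login($users, $settings, 'alice', 'wrong');
$success       = attempt_login($users, $settings, 'alice', 'correct horse battery staple');
assert($unknownUser['message'] === $wrongPassword['message']); // failures are indistinguishable
assert($success['ok'] === true);

$note = build_admin_notification([
    'username'         => 'alice',
    'email'            => 'alice@example.com',
    'membership_level' => 'free',
    'password'         => 'correct horse battery staple', // present in input, never mailed
    'registered_at'    => '2016-05-11',
]);
assert(strpos($note['body'], 'correct horse') === false);
echo $note['subject'], "\n", $note['body'], "\n";
```

Leaving both setting keys empty gives the generic message, which is the configuration a site should ship with; an administrator who wants the friendlier per-reason wording the developer defends above can set the two keys and accepts the enumeration trade-off knowingly. The notification builder works from an allow-list rather than stripping the password out afterwards, so a new field added to the registration form is not mailed until someone decides it should be.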
If you think for one second that people don’t use login systems like this to break in to sites, then you would be very mistaken. I know of people personally who do, which is why I am bringing this to your attention. People and companies use this plugin to protect whatever they protect. Some to make money from it and others not. MOST of your users will not have enough knowledge to know this is a security flaw and thus don’t care. But when your customers start losing money because of your plugin and its lack of security, they will start going elsewhere and find a more secure plugin. Anybody who has been in the IT field long enough will know this. To be honest with you, the fact that some of your customers are having to argue with you about this is SAD.