WordPress.org

Hi Jeff,

Thanks for the great plugin! - Unfortunately, it breaks the XHTML validity, because the links are not encoded (e.g. & are not &s; in register links).

In addition I would have one security suggestion, which I've already posted in trac:

"as i have a public authors list on my blog, an attacker could easily use this list to bother my users with password-reset mails.

fortunately, we have the lostpassword_post hook, thus i'm able to redirect all lost-password request, which are not based on registered e-mail addresses, to wp-login.php?action=lostpassword. nevertheless, to avoid confusing my users, i still need to manually change the messages in wp-login.php from '*username or e-mail*' to only '*e-mail*'."

This also applies for the message in your plugin and it would be great if you could include the necessary filters/options to harden password resets.

Cheers,
Berny

http://wordpress.org/extend/plugins/theme-my-login/

I've just figured out, that you can actually already set a customized message for password resets. - Just missing that 'Username or E-mail:' can be changed to 'E-Mail' only...

I have to say, I really like your plugin. Took a few years to find a plugin that smoothly integrates the login into the front-end...

Though, I've figured out two more things:

- I also use the plugin Sabre (anti-bot registration engine). - It works together with TML, but does not include username and e-mail address in its table when new users are registered. The reason is that TML does not use the original form field names (user_login instead of user_login-tml-main and user_email instead of user_email-tml-main). I adopted the code in Sabre to accept the input from these field names. - Do you think there is a chance that you could revert to the original WP field names?

- I use wp_register and wp_loginout in my sidebar (with redirects to the current page). - If I click on Lost Password or Register in the TML div and subsequently use the Log In link in the sidebar, TML will redirect me again to the Lost Password or Register page instead of showing up the Log In page. Only after a second click the registration page opens as intended. - I know, a minor thing, but I also wanted to provide you with feedback in that case.

From a performance/overhead point of view the loading time could also be reduced in case login_head would only be included on the /login/ page. I solved that by commenting out the code in your plugin and calling do_action in my login template. Maybe you could add a condition which restricts the wp_head > login_head calls to the /login/ page or serve it globally if the widget is enabled. An option like the css-include would also be awesome.

The work-around/patch to the XHTML bug I've mentioned before is so far two-folded:

• wp_register() -> use static link (no idea yet why it works with wp_loginout() and not with wp_register()
• class.wp-login.php, function GuessURL() add htmlentities(); so it becomes $url = htmlentities(add_query_arg($args, $url))

Thanks again for your work! :)
Berny

Berny,

I actually plan on re-writing a majority of the plugin with version 4.4. I have just been too busy with paid work. I will try to get started on it as soon as possible because I also see people ahev voted it "broken" with the new compatibility rating feature here.

Hi Jeff,

Thanks for the update! - Unfortunately I now get even more errors when doing the XHTML validity check (errors as mentioned before + an orphaned