WordPress.org

Ready to get started?Download WordPress

Forums

User Deficiencies (2 posts)

  1. kingjeffrey
    Member
    Posted 8 years ago #

    I have noticed two issues in administrative management of users that could cause problems. Specifically, actions that users could take with their account that could maliciously cause issues.

    First, while users are sent a password to their email upon registration to ensure valid email address(great feature), there is nothing that prevents them from immediately changing the valid address in their profile to a fake address. Not only does the admin have no way to retreive the correct address, this could enable someone to hijack another person's identity (say by pretending to be a well recognized blogger, seemingly verified by having that blogger's same email). This could be solved by emailing a new password to the new address upon change and immediately logging the user out until retreival of that password.

    Secondly, while each user has a unique username, there is nothing that prevents multiple users from electing to be publically identified by the same name (i.e. nonunique first and last names). Perhaps a system could be developed that locks public names once in use by a user, thus preventing other users from using the same name.

  2. Kafkaesqui

    Posted 8 years ago #

    First:
    If someone is pretending to be a "famous blogger" by using their email address, wouldn't this blogger have a larger problem than being registered on various blogs?

    On requiring an authent of a sort when the email address is changed on user accounts, I'm not sure I understand the desire behind it. What's to stop me from using a free and temporary email address, register on your site, then drop the email? It's still the same effect (you don't have a valid address for me), and I don't need to change anything after registration.

    The point of mailing the initial password is merely to verify an actual person is going through the registration process and not some spam or other nefarious, automated tool.

    Secondly:
    There is a way to keep displayed names for authors (assuming this is what you meant) unique. For example, the_author() template tag can be set to display the login rather than the chosen 'display' name. It could even be combined (with multiple instances of the_author()) to show full name/login, display/nickname, or whatever.

Topic Closed

This topic has been closed to new replies.

About this Topic