WP-Members and Login with AJAX (23 posts)

  1. Wombo55
    Member
    Posted 1 year ago #

    I have a members only site utilising the WP-Members plugin which is great. I also have Login with Ajax and Theme my Login plugin (among many others).

    I prefer the login widget from Login with Ajax and want to use it exclusively for logging into the site. How can I achieve this (i.e. how can I remove the WP-Members login box without removing the plugin's functionality)?

    I have no expertise with .php

    Thanks in advance for any help you can give

  2. Wombo55
    Member
    Posted 1 year ago #

    I now have a problem with what appears to be a conflict between Login with Ajax and the BulletProof Security plugin which I recently installed. Users are unable to reset their passwords because when they click on "Get New Password" in the Login with Ajax widget it doesn't load properly. It just "hangs" with the wheel going around incessantly.

    I have deactivated BulletProof Security, but the problem still exists.

    If I delete the plugin will that remove all the files that were created during its installation or will I have to try to isolate all of those files and delete them manually?

  3. AITpro
    Member
    Posted 1 year ago #

    If 2 or more plugins have the same features/are doing the exact or similar things then you would want to choose which feature to use. If plugin features are doing the same or similar things then there is most likely going to be some sort of a conflict.

  4. Wombo55
    Member
    Posted 1 year ago #

    Thanks AITpro. Actually I deactivated Theme my Login and BulletProof Security (and a few others) just after I made that last post and the login conflict seems to have been resolved.

    However I still have the issue of the login boxes. As I initially said I prefer the Login with Ajax sidebar widget, but I can't seem to work out how to have it as the only login facility. The WP-Members login still appears in the body of the page but I don't want the WP-Members login to appear at all. I want to deactivate that part of the plugin.

    I love the user control that WP-Members gives me with the site, but I would like to know if it is even possible for the plugin to work with the login box deactivated.

    Hopefully someone will be able to steer me in the right direction.

  5. Marcus
    NetWebLogic Support
    Posted 1 year ago #

    already aware of BulletProof security as well as Theme my login, will check out WP-Members as well when time permits (please bear in mind it may take a couple of weeks due to time constraints)

    btw, i check the support forum for the plugins themselves, not just the tags. hence my lack of reply.

  6. AITpro
    Member
    Posted 1 year ago #

    You do not need to deactivate BPS to turn BPS Login Security Off. You can turn BPS Login Security Off on the BPS Login Security page. I believe that you can also turn TML Login Security Off too, but I am not totally sure about that.

    Activate BPS again and check your BPS Security Log. If BPS is blocking something then you will see that error logged in the BPS Security Log. If you see an error logged then post it.

    As of BPS .47.8 Security Logging / HTTP Error Logging has been added. If you are experiencing a possible plugin conflict or some other issue or problem on your website check the BPS Security Log tab page for any errors related to the issue/problem. Create a new Topic and post the error message that is related to the issue/problem.

    If you think that BulletProof Security is causing a plugin conflict or any other issue on your website that is causing something not to work, then please use these steps below to take BulletProof Security out of the equation completely for testing. There is no need to deactivate BulletProof Security because it has a built-in Default Mode that allows you to put WordPress in a default state without deactivating BulletProof Security.

    1. Make a backup of your .htaccess files using BulletProof Security built-in Backup.
    2. Activate Default Mode on the Security Modes page.
    3. Use the Delete wp-admin .htaccess feature on the Security Modes page.
    4. If the issue/problem is related to Login Security turn Off Login Security on the Login Security & Monitoring page.
    5. Test your plugin or theme.
    6. Restore your .htaccess files using BulletProof Security built-in Restore.

    To completely uninstall BulletProof Security you would do steps 2 and 3 above and then just delete the BulletProof Security plugin on the WP Plugins page.

  7. Marcus
    NetWebLogic Support
    Posted 1 year ago #

    @AITpro didn't realize you were the author of BPS, thx for chipping in :)

    will keep this in mind when testing BPS

  8. AITpro
    Member
    Posted 1 year ago #

    @Marcus - yep we are trying to follow more of a standard App model/method of built-in troubleshooting capability with error logging to make troubleshooting simpler/accurate/definite (ie no guesswork).

    BPS does block admin-ajax.php by default so my guess is that if BPS is causing this issue then most likely it is because admin-ajax.php is being blocked. We have debated for a very long time whether or not to whitelist admin-ajax.php by default. Some folks want admin-ajax.php blocked by default so what we are planning on doing is something like this.

    Admin notice w/usermeta Dismiss button - when a 403 error is triggered/logged due to admin-ajax.php being blocked then display an Admin notice w/dismiss button so that users can decide what they want to do next.

    To whitelist admin-ajax.php in the wp-admin .htaccess file this skip/bypass rule can be added to the wp-admin .htaccess file.

    # admin-ajax.php skip/bypass rule
    RewriteCond %{REQUEST_URI} (admin-ajax\.php) [NC]
    RewriteRule . - [S=2]

  9. Marcus
    NetWebLogic Support
    Posted 1 year ago #

    Troubleshooting tools are a great idea.

    r.e. admin-ajax.php - My opinion - I would advocate profusely NOT blocking it by default, and warning users of the potential consequences on the setting page.

    My other plugin, Events Manager uses admin-ajax.php heavily, and so does any plugin that follows the wp recommended way to use ajax.

    http://codex.wordpress.org/AJAX_in_Plugins

    Blocking it by default is asking for more frustrated users with plugin conflicts (for you and us) and more time troubleshooting :)

    we don't use admin-ajax.php here afaik but we may well resort to it too... some plugins have custom registration pages and so intercepting ajax calls at wp-login.php can cause problems when they redirect to the custom pages, or the form already points to the page which we don't have ajax hooks for.

  10. AITpro
    Member
    Posted 1 year ago #

    Yep, we completely understand the pitfalls of blocking admin-ajax.php generally by default. Another approach would be to create .htaccess conditions that look at/check for the typical attack/exploit/hacking patterns that we see regularly that are trying to exploit admin-ajax.php

    ie

    RewriteCond %{REQUEST_METHOD} ^POST
    RewriteCond %{REQUEST_URI} X something with admin-ajax.php
    RewriteCond %{HTTP_REFERER} !^.*add-your-domain-name-here.com.* [OR]
    RewriteCond if hacker/spammer/dummy X is doing this
    RewriteCond if hacker/spammer/dummy Y is doing this
    RewriteCond if hacker/spammer/dummy Z is doing this

    something along the lines of this BuddyPress Anti-spam registration code that stops/prevents over 45,000 spam registrations per month and saves us countless hours of cleaning up the mess these dummies make.

    # BuddyPress Anti-Spam Registration
    RewriteCond %{REQUEST_METHOD} ^POST
    # only match the register page URI
    RewriteCond %{REQUEST_URI} ^/register/$
    # domain referer is better than IP - allows for subdomains
    RewriteCond %{HTTP_REFERER} !^.*add-your-domain-name-here.com.* [OR]
    # Blank or single hyphen user-agent spoofers or curl
    RewriteCond %{HTTP_USER_AGENT} ^(|-?|curl)$ [NC,OR]
    # HTTP request header
    RewriteCond %{THE_REQUEST} HTTP/1\.0$
    RewriteRule ^(.*)$ /spam-prevention [R=301,L]

  11. AITpro
    Member
    Posted 1 year ago #

    What makes this difficult to do is the errors do not give away the exact method of attack since typically the attacks are not directly at admin-ajax.php, but instead are involving admin-ajax.php in the method of the attack/exploit. ;)

    Important NOTE: admin-ajax.php is very secure in itself. What would make the call or use of admin-ajax.php exploitable would of course depend on what a plugin or theme is doing after calling admin-ajax.php. So to be 100% technically correct admin-ajax.php in itself is not exploitable and it would be the code in a plugin or theme that would be the exploitable code.

  12. AITpro
    Member
    Posted 1 year ago #

    Just saw an interesting attack on our BuddyPress Forum that involved admin-ajax.php and this serves as a neat example:

    This only causes a temporary nuisance and of course does not go any further than that.
    At the top left section of the BuddyPress site you will see the hacker's code displayed during the attack. It is of course stripped out and is only a temporary nuisance.

    hacker (or bonehead) posts javascript into the TinyMCE WYSIWYG editor, which creates a temporary nuisance.

    targets: admin-ajax.php (vicariously), tinymce, BuddyPress and WordPress Admin bar.

  13. Marcus
    NetWebLogic Support
    Posted 1 year ago #

    @AITpro thx for your input

    do you have a recommended constant or similar to check if BPS is loaded? I could just add a notice to the LWA settings page advising them about this potential problem if both our plugins are active.

    if it's a setting issue then that could be the best approach.

  14. AITpro
    Member
    Posted 1 year ago #

    You can do a standard WP "is plugin activated" check and also check for the "admin-ajax" string in the wp-admin .htaccess file w/ Admin Dismiss button.

    function example_simple_active_plugin_check_with_dimiss_admin_notice() {
    	global $current_user;
    	$user_id = $current_user->ID;
    	$plugin_var = 'bulletproof-security/bulletproof-security.php';
    	// Cast to array: get_option() returns false when the option is missing
    	$return_var = in_array( $plugin_var, apply_filters('active_plugins', (array) get_option('active_plugins')));
    	$filename = ABSPATH . 'wp-admin/.htaccess';
    	// file_get_contents() returns false if the file is missing or unreadable
    	$check_string = (string) @file_get_contents($filename);

    	// Skip the notice once this user has dismissed it (user meta set in bps_example_nag_ignore() below)
    	if ( get_user_meta($user_id, 'bps_example_notice', true) ) {
    		return;
    	}

    	// Check if BPS plugin is active and the admin-ajax.php skip/bypass rule does not already exist in the wp-admin .htaccess file
    	// strpos() returns 0 for a match at the start of the file, so compare against false explicitly
    	if ( $return_var && strpos($check_string, "admin-ajax") === false ) {
    		$text = '<div class="update-nag"><li><strong><font color="red">'.__('Your Message here with Dismiss button', 'bulletproof-security').'</font><br>'.__('To Dismiss this Notice click the Dismiss Notice link below. To Reset Dismiss Notices click the Reset/Recheck Dismiss Notices button on the S-Monitor page.', 'bulletproof-security').'<br><a href="index.php?bps_example_nag_ignore=0">'.__('Dismiss Notice', 'bulletproof-security').'</a></strong></li></div>';
    		echo $text;
    	}
    }
    add_action('admin_notices', 'example_simple_active_plugin_check_with_dimiss_admin_notice');

    add_action('admin_init', 'bps_example_nag_ignore');

    function bps_example_nag_ignore() {
    	global $current_user;
    	$user_id = $current_user->ID;

    	if ( isset($_GET['bps_example_nag_ignore']) && '0' == $_GET['bps_example_nag_ignore'] ) {
    		add_user_meta($user_id, 'bps_example_notice', 'true', true);
    	}
    }

  15. AITpro
    Member
    Posted 1 year ago #

    And yes I dream in code - took 10 minutes to whip together. ;)

  16. AITpro
    Member
    Posted 1 year ago #

    If you want extra insurance add
    current_user_can('manage_options');

  17. AITpro
    Member
    Posted 1 year ago #

    Here's the Reset/Recheck Dismiss button code. Create your HTML form of course.

    // Reset/Recheck Dismiss Notices
    function example_reset_dismiss_notice() {
    	if (isset($_POST['Example-Submit']) && current_user_can('manage_options')) {
    		check_admin_referer( 'example_reset_dismiss_notices' );

    		global $current_user;
    		$user_id = $current_user->ID;

    		if ( !delete_user_meta($user_id, 'bps_example_notice') ) {
    			$text = '<div id="message" class="updated fade" style="color:#000000; font-weight:bold; border:1px solid #999999; margin-left:220px; margin-top:9px;"><p>'.__('The X Notice is NOT set. Nothing to reset.', 'bulletproof-security').'</p></div>';
    			echo $text;
    		} else {
    			$text = '<div id="message" class="updated fade" style="color:#008000; font-weight:bold; border:1px solid #999999; margin-left:220px; margin-top:9px;"><p>'.__('Success! The X check is reset.', 'bulletproof-security').'</p><div class="bps-message-button" style="width:90px;margin-bottom:9px;"><a href="admin.php?page=bulletproof-security/admin/monitor/monitor.php">'.__('Refresh Status', 'bulletproof-security').'</a></div></div>';
    			echo $text;
    		}
    	}
    }

  18. Marcus
    NetWebLogic Support
    Posted 1 year ago #

    damn... above and beyond you go :=) thanks!

    I think there probably should be an is_network_activated() or similar but this is very helpful.

  19. AITpro
    Member
    Posted 1 year ago #

    You probably already have/ have implemented dismiss notices before, but I have gotten in the habit when posting in the WP Forums of thinking about the "who else/bigger picture" (thanks to Otto) aspect of who is going to see this stuff. ;)

    Yep, you are right that an additional check for Network/Multisite should probably be added. ;)

  20. AITpro
    Member
    Posted 1 year ago #

    BPS is not designed to be Network Activated due to the way .htaccess files work so you would not need to add that additional check for checking the BPS plugin, but yeah if you were checking for another plugin that does do Network Activation then yep that check would be needed.

    Using W3TC as an example:

    if ($return_var == 1 || is_plugin_active_for_network( 'w3-total-cache/w3-total-cache.php' )) { // checks if W3TC is active for Single site or Network
    ...
    ...
    ...
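
A hardened variant of the notice/dismiss pattern from posts 14, 16, 17 and 20, written as an added example (not BPS or Login With Ajax code): the dismiss link carries a nonce, both handlers check `manage_options`, the stored user meta is consulted before the notice is printed, and `strpos()` is compared strictly. The `lwa_example_*` names, the meta key, the nonce action and the notice wording are hypothetical.

```php
<?php
// Added example; the lwa_example_* names, meta key and nonce action are hypothetical.
const LWA_EXAMPLE_META  = 'lwa_example_bps_notice_dismissed';
const LWA_EXAMPLE_NONCE = 'lwa_example_dismiss_bps_notice';

// True when BPS is active and wp-admin/.htaccess has no admin-ajax skip/bypass rule.
function lwa_example_bps_may_block_ajax() {
	$plugin = 'bulletproof-security/bulletproof-security.php';
	$active = in_array( $plugin, (array) get_option( 'active_plugins', array() ), true );
	// Only matters for plugins that support Network Activation (see post 20).
	if ( ! $active && is_multisite() && function_exists( 'is_plugin_active_for_network' ) ) {
		$active = is_plugin_active_for_network( $plugin );
	}
	$htaccess = ABSPATH . 'wp-admin/.htaccess';
	if ( ! $active || ! is_readable( $htaccess ) ) {
		return false; // nothing to inspect, so stay quiet (assumption of this example)
	}
	// Strict comparison: a match at offset 0 must not be read as "rule missing".
	return strpos( (string) file_get_contents( $htaccess ), 'admin-ajax' ) === false;
}

function lwa_example_bps_notice() {
	if ( ! current_user_can( 'manage_options' )
		|| get_user_meta( get_current_user_id(), LWA_EXAMPLE_META, true )
		|| ! lwa_example_bps_may_block_ajax() ) {
		return;
	}
	// The dismiss link carries a nonce so another site cannot trigger it for the admin.
	$url = wp_nonce_url(
		add_query_arg( 'lwa_example_dismiss', '1', admin_url( 'index.php' ) ),
		LWA_EXAMPLE_NONCE
	);
	printf(
		'<div class="notice notice-warning"><p>%s <a href="%s">%s</a></p></div>',
		esc_html__( 'BulletProof Security is active and wp-admin/.htaccess has no admin-ajax.php skip/bypass rule.', 'lwa-example' ),
		esc_url( $url ),
		esc_html__( 'Dismiss Notice', 'lwa-example' )
	);
}
add_action( 'admin_notices', 'lwa_example_bps_notice' );

function lwa_example_bps_dismiss() {
	if ( ! isset( $_GET['lwa_example_dismiss'] ) || ! current_user_can( 'manage_options' ) ) {
		return;
	}
	check_admin_referer( LWA_EXAMPLE_NONCE ); // dies unless the request has a valid nonce
	update_user_meta( get_current_user_id(), LWA_EXAMPLE_META, '1' );
}
add_action( 'admin_init', 'lwa_example_bps_dismiss' );
```
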
  21. Marcus
    NetWebLogic Support
    Posted 1 year ago #

    Thanks for that, and the comprehensive replies!

  22. mrppp
    Member
    Posted 11 months ago #

    I use both plugins and have not had any issues, is this something that has been overcome in recent updates?

  23. AITpro
    Member
    Posted 11 months ago #

    Things change fast in the coding world so probably yes things have changed.

Topic Closed

This topic has been closed to new replies.
