• Hi there,

    Been using WP-Members on a site for a while and it’s working fine. We got a request from the client to tighten up security with specific password rules. We found that, while we could do this and WP-Members created and emailed perfectly secure passwords, users who know the path to the change-password form can create a password that’s only one character long.

    I can’t seem to find any way to link this page and the form into the WP requirements. Can you give me some guidance on this?

Viewing 2 replies - 1 through 2 (of 2 total)
  • Thread Starter arekibo

    (@arekibo)

    I’ve had to heavily modify the plugin to get it to follow even the most basic of WordPress security expectations on the changed password. Highly recommend updating the plugin so that it taps into the user role password expectations and tests fully the password against the default WordPress protocols. It’s FAR too easy to create a massively insecure password.

    Plugin Author Chad Butler

    (@cbutlerjr)

    Let me start by saying that you should never modify the plugin directly, as it renders you unable to update without the headache of reapplying your hacks (but you probably knew that already). The obvious caveat being that the plugin developer would need to have provided you the ability to change things via filter and action hooks. But that happens to be the case here. WP-Members has filter and action hooks throughout the plugin so that you can customize as needed without touching the plugin’s code itself.

    All of the plugin’s filters are documented inline in the code following the WP coding standards for hook documentation, so you would likely have looked directly at the one you need to incorporate custom validation into the password change process by changing the password change error (of course, that assumes you’re using a current version of the plugin; the filter I’m thinking of was introduced in 3.1.5). This may not have been readily apparent, but it’s there nonetheless.

    The wpmem_pwd_change_error filter hook is in the password_change() method of the WP_Members_User class. It passes any error message for filtering (including a null value), along with the user’s ID and the password value they are changing to.

    A function hooked to wpmem_pwd_change_error would allow you to validate the password based on any criteria you build into your function and return an error if necessary. (Since the user ID is also passed, this could be utilized as well if you did things like log password changes to require that a user’s password not be something they’ve used before – or whatever your imagination comes up with.)

    That part is pretty simple. The only hitch is the message dialog as the plugin currently lacks an error message container in the main object (although it WILL have one in the upcoming 3.2.0 release – $wpmem->error). So the way around that is to use a global variable in your filter function so you can also filter the message dialog if the error is based on your custom password validation. I’ve incorporated that into my example framework below:

    add_filter( 'wpmem_pwd_change_error', 'my_pwd_change_validation', 10, 3 );
    /**
     * Validate the new password before WP-Members saves it.
     *
     * @param string|null $is_error  Error tag already set by the plugin (null if none).
     * @param int         $user_id   ID of the user changing their password.
     * @param string      $password  The new password being set.
     * @return string|null The (possibly new) error tag, or null/false if the change may proceed.
     */
    function my_pwd_change_validation( $is_error, $user_id, $password ) {
    
    	// This is used to let the wpmem_msg_dialog filter know if there is an error or not.
    	global $pwdcriteria;
    	$pwdcriteria = false;
    
    	// If there's already an error, no need to continue.
    	if ( $is_error ) {
    		return $is_error;
    	}
    
    	// Do your validation here. Example rule: require at least 8 characters.
    	// If there's an error, make sure that $is_error = 'pwdchangerr' (the
    	// plugin's existing password-change error tag) and set $pwdcriteria = true.
    	if ( strlen( $password ) < 8 ) {
    		$is_error    = 'pwdchangerr';
    		$pwdcriteria = true;
    	}
    
    	return $is_error;
    }
    
    add_filter( 'wpmem_msg_dialog', 'pwd_criteria_error' );
    function pwd_criteria_error( $str ) {
    	// If the global $pwdcriteria is true from the previous
    	// function, a custom validation error exists so filter
    	// the error message.
    	global $pwdcriteria;
    	if ( $pwdcriteria ) {
    		$old = 'Passwords did not match.';
    		$new = 'Your password did not meet the criteria (whatever your custom function was checking for).';
    		$str = str_replace( $old, $new, $str );
    	}
    	return $str;
    }

    There are more specific examples of this on the plugin’s premium support site for support subscribers:
    https://rocketgeek.com/filter-hooks/create-a-rule-for-updated-passwords-to-meet-certain-requirements/

    Also, the plugin’s Security extension (also available to premium support subscribers) incorporates a number of password elements, such as requiring random passwords be changed on first use, requiring strong passwords (based on WP’s algo), or requiring the current password be provided when changing a password.
    https://rocketgeek.com/plugins/wp-members/extensions/security-extension/

    Hope that helps.

    • This reply was modified 8 years, 7 months ago by Chad Butler.
    • This reply was modified 8 years, 7 months ago by Chad Butler. Reason: clarification in code example
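    A fuller policy built on the two hooks described in the reply above, as an added example that is not part of the thread or of the WP-Members plugin. It assumes the filter signature given in the reply (existing error tag, user ID, new password), that the plugin’s 'pwdchangerr' tag renders as "Passwords did not match." in the message dialog, and that when the filter returns no error the plugin goes on to set the password. The class name, the '_my_pwd_history' user-meta key and the rule thresholds are illustrative choices; a static property replaces the global variable from the reply, and the password-history idea the reply mentions is implemented with WordPress’s own wp_hash_password()/wp_check_password() so no plaintext is ever stored.

```php
<?php
/**
 * Added example (not WP-Members code): stricter rules for the WP-Members
 * change-password form using only the wpmem_pwd_change_error and
 * wpmem_msg_dialog filters. Install as a site-specific or mu-plugin.
 *
 * Assumptions: filter args are ( $error_tag, $user_id, $new_password );
 * 'pwdchangerr' renders as "Passwords did not match."; the meta key and
 * thresholds below are our own choices, not plugin settings.
 */
class My_Pwd_Policy {

	const MIN_LENGTH   = 12;
	const HISTORY_SIZE = 5;                  // previous hashes to remember
	const META_KEY     = '_my_pwd_history';  // our own user-meta key (assumption)

	/** Reason the last check failed; null when it passed. Replaces the global. */
	public static $message = null;

	public static function init() {
		add_filter( 'wpmem_pwd_change_error', array( __CLASS__, 'validate' ), 10, 3 );
		add_filter( 'wpmem_msg_dialog',       array( __CLASS__, 'message' ) );
	}

	/**
	 * Pure rule check with no WordPress dependency, so it can be unit-tested.
	 * Returns null when acceptable, otherwise the reason it was rejected.
	 */
	public static function check_rules( $password, array $forbidden = array() ) {
		if ( strlen( $password ) < self::MIN_LENGTH ) {
			return sprintf( 'Password must be at least %d characters long.', self::MIN_LENGTH );
		}
		$classes = 0;
		foreach ( array( '/[a-z]/', '/[A-Z]/', '/[0-9]/', '/[^A-Za-z0-9]/' ) as $re ) {
			$classes += preg_match( $re, $password ) ? 1 : 0;
		}
		if ( $classes < 3 ) {
			return 'Password must use at least three of: lower case, upper case, digits, symbols.';
		}
		foreach ( $forbidden as $s ) {   // e.g. username, local part of the e-mail
			if ( strlen( $s ) >= 4 && stripos( $password, $s ) !== false ) {
				return 'Password must not contain your username or e-mail address.';
			}
		}
		return null;
	}

	public static function validate( $is_error, $user_id, $password ) {
		self::$message = null;
		if ( $is_error ) {
			return $is_error;   // plugin already rejected it (empty or mismatched)
		}

		$user      = get_userdata( $user_id );
		$forbidden = $user ? array_filter( array( $user->user_login, strstr( $user->user_email, '@', true ) ) ) : array();
		$history   = get_user_meta( $user_id, self::META_KEY, true );
		$history   = is_array( $history ) ? $history : array();

		$reason = self::check_rules( $password, $forbidden );

		// Reject reuse of the current password or any remembered previous one.
		if ( null === $reason && $user && wp_check_password( $password, $user->user_pass, $user_id ) ) {
			$reason = 'New password must differ from your current password.';
		}
		if ( null === $reason ) {
			foreach ( $history as $old_hash ) {
				if ( wp_check_password( $password, $old_hash, $user_id ) ) {
					$reason = sprintf( 'That password was used recently; choose one not among your last %d.', self::HISTORY_SIZE );
					break;
				}
			}
		}

		if ( null !== $reason ) {
			self::$message = $reason;
			return 'pwdchangerr';
		}

		// Accepted. Assumption: with no error returned the plugin now sets the
		// password, so the outgoing hash joins the history at this point.
		if ( $user ) {
			array_unshift( $history, $user->user_pass );
			update_user_meta( $user_id, self::META_KEY, array_slice( $history, 0, self::HISTORY_SIZE ) );
		}
		return $is_error;
	}

	public static function message( $str ) {
		if ( self::$message ) {
			$str = str_replace( 'Passwords did not match.', esc_html( self::$message ), $str );
		}
		return $str;
	}
}

My_Pwd_Policy::init();
```

    check_rules() is deliberately free of WordPress calls so it can be exercised from a plain PHP test (for example, check_rules( 'a' ) returns the length message and check_rules( 'Tr0ub4dor&3xyz' ) returns null), while validate() wraps it with the user lookup and the hash-based history check. If the site runs a WP-Members release with $wpmem->error available, the static $message property can be replaced by that container.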

The topic ‘Change password ignores default WP password rules’ is closed to new replies.