hidden backend breaks password-reset mails

Matthias Baier
(@ma_wordpressorg)

2 years, 10 months ago

I hava a hidden backend, with ithemes-security combined with welcome email editor and was just about to launch my user-area until I found out, the password-reset feature is broken. As described in this post https://wordpress.org/support/topic/reset_pass_link-issue-with-itheme-security/.

Login url Parameters are in the wrong order.

Has anyone solved this problem? Any insights in how I can control login url creation would be helpful.

Viewing 4 replies - 1 through 4 (of 4 total)

nlpro
(@nlpro)

2 years, 10 months ago
This is not an iTSec plugin issue.

Have a look at the retrieve_password_message() method in the welcome-email-editor/modules/settings/class-settings-output.php file (lines #155 and #156):
```
// $reset_url = network_site_url("wp-login.php?action=rp&key=$key&login=" . rawurlencode($user_login), 'login');
$reset_url = wp_login_url() . '?action=rp&key=' . $key . '&login=' . rawurlencode( $user_login );
```
Try and uncomment the comment line (#155) and comment the active line (#156).

To prevent any confusion, I’m not iThemes.
- This reply was modified 2 years, 10 months ago by nlpro.
- This reply was modified 2 years, 10 months ago by nlpro.
nlpro
(@nlpro)

2 years, 10 months ago
A closer look reveals that there are 2 improvements to be made:

1. The Welcome Email Editor plugin does not support multisite. So it does not make sense to use the network_site_url() function. Instead use the site_url() function (the iTSec plugin Hide Backend feature hooks into both filters, network_site_url and site_url, while using the same callback).

2. As of the 5.8 release WordPress core will generate the same reset password URL like below:

network_site_url( "wp-login.php?action=rp&key=$key&login=" . rawurlencode( $user_login ), 'login' ) . '&wp_lang=' . $locale;

Notice there is an additional wp_lang url parameter being added.

So IMHO the end result should look like this:
```
$reset_url = site_url( "wp-login.php?action=rp&key=$key&login=" . rawurlencode($user_login), 'login') . '&wp_lang=' . $locale;
// $reset_url = wp_login_url() . '?action=rp&key=' . $key . '&login=' . rawurlencode( $user_login );
```
As a bonus this improvement should be backwards compatible. Do note the code snippet is untested. Use it at your own risk 😉
Thread Starter Matthias Baier
(@ma_wordpressorg)

2 years, 10 months ago

Thanks a lot.

For now I used the former snippet with network_site_url. It works in my tests. Let’s hope the plugin author adds this code.
I’ll try your snippet with the language parameter soon. Will probably need this with a woocommerce-polylang-combo.

nlpro
(@nlpro)

2 years, 10 months ago

Ok, no problem.

Do note the $locale variable needs to be defined and populated with the right value prior to generating the URL (missed that in my previous post).

Something like:

$locale = get_user_locale( $user_data );

Alternatively simply replace $locale with get_user_locale( $user_data ) in the line generating the URL.

Viewing 4 replies - 1 through 4 (of 4 total)

The topic ‘hidden backend breaks password-reset mails’ is closed to new replies.