• Resolved mywebmaestro

    (@mywebmaestro)


    We’re using the plugin on two different sites, and have had some odd behavior from both in the last week. On one site, members are getting email prompts to change their password (sent by the plugin; I double-checked the template used). On the other site, they’re getting an email saying their account was updated.

    I’m wondering if there’s some update recently that would have triggered these behaviors? Or is there some security breach that is being taken advantage of by hackers who are messing with the sites? I’m not detecting any malware currently, on either site, but haven’t been able to find an explanation yet.

Viewing 6 replies - 1 through 6 (of 6 total)
  • @mywebmaestro

    members are getting email prompts to change their password

    This can be explained by someone using the UM reset-password page and either guessing email addresses or using known email addresses. It can also be one of your members joking, if you display user email addresses on UM Profile pages.

    Confirmation text after asking for a Password reset:

    If an account matching the provided details exists, we will send a password reset link. Please check your inbox.

    In the Password reset email you should have this text:

    … If you didn’t make this request, ignore this email …

    Limit guessing of email addresses by enabling the “Enable the Reset Password Limit?” option
    and setting the Reset Password Limit to a low value.
    You will find these settings under UM Settings -> Access -> Other.

    an email saying their account was updated

    I don’t know.
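    The two controls described in the reply above, shown together as an added example (this is illustrative Python, not Ultimate Member code): the reset form answers with the same generic text whether or not the address belongs to a member, so it cannot be used to enumerate accounts, and a per-IP sliding-window limit caps how many reset mails one client can trigger, which is the behaviour a “Reset Password Limit” setting provides. The member list, the limit of 2 per 60 seconds and the client IPs are constructed for the example.

```python
"""Added example (not Ultimate Member code): a password-reset request handler
that (1) replies identically whether or not the e-mail exists, and (2) caps
reset requests per client IP in a sliding window. Accounts, limit, window
and IP addresses are constructed/assumed for the demonstration."""
from collections import defaultdict, deque
import time

# Same wording the plugin shows; returned for known and unknown addresses alike.
GENERIC_REPLY = ("If an account matching the provided details exists, "
                 "we will send a password reset link. Please check your inbox.")
LIMIT_REPLY = "Too many reset requests from this address. Try again later."


class ResetRequestHandler:
    def __init__(self, accounts, limit=3, window_seconds=3600, clock=time.monotonic):
        self.accounts = {a.lower() for a in accounts}   # constructed member list
        self.limit = limit                                # max requests per IP per window
        self.window = window_seconds
        self.clock = clock                                # injectable for testing
        self.attempts = defaultdict(deque)                # ip -> timestamps of recent requests
        self.sent = []                                    # (ip, email) reset mails that would go out

    def _over_limit(self, ip, now):
        """Sliding window: drop timestamps older than the window, then compare count."""
        recent = self.attempts[ip]
        while recent and now - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.limit:
            return True
        recent.append(now)
        return False

    def request_reset(self, ip, email):
        now = self.clock()
        if self._over_limit(ip, now):
            # Rate-limit reply does not depend on whether the address exists.
            return LIMIT_REPLY
        if email.lower() in self.accounts:
            # A real site would queue the reset e-mail here; we only record it.
            self.sent.append((ip, email.lower()))
        return GENERIC_REPLY


def demo():
    """Drive the handler with a fake clock so the window expiry is deterministic."""
    fake_now = [0.0]
    handler = ResetRequestHandler(["alice@example.com"], limit=2, window_seconds=60,
                                  clock=lambda: fake_now[0])
    ip = "198.51.100.7"                                   # constructed client address
    r1 = handler.request_reset(ip, "alice@example.com")   # exists -> mail queued
    r2 = handler.request_reset(ip, "nobody@example.com")  # does not exist -> same reply
    r3 = handler.request_reset(ip, "alice@example.com")   # third in window -> limited
    fake_now[0] = 61.0                                    # window has expired
    r4 = handler.request_reset(ip, "alice@example.com")   # allowed again
    return handler, (r1, r2, r3, r4)


if __name__ == "__main__":
    h, replies = demo()
    for reply in replies:
        print(reply)
    print("reset mails that would be sent:", h.sent)
```

The point to notice is that `r1` and `r2` are indistinguishable to the requester, so probing the form tells an attacker nothing about membership; the limit only caps how much mail one source can cause. The original poster's remark that the limit was already set low is consistent with this: the limit reduces the volume but does not stop a few reset mails per window.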

    Thread Starter mywebmaestro

    (@mywebmaestro)

    Looks like the number was already enabled and set pretty low. But thank you for the suggestion – it’s the best explanation so far, most likely. I was more concerned about the other one, notifications about account being updated, as that would imply someone was accessing it, right?

    @mywebmaestro

    Try to use a secure SMTP mail server instead of WP Mail and your web hosting’s mail server.

    Read this guide:

    https://docs.ultimatemember.com/article/116-not-receiving-user-emails-or-admin-notifications

    If you install the “Post SMTP” plugin, you will also get logging of all your outgoing emails, so you can identify faked copies of your emails sent from another mail server using your email address.

    https://wordpress.org/plugins/post-smtp/

    Thread Starter mywebmaestro

    (@mywebmaestro)

    I’m not sure why that’s relevant… I wasn’t asking about changing SMTP. Sending mail via an authenticated connection wouldn’t stop spoofing if that’s what the messages are, or keep anyone from triggering the system to send messages, etc.

    @mywebmaestro

    Today you don’t know if these emails were sent from your server, since there is no email log of sent emails. Sending emails via WP mail is insecure without all the security functions that SMTP adds.

    Sending an email with your email address from another server is easy if the destination email server can’t verify the sender. With SMTP you get this security through verification of the real sender.
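    A practical way to act on the point made in the reply above, as an added example that is not part of the thread, the plugin, or Post SMTP: ask an affected member to forward one of the suspicious messages with full headers, then read the receiving server's `Authentication-Results` header (SPF/DKIM/DMARC outcome) and the origin hop of the `Received` chain to judge whether the message plausibly left your own mail host or was forged with your From address. The host name `mail.example.org` and both raw messages below are constructed for the example.

```python
"""Added example (not Ultimate Member or Post SMTP code): triage a forwarded
message by its Authentication-Results and Received headers to decide whether it
likely came from our own mail host or was forged. Host names and the two sample
messages are constructed for the demonstration."""
import re
from email import policy
from email.parser import BytesParser

# Assumed: the host(s) the WordPress site actually sends mail through.
OUR_MAIL_HOSTS = {"mail.example.org"}

# Constructed sample: genuine reset mail, authenticated by the member's provider.
GENUINE = b"""Return-Path: <wordpress@example.org>
Received: from mail.example.org (mail.example.org [203.0.113.10])
 by mx.memberisp.net with ESMTPS; Tue, 1 Jan 2030 10:00:00 +0000
Authentication-Results: mx.memberisp.net; spf=pass smtp.mailfrom=example.org;
 dkim=pass header.d=example.org; dmarc=pass
From: Example Site <noreply@example.org>
To: member@memberisp.net
Subject: Password reset

If you didn't make this request, ignore this email.
"""

# Constructed sample: same From address, but injected from an unrelated host.
FORGED = b"""Return-Path: <bounce@unrelated-host.example.net>
Received: from unrelated-host.example.net (unknown [198.51.100.22])
 by mx.memberisp.net with ESMTP; Tue, 1 Jan 2030 10:05:00 +0000
Authentication-Results: mx.memberisp.net; spf=fail smtp.mailfrom=example.org;
 dkim=none; dmarc=fail
From: Example Site <noreply@example.org>
To: member@memberisp.net
Subject: Your account has been updated

Your account details were changed.
"""

AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")


def triage(raw_message: bytes, our_hosts=OUR_MAIL_HOSTS) -> dict:
    """Summarise sender authentication and the origin hop of a raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    auth_headers = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    results = {m.group(1): m.group(2) for m in AUTH_RESULT.finditer(auth_headers)}
    received = [str(h) for h in msg.get_all("Received", [])]
    # Received headers are prepended at each hop, so the last one is the origin hop.
    origin_hop = received[-1] if received else ""
    from_our_host = any(host in origin_hop for host in our_hosts)
    findings = {
        "spf": results.get("spf", "none"),
        "dkim": results.get("dkim", "none"),
        "dmarc": results.get("dmarc", "none"),
        "origin_hop_from_our_host": from_our_host,
        "return_path": str(msg.get("Return-Path", "")),
        "subject": str(msg.get("Subject", "")),
    }
    authenticated = findings["spf"] == "pass" or findings["dkim"] == "pass"
    findings["verdict"] = ("likely-genuine" if authenticated and from_our_host
                           else "suspect-forgery")
    return findings


if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("forged", FORGED)):
        print(label, triage(raw))
```

Two caveats matter when reading the output. Only the `Authentication-Results` header written by the member's own mail provider (the `mx.memberisp.net` authserv-id here) is trustworthy; a sender can insert its own copy, so discard any such header that the recipient's server did not add. And a `likely-genuine` verdict means the mail really left your server, which is exactly the case where an outgoing-mail log (as suggested above) tells you which request, user or admin action triggered it; a `suspect-forgery` verdict points at spoofing rather than at someone accessing the site.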

    Plugin Support andrewshu

    (@andrewshu)

    Hi @mywebmaestro

    This thread has been inactive for a while so we’re going to go ahead and mark it Resolved.

    Please feel free to re-open this thread if any other questions come up and we’d be happy to help. 🙂

    Regards

  • The topic ‘Password Reset & Account Updates’ is closed to new replies.