• Thanks for writing this plugin, which is/was missing on WordPress.

    I need some security improvements.
    1. I only allow users to log in by email. How can I set that in your plugin’s form to allow only email entries?
    2. How can I block attackers from trying hundreds of email addresses to check for user logins? Do you have an API or a hook where I can block further password reset attempts?

Viewing 1 replies (of 1 total)
  • Hi @locker17

    1. The plugin currently accepts both email addresses and usernames, not ONLY emails.
    2. No built-in rate limiting.

    I will look at adding this in the near future. In the meantime you could use our developer hooks: https://docs.wpenhanced.com/frontend-reset-password/faq/#what-hooks-are-available

    1) Something like this

    add_action( 'somfrp_post_request', 'restrict_reset_to_email_only', 40 );
    function restrict_reset_to_email_only( $action ) {
        // Only act on the lost-password request, not on the plugin's other actions.
        if ( 'somfrp_lost_pass' !== $action ) {
            return;
        }

        // Unslash and sanitize the raw POST value before using it.
        $user_info = isset( $_POST['somfrp_user_info'] )
            ? sanitize_text_field( wp_unslash( $_POST['somfrp_user_info'] ) )
            : '';

        // Check if it's NOT an email
        if ( ! empty( $user_info ) && ! is_email( $user_info ) ) {
            $_REQUEST['errors'] = array(
                'email_only' => __( 'Please enter a valid email address.', 'frontend-reset-password' ),
            );
            // Prevent further processing by removing the default handler temporarily
            remove_action( 'somfrp_post_request', 'somfrp_lost_pass_handler', 50 );
        }
    }

    2) More complicated than above, but we have some hooks:

    somfrp_post_request, somfrp_lost_pass_action, lostpassword_post

    It is hard for me to support custom code, but I will look at implementing this for you.
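As an added example (not the plugin's or the author's code), one way to throttle reset attempts per client on the `somfrp_post_request` hook listed above; it assumes the same action name, handler name and priority 50 as the snippet in this reply, and the limits, constant names and transient prefix are my own choices.

```php
<?php
// Added example, not part of the plugin: per-client throttling of lost-password
// requests using a WordPress transient. Hook and handler names follow the reply
// above (assumed); the limits below are arbitrary and should be tuned.

define( 'SOMFRP_RL_MAX_ATTEMPTS', 5 );                // attempts allowed per window
define( 'SOMFRP_RL_WINDOW', 15 * MINUTE_IN_SECONDS ); // sliding window length

/**
 * Transient key for the requesting client.
 * Caveat: REMOTE_ADDR is only meaningful if your web server / proxy sets it to
 * the real client address; behind a CDN or reverse proxy, use the address the
 * server has already validated, never a raw X-Forwarded-For header.
 */
function somfrp_rl_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'somfrp_rl_' . md5( $ip );
}

add_action( 'somfrp_post_request', 'somfrp_rate_limit_lost_pass', 40 );
function somfrp_rate_limit_lost_pass( $action ) {
    if ( 'somfrp_lost_pass' !== $action ) {
        return;
    }

    $key      = somfrp_rl_key();
    $attempts = (int) get_transient( $key );

    if ( $attempts >= SOMFRP_RL_MAX_ATTEMPTS ) {
        // Over the limit: show a generic message and stop the plugin's handler
        // (same technique as the email-only snippet above). The message does not
        // reveal whether the submitted account exists.
        $_REQUEST['errors'] = array(
            'too_many' => __( 'Too many reset requests. Please try again later.', 'frontend-reset-password' ),
        );
        remove_action( 'somfrp_post_request', 'somfrp_lost_pass_handler', 50 );
        return;
    }

    // Count every request, valid email or not, so volume-based probing of
    // account existence is throttled too. Re-setting the transient on each
    // attempt makes the window slide rather than reset at a fixed time.
    set_transient( $key, $attempts + 1, SOMFRP_RL_WINDOW );
}
```

Transients are per-site and, on a multi-server setup without a shared object cache, per-database, so the count is shared across PHP workers but not across separate WordPress installs.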
