WP-Members is the name of the plugin used to control registration and access to different parts of the website. By default (as of February 2021) when you register you are emailed a password, and to perform a password reset you have to provide both your email address and username in order to be emailed a new password. There are two main problems with this:
- Passwords should never be sent by email
- If you know someone's email address and username you can overwrite their password
In addition it is very tedious to have to discover your username, which for the most part is little used.
The changed mechanism, which the author of the plugin says will become the default behaviour in the future, requires you to supply your chosen password when you register. Furthermore you can request a password reset using just your email address or your username. This sends you an email containing a link (which has a finite lifetime). Click on the link and you can enter a new password directly on the website.
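The following is an added example (not WP-Members' own code) of how a reset link of the kind described above can be made both time-limited and single-use: the emailed link carries a random token, the server stores only a hash of it together with an expiry time, and the record is marked used on the first successful redemption. The one-hour lifetime, the URL and the in-memory store are assumptions standing in for whatever the plugin actually does.

```php
<?php
// Added example: a time-limited, single-use password reset token.
// Illustrative code, not WP-Members' implementation. The store is an
// in-memory array standing in for the database; the lifetime and URL are assumed.

const RESET_LIFETIME_SECONDS = 3600; // assumed one-hour lifetime

// Hypothetical store keyed by user id. Only a hash of the token is kept, so a
// leaked copy of the table does not hand out usable reset links.
$reset_store = [];

/** Issue a reset link for a user; only the emailed link carries the raw token. */
function issue_reset_link(array &$store, int $user_id, int $now): string {
    $token = bin2hex(random_bytes(32));             // 256 bits from the CSPRNG
    $store[$user_id] = [
        'hash'    => hash('sha256', $token),
        'expires' => $now + RESET_LIFETIME_SECONDS,
        'used'    => false,
    ];
    return "https://example.org/reset?uid={$user_id}&token={$token}"; // placeholder URL
}

/** Validate a presented link; returns true at most once, and only within the lifetime. */
function redeem_reset_token(array &$store, int $user_id, string $token, int $now): bool {
    if (!isset($store[$user_id])) {
        return false;                               // no outstanding request for this user
    }
    $record = $store[$user_id];
    if ($record['used'] || $now > $record['expires']) {
        return false;                               // already consumed, or expired
    }
    // Constant-time comparison so a wrong token is not rejected faster or slower
    // depending on how many leading bytes happen to match.
    if (!hash_equals($record['hash'], hash('sha256', $token))) {
        return false;
    }
    $store[$user_id]['used'] = true;                // single use
    return true;
}

// Demonstration with a constructed user id of 42.
$now  = time();
$link = issue_reset_link($reset_store, 42, $now);
parse_str((string) parse_url($link, PHP_URL_QUERY), $query);
$token = $query['token'];

var_dump(redeem_reset_token($reset_store, 42, $token, $now + 60));        // true:  valid, first use
var_dump(redeem_reset_token($reset_store, 42, $token, $now + 120));       // false: already used
var_dump(redeem_reset_token($reset_store, 42, 'wrong-token', $now + 60)); // false: token mismatch

$link2 = issue_reset_link($reset_store, 42, $now);                         // fresh request
parse_str((string) parse_url($link2, PHP_URL_QUERY), $query);
var_dump(redeem_reset_token($reset_store, 42, $query['token'], $now + RESET_LIFETIME_SECONDS + 1)); // false: expired
```

The two properties the text relies on fall out of the store: the link stops working once the expiry passes, and it stops working after its first use, which is what makes emailing a link safer than emailing a password.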
There is a third place where WP-Members is involved with choosing passwords – this is when you change your password using the option which was distributed with the initial website as part of the Members menu and which takes you to profile/?a=pwdchange. This used to be highly insecure as one-letter passwords were permitted. Code has been written to control the minimum quality of passwords. This code is already active as part of the “Croquet” theme. Go to Dashboard/Settings/“Password Security Settings” and you will see that you have two numbers to configure:
- The minimum length of a password
- The minimum number of characters of each type. Characters are divided into four types: Lower Case, Upper Case, Digits and other characters.
The default is 6,1 which would permit Abcd1! and the weakest setting is 4,0 which would allow “then” to be used as a password. I would prefer to use something like 20,3, however this does require that people use a password manager (such as LastPass). I doubt if website admins would want to be so strict so perhaps 6,1 is a reasonable compromise. For obvious reasons the first number must be not less than four times the second number: there are four character types and each must contribute at least the second number of characters.
This minimum password quality is applied any time a password is created, modified or reset.
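As an added example (not the Croquet theme's own code), here is a check implementing the two settings just described: a minimum length and a minimum count of characters from each of the four types. The function names are hypothetical, and the sample passwords and settings are the ones quoted in the text.

```php
<?php
// Added example: a password-quality check modelled on the two settings above
// (minimum length, minimum characters of each of the four types).
// Illustrative code, not the Croquet theme's implementation.

/**
 * Count the characters of each of the four types in a password.
 * "Other" is anything that is not an ASCII lower-case letter, upper-case letter
 * or digit, so accented letters and symbols both count as "other".
 */
function croquet_example_char_counts(string $password): array {
    return [
        'lower' => preg_match_all('/[a-z]/', $password),
        'upper' => preg_match_all('/[A-Z]/', $password),
        'digit' => preg_match_all('/[0-9]/', $password),
        'other' => preg_match_all('/[^a-zA-Z0-9]/', $password),
    ];
}

/**
 * Return the list of problems with a password; an empty list means it is acceptable.
 */
function croquet_example_password_problems(string $password, int $min_length, int $min_per_type): array {
    // Sanity check on the settings: four types each needing $min_per_type
    // characters cannot fit in fewer than 4 * $min_per_type characters.
    if ($min_length < 4 * $min_per_type) {
        return ['Configuration error: minimum length must be at least four times the per-type minimum.'];
    }
    $problems = [];
    $length = function_exists('mb_strlen') ? mb_strlen($password) : strlen($password);
    if ($length < $min_length) {
        $problems[] = sprintf('Password must be at least %d characters long.', $min_length);
    }
    foreach (croquet_example_char_counts($password) as $type => $count) {
        if ($count < $min_per_type) {
            $problems[] = sprintf('Password needs at least %d %s character(s).', $min_per_type, $type);
        }
    }
    return $problems;
}

// Demonstration with the settings quoted in the text.
$cases = [
    ['Abcd1!', 6, 1],   // default 6,1: passes
    ['then',   6, 1],   // default 6,1: too short, and no upper/digit/other
    ['then',   4, 0],   // weakest 4,0: passes
    ['Abcd1!', 20, 3],  // strict 20,3: fails on length and on per-type counts
    ['Abcd1!', 6, 2],   // invalid configuration: 6 < 4 * 2
];
foreach ($cases as [$pw, $len, $per]) {
    $problems = croquet_example_password_problems($pw, $len, $per);
    printf("%-8s with %2d,%d -> %s\n", $pw, $len, $per, $problems ? implode(' ', $problems) : 'OK');
}
```

Because the same function is used wherever a password is created, modified or reset, all three paths apply the identical rule, which is the point of the sentence above.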
Changing the forms
Go to Dashboard/Settings/WP-Members to get four tabs: “WP-Members Options”, “Fields”, “Dialogs” and “Emails”. You may find some advertising for one or more plugins at the top of the page – click on the little “x” at the top right of any such panel if it’s in your way.
For each tab (except Fields), once you have finished the changes for that tab you must go to the bottom and click on the blue “Update …” button, as otherwise your changes will be lost when you go to the next tab.
In the first tab, WP-Members Options, under “Feature Settings” select “Password Reset Link” and “Enable WP Login Error” so that it looks like:
Then click on the blue “Update Settings” button
In the Fields tab, click on the “Add Field” button at the top or bottom of the form, then enter “Password” and “password” (lower case) into the two top boxes, select a field type of “password” and select the “Display?” and “Required?” options. Then click on the blue “Add Field” button and you will be returned to “Manage Fields”, where you will see the field you have just added displayed near the bottom. Now repeat to add the other field “Confirm Password” with a Meta Key of “confirm_password” (lower case with an underscore), with a field type of “password” and the two boxes ticked as before. Click on the “Add Field” button to return to “Manage Fields”, at which point it should look similar to:
In the Dialogs tab you can tweak these to your heart’s content – however the following changes are suggested:
Registration completed →
Once the administrator has accepted your application you will be sent an email.
Password reset →
An email containing a link to reset your password has been sent to the email address on file for your account.
Click on the blue button “Update Dialogs” and go to the emails tab:
Once you have made these changes remember to scroll to the bottom and click on the blue button “Update Emails”
Set a custom email address – Is probably best left blank
Set a custom email name – Should be your name
Registration is Moderated, User is Approved (Body) →
Your registration for [blogname] has been approved.
You may log in here:
Please remember to keep your personal information up to date.
If you don’t already have a “Gravatar” then go to https://en.gravatar.com/ to associate your email address with a picture of yourself.
Password reset (Subject) → Request for password reset for [blogname]
Password reset (Body) → Somebody requested a password reset for your account at [blogname].
If this request was from you then click on the link below to set a new password, otherwise just ignore this email.
Admin Notification (Body) → The following user registered for [blogname]:
This user registered here:
user IP: [user-ip]
Assuming that you believe this is genuine and you wish to activate this user, go to “Dashboard/Users/All Users”, hover over the user and click “Activate”; an email will be sent to the user.
Click on the blue button: Update Emails
Update some of your pages
Change the login page to reflect the simple password recovery procedure. For example Blewbury has:
The form below allows you to login.
If you have forgotten your password then you can use the “Click here to reset” link near the bottom of this page. This takes you to a reset form that requires either your username or email address to be entered. You will be sent an email with a link to allow you to enter a new password. The email can only be used once.
If you are still stuck then contact: email@example.com
[wpmem_form login redirect_to="https://blewburycroquetclub.org.uk/members"]
At this point it is best to log out and see if you can perform a password reset.
Inform your users
The following may prove useful:
A number of password related changes have been made.
The first thing to note is that minimum password standards are now being enforced. Your password must have at least six characters and contain at least one lower case letter, one upper case letter, one digit and one character that is none of these.
The reason for this is that you are all permitted to write news items and we need to make it as hard as possible for a hacker wishing to promote unpleasant material.
I would recommend the use of a password manager – with my own favourite being LastPass. This is free unless you want synchronization over multiple devices. I have just under 300 passwords stored.
It is now very easy to reset your password. The reset facility no longer emails you a new password but instead emails a link that allows you to reset your own password. This is both safer and more convenient.