• Resolved harrowmykel

    (@harrowmykel)


    1. Please update your Register form.
    This code causes an error when the form is copied to the theme

    Code with error [https://imgur.com/a/mWJ1FeL]

    I fixed it on my site with
    Website Fix [https://imgur.com/a/UnjvsDS]

    A better fix would have been if you define the path to the captcha as a constant in your plugin, e.g.
    define("CLEAN_LOGIN_CAPTCHA_PATH", plugins_url( 'captcha', __DIR__."/content/" ));

    2. Please add wp-nonce to your forms.
    The website is unprotected from bots and CSRF attacks when the captcha is deactivated. I had a massive bot attack in May because of this. Please fix ASAP. This is a huge security problem.

Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Author Javier Carazo

    (@carazo)

    @harrowmykel,

    1) thanks for your tip, we have just included it with the constant to fix the problem you report.

    2) we have added nonce in the settings page, but we cannot do it in front-end forms because they call WordPress standard forms, and all of them do not include nonces.

    Thread Starter harrowmykel

    (@harrowmykel)

    Hello, thanks for making the change!

    Is there a GitHub repository?

    Also I have written the code for the wp_nonce validation.
    Please check it out here.

    [Download Zip]https://piccmaq.com.ng/foreign/downloads/clean-login.zip

    The file includes only changes and there are only 4 files in the zip.

    To find my changes easier and quicker, just search for
    @HARROWMYKEL in each file

    Thread Starter harrowmykel

    (@harrowmykel)

    I also added some filters for the email, so that developers can add custom shortcodes like {website_link} or so in the themes/name/functions.php, without editing the plugin code directly

    Plugin Author Javier Carazo

    (@carazo)

    Sorry for the delay but I was very busy.

    I have used your code (I have only changed some conditionals to a ternary operator) and ALL IS GREAT.

    THANK YOU VERY MUCH. Your code is out, update to 1.11.

    Thread Starter harrowmykel

    (@harrowmykel)

    It’s Okay.
    I just added a new zip code. Please check it out below. Please let me know if there is a GitHub for this project.
    ——————–
    I have also added some filters for the email, so that developers can add custom shortcodes like {website_link} or so in the themes/name/functions.php, without editing the plugin code directly.
    ———————-

    Please check it out here.

    [Download Zip]https://piccmaq.com.ng/foreign/downloads/clean-login.zip

    The file includes only changes and there is only 1 file in the zip.

    To find my changes easier and quicker, just search for
    @HARROWMYKEL in each file

    • This reply was modified 5 years, 10 months ago by harrowmykel.
    Plugin Author Javier Carazo

    (@carazo)

    Yes, @ahornero keeps a GitHub of this plugin: https://github.com/ahornero/clean-login

    Anyway I have just included all the changes here and new version 1.11.1 is out with your hooks.

    Please pay attention to their new names. I have renamed them to always keep the same naming methods.


The topic ‘IMPORTANT: Code Changes: Massive Signup BOTS attacks , CSRF, XSS’ is closed to new replies.
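
The nonce check requested in point 2 of the opening post, sketched for a front-end registration form. This is an added example, not code from the thread or from the Clean Login plugin; the shortcode, field names and `example_*` identifiers are hypothetical, and only the WordPress core functions are real.

```php
<?php
// Added example: every example_* / EXAMPLE_* name is hypothetical, not Clean Login's own.
const EXAMPLE_NONCE_ACTION = 'example_register';
const EXAMPLE_NONCE_FIELD  = 'example_register_nonce';

// Render the form; wp_nonce_field() emits the hidden nonce (and referer) inputs.
function example_register_form_shortcode() {
    ob_start();
    ?>
    <form method="post" action="<?php echo esc_url( get_permalink() ); ?>">
        <input type="text" name="example_username" required>
        <input type="email" name="example_email" required>
        <input type="hidden" name="example_action" value="register">
        <?php wp_nonce_field( EXAMPLE_NONCE_ACTION, EXAMPLE_NONCE_FIELD ); ?>
        <button type="submit">Register</button>
    </form>
    <?php
    return ob_get_clean();
}
add_shortcode( 'example_register_form', 'example_register_form_shortcode' );

// Handle the POST; reject it before touching user data if the nonce is missing or invalid.
function example_handle_register() {
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] || ! isset( $_POST['example_action'] ) ) {
        return;
    }
    $nonce = isset( $_POST[ EXAMPLE_NONCE_FIELD ] )
        ? sanitize_text_field( wp_unslash( $_POST[ EXAMPLE_NONCE_FIELD ] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, EXAMPLE_NONCE_ACTION ) ) {
        wp_die( esc_html__( 'Security check failed.', 'example' ), '', array( 'response' => 403 ) );
    }
    if ( ! get_option( 'users_can_register' ) ) {
        return; // Registration is disabled site-wide.
    }
    $username = sanitize_user( wp_unslash( $_POST['example_username'] ?? '' ), true );
    $email    = sanitize_email( wp_unslash( $_POST['example_email'] ?? '' ) );
    if ( '' === $username || ! is_email( $email ) ) {
        return; // Validation errors would be reported to the visitor here.
    }
    // register_new_user() creates the account and sends the notification e-mail.
    $result = register_new_user( $username, $email );
    if ( is_wp_error( $result ) ) {
        return; // e.g. duplicate username or e-mail.
    }
}
add_action( 'init', 'example_handle_register' );
```

For logged-out visitors WordPress derives the nonce from user ID 0, so it is shared by all anonymous visitors within the nonce lifetime: the check stops cross-site form submissions, but a bot that loads the form first receives a valid nonce, so the captcha remains the control against automated sign-ups.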