Title: IMPORTANT: Code Changes: Massive Signup BOTS attacks , CSRF, XSS
Last modified: June 29, 2020

---

# IMPORTANT: Code Changes: Massive Signup BOTS attacks , CSRF, XSS

 *  Resolved [harrowmykel](https://wordpress.org/support/users/harrowmykel/)
 * (@harrowmykel)
 * [5 years, 11 months ago](https://wordpress.org/support/topic/important-code-changes-massive-signup-bots-attacks-csrf-xss/)
 * **1. Please update your Register form.**
   This code causes an error when the form is copied to the theme.
 * [Code with error [https://imgur.com/a/mWJ1FeL]](https://imgur.com/a/mWJ1FeL)
 * I fixed it on my site with
    [Website Fix [https://imgur.com/a/UnjvsDS]](https://imgur.com/a/UnjvsDS)
 * A better fix would have been if you define the path to the captcha as a constant
   in your plugin, e.g.
   `define("CLEAN_LOGIN_CAPTCHA_PATH", plugins_url( 'captcha', __DIR__."/content/" ));`
 * **2. Please add wp-nonce to your forms.**
   The website is unprotected from bots and CSRF attacks when the captcha is deactivated.
   I had a massive bot attack in May because of this. Please fix ASAP. This is a huge
   security problem.
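
What the nonce request in point 2 amounts to on a front-end form, as an added example that is not part of the original post and not Clean Login's code: the form emits a nonce with `wp_nonce_field()` and the handler refuses any POST that fails `wp_verify_nonce()`. The shortcode, action and field names (`example_*`) are hypothetical.

```php
<?php
// Added example, not Clean Login's code. All example_* names are hypothetical.

// Front-end registration form that carries a nonce.
add_shortcode( 'example_register', function () {
    ob_start();
    ?>
    <form method="post">
        <input type="text" name="example_username" required>
        <input type="email" name="example_email" required>
        <?php wp_nonce_field( 'example_register_action', 'example_register_nonce' ); ?>
        <button type="submit" name="example_register_submit" value="1">Register</button>
    </form>
    <?php
    return ob_get_clean();
} );

// Handle the POST before any output, so failures can set a status code.
add_action( 'template_redirect', function () {
    if ( empty( $_POST['example_register_submit'] ) ) {
        return;
    }
    if ( ! get_option( 'users_can_register' ) ) {
        wp_die( 'Registration is disabled.', '', array( 'response' => 403 ) );
    }

    // Reject the request unless the nonce is present and valid for this action.
    $nonce = isset( $_POST['example_register_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['example_register_nonce'] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, 'example_register_action' ) ) {
        wp_die( 'Invalid or expired form. Reload the page and try again.', '', array( 'response' => 403 ) );
    }

    $username = sanitize_user( wp_unslash( $_POST['example_username'] ?? '' ), true );
    $email    = sanitize_email( wp_unslash( $_POST['example_email'] ?? '' ) );

    // register_new_user() validates both values and returns a WP_Error on failure.
    $result = register_new_user( $username, $email );
    if ( is_wp_error( $result ) ) {
        wp_die( $result, '', array( 'response' => 400 ) );
    }

    wp_safe_redirect( add_query_arg( 'registered', '1', wp_get_referer() ?: home_url( '/' ) ) );
    exit;
} );
```

For logged-out visitors WordPress derives the nonce from user ID 0, so the same value is valid for every anonymous visitor until it expires. The check stops blind cross-site POSTs and scripts that never load the form, but a bot that fetches the page first will pass it, so keep the captcha or a rate limit alongside.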

Viewing 6 replies - 1 through 6 (of 6 total)

 *  Plugin Author [Javier Carazo](https://wordpress.org/support/users/carazo/)
 * (@carazo)
 * [5 years, 11 months ago](https://wordpress.org/support/topic/important-code-changes-massive-signup-bots-attacks-csrf-xss/#post-13047681)
 * [@harrowmykel](https://wordpress.org/support/users/harrowmykel/),
 * 1) Thanks for your tip, we have just included it with the constant to fix the
   problem you report.
 * 2) We have added a nonce in the settings page, but we cannot do it in front-end
   forms because they call WordPress standard forms, and all of them do not include
   nonces.
 *  Thread Starter [harrowmykel](https://wordpress.org/support/users/harrowmykel/)
 * (@harrowmykel)
 * [5 years, 11 months ago](https://wordpress.org/support/topic/important-code-changes-massive-signup-bots-attacks-csrf-xss/#post-13050937)
 * Hello, thanks for making the change!
 * Is there a GitHub repository?
 * Also I have written the code for the wp_nonce validation.
   Please check it out here.
 * [Download Zip](https://piccmaq.com.ng/foreign/downloads/clean-login.zip)
 * The file includes only changes and there are only 4 files in the zip.
 * To find my changes easier and quicker, just search for `@HARROWMYKEL` in
   each file
 *  Thread Starter [harrowmykel](https://wordpress.org/support/users/harrowmykel/)
 * (@harrowmykel)
 * [5 years, 11 months ago](https://wordpress.org/support/topic/important-code-changes-massive-signup-bots-attacks-csrf-xss/#post-13050983)
 * I also added some filters for the email, so that developers can add custom shortcodes
   like {website_link} or so in the themes/name/functions.php, without editing the
   plugin codes directly
 *  Plugin Author [Javier Carazo](https://wordpress.org/support/users/carazo/)
 * (@carazo)
 * [5 years, 11 months ago](https://wordpress.org/support/topic/important-code-changes-massive-signup-bots-attacks-csrf-xss/#post-13069374)
 * Sorry for the delay but I was very busy.
 * I have used your code (I have only changed some conditionals to a ternary operator)
   and ALL IS GREAT.
 * THANK YOU VERY MUCH. Your code is out, update to 1.11.
 *  Thread Starter [harrowmykel](https://wordpress.org/support/users/harrowmykel/)
 * (@harrowmykel)
 * [5 years, 11 months ago](https://wordpress.org/support/topic/important-code-changes-massive-signup-bots-attacks-csrf-xss/#post-13112292)
 * It’s Okay.
   I just added a new zip code. Please check it out below. Please let
   me know if there is a GitHub for this project.
 * I have also added some filters for the email, so that developers can add custom
   shortcodes like {website_link} or so in the themes/name/functions.php, without
   editing the plugin codes directly.
 * Please check it out here.
 * [Download Zip](https://piccmaq.com.ng/foreign/downloads/clean-login.zip)
 * The file includes only changes and there is only 1 file in the zip.
 * To find my changes easier and quicker, just search for `@HARROWMYKEL` in
   each file
    -  This reply was modified 5 years, 11 months ago by [harrowmykel](https://wordpress.org/support/users/harrowmykel/).
 *  Plugin Author [Javier Carazo](https://wordpress.org/support/users/carazo/)
 * (@carazo)
 * [5 years, 11 months ago](https://wordpress.org/support/topic/important-code-changes-massive-signup-bots-attacks-csrf-xss/#post-13114809)
 * Yes, [@ahornero](https://wordpress.org/support/users/ahornero/) keeps a GitHub
   of this plugin: [https://github.com/ahornero/clean-login](https://github.com/ahornero/clean-login)
 * Anyway I have just included all the changes here and new version 1.11.1 is out
   with your hooks.
 * Please pay attention to the new names of it. I have renamed to keep always the
   same naming methods.


The topic ‘IMPORTANT: Code Changes: Massive Signup BOTS attacks , CSRF, XSS’ is 
closed to new replies.
