Vulnerability

Resolved cscheper
(@cscheper)

8 months, 3 weeks ago

The plugin was working until I updated. The registry form needs a correct Invite code to be introduced for the registration to send the information.

now, I’m getting literally 100’s of fake registrations (good thing I have WPapprove) from addresses (all Gmail) that are some circumventing the Invite code field.

any ideas. Ive checked with malware analysers to see if there is something funny – and tried turning off other plugins, to the point of erasing them, all to no avaiñ

The page I need help with: [log in to see the link]

Viewing 12 replies - 1 through 12 (of 12 total)

Plugin Author Stiofan
(@stiofansisland)

8 months, 3 weeks ago
Hello,

It just sounds like you have had a bot target you, it happens all the time.

I would reccommend our plugin https://wordpress.org/plugins/ayecode-connect/ it provides a free captcha by CloudFlare (your site does not need to be on CloudFlare, you simply need a free account).

If you have further issues or would like me to assign a developer to assits please open a ticket here: https://userswp.io/support/

Thanks,

Stiofan
- This reply was modified 8 months, 3 weeks ago by Stiofan. Reason: Spelling
Thread Starter cscheper
(@cscheper)

8 months, 3 weeks ago

yes. But the question is, since the registration form has an invite code that needs to be validated in order to register, how can a bot bypass it (it’s only delivered via SMS to clients and changed every 2-3, days.

a bot should not be able to bypass this restriction or am I mistaken?

Plugin Author Stiofan
(@stiofansisland)

8 months, 3 weeks ago

I can’t speak or 3rd party invite code functionality.. All I would say is, try the captcha solution I mentioned and if you still have issues then it is likely not related to our forms.

My guess would be something else is calling the register function, likely another plugin.

Thanks,

Stiofan

Thread Starter cscheper
(@cscheper)

8 months, 3 weeks ago

The InviteCode is a field in your plugins form, requiring validation

https://redjinx.net/login/

Plugin Author Stiofan
(@stiofansisland)

8 months, 3 weeks ago

ah, so you just added a filed with custom validation? The validation is html5 based, it won’t really protect against bots, they can easily bypass that. You would need a PHP snippet to also validate it in the PHP code, I assume you have not added that?

Another option might be this https://userswp.io/downloads/moderate-user-registration/

Stiofan

Thread Starter cscheper
(@cscheper)

8 months, 3 weeks ago

well if I had known👿.

can you supply the snippet?

i really don’t want to change the user plugin, and I am implementing it in a separate web with geodirectory.

cloudflsre is a hassle with my hosting provider in Spain

Thread Starter cscheper
(@cscheper)

8 months, 3 weeks ago

I really need to move forward with this. Can you supply the mentioned snippet or do I have to discard the plugin an look for another solution?

Thank you for a prompt response

Plugin Author Stiofan
(@stiofansisland)

8 months, 3 weeks ago

FYI the cloudflare captcha is standalone, u do not need to put your site on cloud flare.

I am UK based, I will have a look at a snippet when I am in the office tomorrow

Thanks,

Stiofan

Thread Starter cscheper
(@cscheper)

8 months, 3 weeks ago

without setting up cloudflare dns And confirming domain, no Api and secret….

and zu really would like to keep my domain dns entries.

so looking forward to the pho snippet
Plugin Contributor Paolo
(@paoltaia)

8 months, 3 weeks ago
without setting up cloudflare dns And confirming domain, no Api and secret….

Not correct, this is how you get the API Site Key and Secrete Key for a turnstile widget.
1. Login to https://dash.cloudflare.com/
2. On the left column, click the Turnstile link
3. Click add widget and add a widget name
4. Click add hostname and add a custom hostname (your site URL) > Select it and click the blue add button at the bottom.
5. Click Create and you will get the site key and secret key needed.
6. Add the keys to Turnstile settings on AyeCode Connect plugin and protect the UsersWP registration form
This will block bots and the HTML5 validation will work just fine for regular users.

Tomorrow the developers will look into crafting a tutorial on how to further validate data entry with PHP.

I hope this help.
Thread Starter cscheper
(@cscheper)

8 months, 3 weeks ago

correct. My bad for not reading before a ting🤣. The solution is on and seems to be working.

Thank you for the assist.

Plugin Author Stiofan
(@stiofansisland)

8 months, 3 weeks ago

Hi @cscheper,

I wrote you up a tutorial here: https://userswp.io/documentation/article/how-tos/basic-invite-code-example/

Please let me konw if you have any issues or questions.

Thanks,

Stiofan

Viewing 12 replies - 1 through 12 (of 12 total)

The topic ‘Vulnerability’ is closed to new replies.