What are the best practices to achieve cross-domain interoperability and transparency in aggregate data through a uniform, hashed user naming schema?

The following plugin was just presented at the special session on data provenance to amend NSA's hard problems during the Hot Topics on Science of Security (HoTSoS) symposium.

I'm looking for peer review regarding best practices prior to submission to the WordPress repository. It's fairly self-explanatory and a surprisingly simple way to achieve cross-domain interoperability through the hashing of usernames.

Other open source networks persist around this concept but WordPress is a much larger medium with a potential for serious impact on future comms. Commentary involving specific improvements to code as well as cogent peripheral considerations is welcome.

ABSTRACT: Open-source publishing platforms lack necessary interoperability to counterbalance the security risks of network centralization. The objective aims to bridge the gap between decentralized installs, mixed data and uniform identity verification across multiple domains. Incorporating an optional hashed passphrase into the username with future software updates could resolve these immediate challenges.

For additional background on the project, you can see that at sha3.org.

Components of this plugin have been modified and sourced from the following Questions: Pre-login and pre-registration actions, Invalid username special characters issue, Add action that returns modified value.


<?php
/*
Plugin Name: SHA3 Secure SignOn
Plugin URI: https://www.sha3.org/
Description: Updates native wp-login.php with cross-platform SHA3 and DES Secure SignOn.
Version: 1.0
Author: SHA3.org
Author URI: https://www.sha3.org/
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html
*/

// Add jQuery for placeholder text and radio deselect (the script uses jQuery, so declare the dependency)
add_action('login_enqueue_scripts', 'wpse_login_enqueue_scripts', 10);
function wpse_login_enqueue_scripts() {
    wp_enqueue_script('sha3.js', plugin_dir_url(__FILE__) . 'js/sha3-secure-signon.js', array('jquery'), '1.0');
}

// Which hash option (if any) the login/register form submitted
function sha3_selected_hash() {
    return isset($_POST['hash']) ? $_POST['hash'] : '';
}

// 2channel-style DES tripcode; the login and register paths share these steps
function sha3_des_tripcode($tripcoded) {
    $salt = substr($tripcoded . 'H.', 1, 2);
    $salt = preg_replace('/[^\.-z]/', '.', $salt);
    $salt = strtr($salt, ':;<=>?@[\\]^_`', 'ABCDEFGabcdef');
    return substr(crypt($tripcoded, $salt), -10);
}

// Turn "Name#Passphrase" (or a bare passphrase) into the "Name!tripcode" login
function sha3_des_login($login) {
    // if hash sign, capture nickname
    if (strpos($login, '#') !== false) {
        $trippassword = explode('#', $login);
        return $trippassword[0] . '!' . sha3_des_tripcode($trippassword[1]);
    }
    // no pound sign: the whole input is the passphrase
    return '!' . sha3_des_tripcode($login);
}

// Turn the raw login into the "!!<sha3-224 hex>" login
function sha3_hash_login($login) {
    return '!!' . hash('sha3-224', $login);
}

add_action('register_form', 'use_des_tripcode_login');

// Allow hash sign on register and disallow !username
function wscu_sanitize_user($username, $raw_username, $strict) {
    if (isset($_POST['user_login'])) {
        // if hash selected
        $hash = sha3_selected_hash();
        if ($hash == 'des_tripcode' || $hash == 'sha3_hash') {
            // sanitize_text_field may limit functionality but necessary for database security
            // not sure if we need to sanitize here or if fine with the next action. also possible sanitize_user( $username, false );
            $username = sanitize_text_field($raw_username);
        }
    }
    return $username;
}
add_filter('sanitize_user', 'wscu_sanitize_user', 10, 3);

add_action('login_form_register', 'custom_user_login');
function custom_user_login() {
    // make sure registration form is submitted
    if ($_SERVER['REQUEST_METHOD'] != 'POST') return;
    if (!isset($_POST['user_login'])) return;

    // base of user_login
    $ulogin = $_POST['user_login'];
    $hash = sha3_selected_hash();

    // For DES Tripcode
    if ($hash == 'des_tripcode') {
        // sanitize_text_field may limit functionality but necessary for database security
        $_POST['user_login'] = sanitize_text_field(sha3_des_login($ulogin));
    }

    // For SHA3 hash
    if ($hash == 'sha3_hash') {
        $_POST['user_login'] = sanitize_text_field(sha3_hash_login($ulogin));
    }
}

// adds DES option on login and register
add_action('login_form', 'use_des_tripcode_login');
function use_des_tripcode_login() {
    echo '<p><input type="radio" id="des_tripcode" name="hash" class="no_option" value="des_tripcode"><label for="des_tripcode">&nbsp;DES Tripcode</label></p>';
    echo '<p><input type="radio" id="sha3_hash" name="hash" class="no_option" value="sha3_hash"><label for="sha3_hash">&nbsp;SHA3 Hash</label></p>';
    echo '<input type="radio" name="hash" class="no_option" value="null" style="display:none">';
}

remove_action('authenticate', 'wp_authenticate_username_password', 20);
add_filter('authenticate', 'des_tripcode_login', 10, 3);
function des_tripcode_login($user, $username, $password) {
    $hash = sha3_selected_hash();

    // For DES Tripcode: derive the stored login from what was typed (with or without pound sign)
    if ($hash == 'des_tripcode') {
        $username = sanitize_text_field(sha3_des_login($username));
    }

    // For SHA3 hash
    if ($hash == 'sha3_hash') {
        $username = sanitize_text_field(sha3_hash_login($username));
    }

    if (is_a($user, 'WP_User')) {
        return $user;
    }

    if (empty($username) || empty($password)) {
        $error = new WP_Error();

        if (empty($username)) $error->add('empty_username', __('<strong>ERROR</strong>: The username field is empty.'));

        if (empty($password)) $error->add('empty_password', __('<strong>ERROR</strong>: The password field is empty.'));

        return $error;
    }

    $user = get_user_by('login', $username);

    if (!$user) return new WP_Error('invalid_username', sprintf(__('<strong>ERROR</strong>: Invalid username. <a href="%s" title="Password Lost and Found">Lost your password</a>?'), wp_lostpassword_url()));

    if (is_multisite()) {
        // Is user marked as spam?
        if (1 == $user->spam) return new WP_Error('spammer_account', __('<strong>ERROR</strong>: Your account has been marked as a spammer.'));

        // Is a user's blog marked as spam?
        if (!is_super_admin($user->ID) && isset($user->primary_blog)) {
            $details = get_blog_details($user->primary_blog);
            if (is_object($details) && $details->spam == 1) return new WP_Error('blog_suspended', __('Site Suspended.'));
        }
    }

    $user = apply_filters('wp_authenticate_user', $user, $password);
    if (is_wp_error($user)) return $user;

    if (!wp_check_password($password, $user->user_pass, $user->ID)) return new WP_Error('incorrect_password', sprintf(__('<strong>ERROR</strong>: The password you entered for the username <strong>%1$s</strong> is incorrect. <a href="%2$s" title="Password Lost and Found">Lost your password</a>?'), $username, wp_lostpassword_url()));

    return $user;
}

// Reserve exclamations to identify hash - nicknames
add_filter('pre_user_display_name', 'my_displayname_block');

function my_displayname_block($user_display_name) {
    $current_user = wp_get_current_user();
    // buddypress optional name filter for exclamation
    // if (isset($_POST['field_1']) && strpos($_POST['field_1'], '!') !== false) {
    //     wp_die(sprintf(__('<strong>ERROR</strong>: Exclamation points are reserved to identify SHA3 and DES hashes.&nbsp;<a href="%s" title="Go Back">Go back to profile</a>.'), wp_get_referer()));
    // }
    $current_usernick = $current_user->nickname;

    if (isset($_POST['nickname']) && strpos($_POST['nickname'], '!') !== false && $_POST['nickname'] != $current_usernick) {
        wp_die(sprintf(__('<strong>ERROR</strong>: Exclamation points are reserved to identify SHA3 and DES hashes.&nbsp;<a href="%s" title="Go Back">Go back to profile</a>.'), wp_get_referer()));
    }
    return $user_display_name;
}

// Reserve exclamations to identify hash - first/last names
add_filter('insert_user_meta', function ($meta, $user, $update) {
    if ($update) {
        foreach (array('first_name', 'last_name') as $field) {
            if (isset($_POST[$field]) && strpos($_POST[$field], '!') !== false) {
                wp_die(sprintf(__('<strong>ERROR</strong>: Exclamation points are reserved to identify SHA3 and DES hashes.&nbsp;<a href="%s" title="Go Back">Go back to profile</a>.'), wp_get_referer()));
            }
        }
    }
    return $meta;
}, 10, 3);

// edit login text
add_filter('gettext', 'sha3_text');
add_filter('ngettext', 'sha3_text');
function sha3_text($translated) {
    $translated = str_ireplace('Username', 'Secure SignOn', $translated);
    return $translated;
}

// add usage info to footer
add_action('login_footer', 'sha3_footer');

function sha3_footer() {
    echo '<div id="login"><p id="nav">For Secure SignOn usage, visit <a href="https://www.sha3.org">sha3.org</a>.</p></div>';
}

// disable registration bp
function my_disable_bp_registration() {
    remove_action('bp_init',    'bp_core_wpsignup_redirect');
    remove_action('bp_screens', 'bp_core_screen_signup');
}
add_action('bp_loaded', 'my_disable_bp_registration');

add_filter('bp_get_signup_page', 'firmasite_redirect_bp_signup_page');
function firmasite_redirect_bp_signup_page($page) {
    return bp_get_root_domain() . '/wp-login.php?action=register';
}

// disallow editing of bp name field since
function bpfr_hide_profile_field_group($retval) {
    if (bp_is_active('xprofile')) {
        // hide profile group/field to all except admin
        if (!is_super_admin()) {
            // exclude fields, separated by comma
            $retval['exclude_fields'] = '1';
            // exclude groups, separated by comma
            $retval['exclude_groups'] = '1';
        }
    }
    return $retval;
}
add_filter('bp_after_has_profile_parse_args', 'bpfr_hide_profile_field_group');

/**
 * Custom js file (js/sha3-secure-signon.js).
 */
jQuery(document).ready(function() {
    jQuery('#user_login').attr('placeholder', 'User#Passphrase');
    jQuery('#user_email').attr('placeholder', 'User Email');
    jQuery('#user_pass').attr('placeholder', 'Site Password');

    // Clicking an already-checked radio deselects it by moving the check to the hidden "null" option
    var checked_val = null;
    jQuery('.no_option').on('click', function() {
        if (jQuery(this).val() == checked_val) {
            jQuery('input[name="hash"][value="null"]').prop('checked', true);
            checked_val = null;
        } else {
            checked_val = jQuery(this).val();
        }
    });
});
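The cross-domain claim rests on any site being able to recompute the same stored login from the same "User#Passphrase" input. The script below is an added example, not part of the plugin or of sha3.org's code: it re-derives the plugin's "Name!tripcode" and "!!sha3-224" logins outside WordPress so a second install or an auditor can check a stored user_login against a claimed input, and it shows one property reviewers should weigh, namely that DES crypt() only reads the first 8 bytes of the passphrase. Function names and the sample input are my own.

```php
<?php
// Added example: WordPress-free re-derivation of the plugin's hashed logins.

// Same tripcode steps as the plugin: salt from chars 2-3 of the passphrase,
// anything outside [.-z] replaced by '.', punctuation remapped, last 10 chars of DES crypt.
function sha3_signon_tripcode(string $passphrase): string {
    $salt = substr($passphrase . 'H.', 1, 2);
    $salt = preg_replace('/[^\.-z]/', '.', $salt);
    $salt = strtr($salt, ':;<=>?@[\\]^_`', 'ABCDEFGabcdef');
    return substr(crypt($passphrase, $salt), -10);
}

// The user_login the plugin would store for a given form input and hash mode.
function sha3_signon_identity(string $login, string $mode): string {
    if ($mode === 'des_tripcode') {
        if (strpos($login, '#') !== false) {
            $parts = explode('#', $login);
            return $parts[0] . '!' . sha3_signon_tripcode($parts[1]);
        }
        return '!' . sha3_signon_tripcode($login);   // no pound sign: whole input is the passphrase
    }
    if ($mode === 'sha3_hash') {
        return '!!' . hash('sha3-224', $login);
    }
    return $login;   // no hash mode selected: stored as typed
}

// Check that a user_login stored on another site was produced from a claimed input.
// hash_equals() keeps the comparison constant-time.
function sha3_signon_matches(string $stored, string $login, string $mode): bool {
    return hash_equals($stored, sha3_signon_identity($login, $mode));
}

// Constructed sample input (hypothetical user, not from the page).
$input = 'alice#correct horse';

// Two independent installs derive the same login from the same input.
$site_a = sha3_signon_identity($input, 'des_tripcode');
$site_b = sha3_signon_identity($input, 'des_tripcode');
var_dump($site_a === $site_b);                                                // same login on both sites
var_dump(sha3_signon_matches($site_a, 'alice#wrong horse', 'des_tripcode'));  // a different passphrase fails
var_dump(sha3_signon_matches($site_a, $input, 'des_tripcode'));               // the right passphrase verifies

// Caveat for reviewers: standard DES crypt() uses only the first 8 bytes of the passphrase,
// so two passphrases sharing those bytes ("correct horse" and "correct h") map to one identity.
var_dump(sha3_signon_identity('alice#correct horse', 'des_tripcode')
      === sha3_signon_identity('alice#correct h', 'des_tripcode'));

// The SHA3 mode hashes the whole input, so it has no such prefix limit.
var_dump(sha3_signon_identity('alice#correct horse', 'sha3_hash')
      === sha3_signon_identity('alice#correct h', 'sha3_hash'));
```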
