We are building a landing page site (only 2 pages total) for a client who is physically mailing out access codes to specific customers. Therefore, I am trying to create a login system where, ideally, a user logs in with a pre-determined access code. I have been trying different login-type hacks, but nothing is working to create a single-step, simple process. The "verification" system that this site uses is close to what I'm looking for, …
After a friend's site was hacked, I told him he should just clean up the mess and restart from scratch so he knows that no file has been altered. I could scan the site for him with tools like grep and so on (for a start: Grep and Friends), but what I wondered about is: how do I scan the database? What if some hacker has placed a payload inside the database? It can be something simple like XSS or …
By default WordPress has an email verification step during registration, which I plan to override. I want the users to try out the website before sharing their personal email IDs. Is it possible to do an email verification at a later date automatically, say 15 days after registration? It would be sufficient time for users to get an experience of the website.
I'm trying to add a verified author badge to my blog, and I have been able to use this code: function add_verification_bagdge_to_authors($current_user) { global $post; $current_user = wp_get_current_user(); $admin_role = in_array( 'administrator', (array) $current_user->roles ); $verifed_author = in_array( 'verified_author', (array) $current_user->roles ); $tnt_first_name = $current_user->first_name; $display_name = $current_user->display_name; $tnt_last_name = $current_user->last_name; $combine_names = $tnt_first_name.' '.$tnt_last_name; if ( $admin_role && $current_user->ID == $post->post_author ) { $verify_ico = $combine_names .' '. '<i title="This is a Verified Author" class="userfnt-accept"></i>'; } elseif ( $verifed_author …
I am using a plugin which makes its code publicly available. Therefore, anyone can see the $action and $name parameters used to generate the nonces. Does this make my site more vulnerable since this reduces the added security provided by these parameters? Should I thus replace these parameters with my own values for them? Thanks.
I've implemented some AJAX functionality for my plugin and it works fine as long as I'm not logged in as admin - then wp_verify_nonce fails. It works for unauthorized users and authorized regular users too. Here's my PHP class (I removed everything that is not relevant to the issue): class My_Ajax { function __construct() { add_action( 'wp_ajax_geoip_citylist', array($this, 'geoip_citylist') ); add_action( 'wp_ajax_nopriv_geoip_citylist', array($this, 'geoip_citylist') ); add_action( 'wp_enqueue_scripts', array($this, 'geoip_localize_js'), 11 ); } function geoip_citylist() { if ( ! wp_verify_nonce($_POST['geoipNonce'], 'my_geoip_nonce') …
I would like to implement a plugin that requires new users to reply to an email, to verify their email address, on registration. I am already doing extensive codex research, but I am very new and would appreciate some hints, especially regarding keeping the user inactive until they have verified their email. The rest I think I will manage on my own.
I can see that wp_nonce_field generates a value in the hidden field. <input type="hidden" id="message-send" name="message-send" value="cabfd9e42d" /> But wp_verify_nonce doesn't seem to use that value, as far as I can tell (I may be wrong). It looks like it's using a session token for verification. $expected = substr( wp_hash( $i . '|' . $action . '|' . $uid . '|' . $token, 'nonce'), -12, 10 ); if ( hash_equals( $expected, $nonce ) ) { return 1; } Then what's the …
I am having difficulty understanding why user security and validation are so vague in WP (4.0). Surely email verification should come as default? Anyway, I have been trying to find a solution to user security. All I can seem to find are plugins that send email validation links on registration. This is great; however, a user can then log in and just change the email to [email protected], no questions asked. Either a) I now have an unverified user; or b) …
I'm making a plugin administration page with the settings API. I'd like to know a way to display a warning message when the user submits an invalid value. For example, with the below code, if the user sends an empty value for Option A, the first input field, I'd like to show a message that says it's invalid and please fill the form. And the other submitted option values should not be saved to the database but remain in the …
Is there a way to verify members' phone numbers by sending a code to their mobile phones, just like Facebook does? This would be very handy to stop spammers and allow only one user per phone number.