• Resolved DannyCarlton

    (@dannycarlton)


    I added the plugins and the first test told me that registration was turned off. I really didn’t want to turn on registration because spammers will clutter it up, but this is only a development site, so I turned it on. I was able to create a user using the API, but I wanted to test the security, so I opened a different browser, one that wasn’t logged in. I was able to get the nonce and create a user with that browser. Serious security flaw. I read through what little documentation you have and can’t find how to limit registration to only admins or a script.

  • Thread Starter DannyCarlton

    (@dannycarlton)

    I solved the problem by making a hard-to-guess API link (part of the plugin). Then I added a plugin that moved the login to a hard-to-guess location (I plan to log users in via the front-end site, which isn’t WordPress, but I’m still trying to figure out how to do that).

    Plugin Author Ali Qureshi

    (@parorrey)

    Hello Danny,

    In the User Plus version settings panel,

    1. you get API key protection that resolves this issue.
    2. you can also bypass the user registration restriction check for the register endpoint while keeping the website registration check intact.
    3. you can disable the nonce requirement.

    Regards,
    Ali
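
The pattern behind the fix discussed in this thread, as an added illustration that is not the plugin's own code: a WordPress REST registration route whose `permission_callback` decides authorization (admin capability or a shared API key) instead of relying on the nonce, which only ties a request to the page that issued it. The namespace `myplugin/v1`, the constant `MYPLUGIN_API_KEY`, and the function names are assumptions.

```php
<?php
// Added example, not the plugin's code. Hypothetical names: myplugin/v1,
// MYPLUGIN_API_KEY (assumed to be defined in wp-config.php), myplugin_*.

add_action( 'rest_api_init', function () {
    register_rest_route( 'myplugin/v1', '/register', array(
        'methods'             => 'POST',
        'callback'            => 'myplugin_register_user',
        // The X-WP-Nonce header only lets cookie authentication identify the
        // caller; whether that caller may create users is decided here.
        'permission_callback' => 'myplugin_can_register',
        'args'                => array(
            'username' => array( 'required' => true, 'sanitize_callback' => 'sanitize_user' ),
            'email'    => array( 'required' => true, 'sanitize_callback' => 'sanitize_email' ),
        ),
    ) );
} );

function myplugin_can_register( WP_REST_Request $request ) {
    // Path 1: a logged-in user who is allowed to create users (administrators).
    if ( current_user_can( 'create_users' ) ) {
        return true;
    }
    // Path 2: a server-side script presenting the shared API key.
    // hash_equals() gives a constant-time comparison.
    $key = $request->get_header( 'X-Api-Key' );
    if ( defined( 'MYPLUGIN_API_KEY' ) && is_string( $key )
         && hash_equals( MYPLUGIN_API_KEY, $key ) ) {
        return true;
    }
    // Anonymous browser with or without a nonce ends up here.
    return new WP_Error( 'rest_forbidden', 'Not allowed to register users.', array( 'status' => 401 ) );
}

function myplugin_register_user( WP_REST_Request $request ) {
    // Independent of the site's "Anyone can register" option, so public
    // registration can stay switched off while scripts still create users.
    $user_id = wp_create_user( $request['username'], wp_generate_password( 24 ), $request['email'] );
    if ( is_wp_error( $user_id ) ) {
        return $user_id;
    }
    return rest_ensure_response( array( 'id' => $user_id ) );
}
```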

  • The topic ‘Bad Security’ is closed to new replies.