• Hi.

    I’ve set up the plugin how I like it and it seems to be working well in testing.
    However, I have a concern and this involves the Guest Booking/Create an Account feature on the front end to complete the booking.

    Although this works as expected in that it creates an account etc., my concern lies in the fact that using this form to create the account, it doesn’t allow for strong passwords to be forced nor a honeypot/captcha or similar function to protect the new user registration? (The customer also receives the WordPress email to create password, even though you created one already – albeit insecure.)

    As an example of setting the password from this form, I can decide my password is a single letter…and sure enough – I can log in with a single letter. That really isn’t great is it?

    From the back end, at least, this works after a fashion. When you create a new customer, the customer receives an email to “reset” their password (as one hasn’t been set already). This allows the use of the proper WordPress function where strong passwords can be enforced and the form protected – “resetting” isn’t an elegant solution and can be confusing. But it does work to set a strong password.

    Site security is clearly important…and spam registrations can be a real pain. Is this something that should be addressed? Being able to set very weak passwords can’t really be by design, surely?

    Thanks again for your excellent work on this plugin though.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author Dimitri Grassi

    (@wordpresschef)

    Hi,

    Thank you for your feedback. For sure we’ll improve the password creation process in the upcoming releases.

    Thank you.

    Thread Starter wpconvert

    (@wpconvert)

    I also notice that if you create a booking/new user in the back end – on the calendar for example – the user gets 2 emails. One confirms the booking made and one asks the user to set a password.

    It appears there is no need to set a password. If the user clicks on the email to manage the booking, they can do this without having set a password.

    It would be great to see these issues addressed in the next update very soon!

    Thanks for your swift response – and thanks again for your work on this plugin. If these important security/password issues are resolved then it will be a great platform.

    Thread Starter wpconvert

    (@wpconvert)

    Any update on implementing strong passwords? Thanks

  • The topic ‘Guest login password security’ is closed to new replies.