• Resolved ahojdane

    (@ahojdane)


    Hello,

    I’m considering using AcyMailing on my page. I tested it on localhost and I have a big security question about:

    Subscription via URL:
    https://docs.acymailing.com/setup/subscription-to-your-lists/external-subscription

    How can I secure this function? Because there is no security key, EVERYONE FROM THE OUTSIDE CAN ADD E-MAIL ADDRESSES to my list. Or am I wrong?

    I tried this on localhost, used this part:

    MYWEBPAGEURL/index.php?page=acymailing_front&ctrl=frontusers&task=subscribe&hiddenlists=1&user[email][email protected]&action=acymailing_frontrouter&noheader=1

    And it is working, the users are added to the list, the confirmation e-mails are sent to them. This function is very useful, but can also be harmful. Or am I wrong?

    Thank you very much!

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Support jeremyacy

    (@jeremyacy)

    Hello,

    There are two ways to secure this subscription method:

    • you can activate the captcha protection in the AcyMailing configuration page, tab “Security”. Only the URLs containing your security key will be “approved”.
    • you can change the “Allow non-logged in users” option under the “Subscription” tab, to only allow subscriptions from logged-in users.

    Thread Starter ahojdane

    (@ahojdane)

    Hello Jeremy, thank you very much.

    If I understand your answer correctly:

    1. Captcha protection in the first part of your answer is available only for paying customers, it is not available in the free version, right?
    2. If I turn off the option mentioned in the second part of your answer, only the users who also have an account (and are logged in) in my WordPress have the possibility to add themselves to the list, right?

    Thank you

    Plugin Support jeremyacy

    (@jeremyacy)

    You’re right, the captcha feature is only available starting from AcyMailing Essential, I forgot to ask if you had the starter version. This only leaves the other option.

    The second option is active for the subscription via URL and the submission of subscription forms.

    One other solution would be to modify the file wp-content/plugins/acymailing/front/controllers/frontusers.php and, near line 291, add a custom test based on an additional parameter, for example.
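
One way to write the "custom test based on an additional parameter" suggested in the reply above, as an added example that is not AcyMailing code and not part of the thread: the trusted system that builds the subscription URL signs the e-mail address with a shared secret, and the check rejects any request without a valid, unexpired signature for that exact address. The `exp` and `sig` parameter names, the function names and the secret are assumptions.

```php
<?php
// Added example, not AcyMailing code. The parameter names "exp" and "sig",
// the function names and the secret below are assumptions for illustration.

// Signs one e-mail address until $expires (Unix time). Run by the trusted
// system that builds the subscription URL.
function example_sign_subscription(string $email, int $expires, string $secret): string
{
    return hash_hmac('sha256', strtolower(trim($email)) . '|' . $expires, $secret);
}

// The custom test: true only when the request carries a valid, unexpired
// signature for exactly the address being subscribed.
function example_subscription_is_authorized(array $query, string $secret, ?int $now = null): bool
{
    $now   = $now ?? time();
    $email = $query['user']['email'] ?? null;
    $exp   = $query['exp'] ?? null;
    $sig   = $query['sig'] ?? null;

    // Reject missing or array-typed parameters (e.g. sig[]=x) before comparing.
    if (!is_string($email) || !is_string($exp) || !is_string($sig)) {
        return false;
    }
    // The expiry must be a plain decimal timestamp that has not passed yet.
    if (!ctype_digit($exp) || (int) $exp < $now) {
        return false;
    }
    // hash_equals compares in constant time, so the check leaks no timing hint.
    return hash_equals(example_sign_subscription($email, (int) $exp, $secret), $sig);
}

// Constructed sample data.
$secret = 'replace-with-a-long-random-secret';
$exp    = time() + 600;
$email  = 'subscriber@example.com';

$signed = ['user' => ['email' => $email], 'exp' => (string) $exp,
           'sig'  => example_sign_subscription($email, $exp, $secret)];
$bare   = ['user' => ['email' => $email]];                        // no signature at all
$swap   = ['user' => ['email' => 'other@example.com']] + $signed; // signature reused for another address

var_dump(example_subscription_is_authorized($signed, $secret));
var_dump(example_subscription_is_authorized($bare, $secret));
var_dump(example_subscription_is_authorized($swap, $secret));
```

Because the signature covers the address and an expiry, a subscription URL that leaks cannot be reused to add other addresses, and it stops working after the expiry time.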

    Thread Starter ahojdane

    (@ahojdane)

    OK, thank you very much!

  • The topic ‘Subscription via URL – security issue?’ is closed to new replies.