• Resolved b2cdev

    (@bits2c)


    Hi Alexandre,

    First of all thanks a lot for this awesome plugin. Works very well and feels very well coded.

    I have three questions:
    – When a customer changes their password by requesting a link through WooCommerce ‘Lost Password’ it doesn’t get updated on the other site. I saw something in a post by you about after_password_reset which WooCommerce doesn’t use. Is there anything I can do about this? Use a custom hook or something to make this work?

    – Can I exclude admins from every sync? Right now I only ticked customer and subscriber, but my own admin account gets synced as well between sites. I thought the ‘List of roles to transfer’ was meant to be able to exclude roles, but apparently it doesn’t skip Administrator roles. I also only accept customer and subscriber on the receiving site, but still my admin account gets synced.

    – I’m using Wordfence 2FA on both sites, but the login/logout bypasses this on the other site. So if I disable 2FA on one site and log in as admin, I automatically get logged in on the other site which does use 2FA. This would be solved if my question above is possible, but for now I’m wondering how safe this is. Will this make my sites more vulnerable?

    Thanks a lot in advance!

    Best,

    • This topic was modified 4 years, 5 months ago by b2cdev.
Viewing 4 replies - 1 through 4 (of 4 total)
  • Hi Bits2C

    Did you manage to solve your WooCommerce “lost password” issue? We are having the same problem.

    Thread Starter b2cdev

    (@bits2c)

    Hey trademark2k6,

    Managed to solve it with a workaround. The WordPress password reset function page does work with this plugin. So in WooCommerce I removed the password reset link by going to WooCommerce -> Settings -> Advanced tab. Your website will then automatically switch to the WordPress built-in password reset page.

    Unfortunately not the best solution for our customers, but for now it works. I applied some custom CSS to the page to make it fit our design a bit more.

    It should be fixed in the future by WooCommerce I think. There is currently an open issue on GitHub about this. So for now I use this workaround and switch when WooCommerce does hook into the after password change.

    https://github.com/woocommerce/woocommerce/issues/27795

    Hi bits2c,

    Thanks for the reply. I actually just booked someone on upwork to help tackle this.

    I am also having another issue – the WooCommerce meta fields such as first name, last name, phone number etc. are not being synced across. Did you experience this at all?

    Plugin Author Alexandre Froger

    (@frogerme)

    Hello,

    Apologies for the late reply, I have kept my involvement to bug fixes lately due to a lack of free time.

    Answering the original questions:

    • Your assumptions are right: it’s a matter of leveraging WooCommerce-specific hooks. This 3rd party plugin doesn’t use standard hooks in several instances, and Lost Passwords is one of them. It is at this moment an unsupported feature, and contributions are welcome on GitHub to speed things up.
    • The Roles action is there to control whether role synchronisation is active or not – not to include/exclude the users themselves. There is at this stage no feature in core allowing to do that: all users are synchronised. To be part of WPRUS core, this feature would involve significant work on both interface and logic. It is at this moment an unsupported feature, and contributions are welcome on GitHub to speed things up.
    • Sharing authentication between multiple sites increases vulnerability only in the case 1 site is more vulnerable than the others. With this taken into account, it is indeed a risk, but no bigger than, say, the popular plugin MainWP.
    • I will close the topic for now because these are general enquiries/feature requests.

      Now, if you @trademark2k6 are willing to contribute the source code of your solution, I can consider including it in the core integrations some time in a future release, and ensure its future maintenance.

  • The topic ‘WooCommerce lost password, exclude admin sync and admin security’ is closed to new replies.