VWFeature

Did that, BROKE my site!! Oops.

I put
CACHEHOME =/home/<Admin name>/public_html/wp-content/plugins/wp-super-cache/ right at the top-

# WP SUPER CACHE 1.2
CACHEHOME =/home/<Admin name>/public_html/wp-content/plugins/wp-super-cache/

function wpcache_broken_message() {
	global $wp_cache_config_file;

did that, then got this error:

WP_CACHE constant set to false

The WP_CACHE constant is used by WordPress to load the code that serves cached pages. Unfortunately, it is set to false. Please edit your wp-config.php and add or edit the following line above the final require_once command:

define(‘WP_CACHE’, true);

((Ok, I can do that.))
I put

/** This was set to run WP Super Cache- */
define('WP_CACHE', true);

<strong>((HERE))</strong>
/** Absolute path to the WordPress directory. */
if ( !defined('ABSPATH') )
	define('ABSPATH', dirname(__FILE__) . '/');

<strong>((HERE))</strong>

/** Sets up WordPress vars and included files. */

<strong>((HERE))</strong>
require_once(ABSPATH . 'wp-settings.php');

One at a time, of course.
All gave me

HTTP ERROR 500

I looked in
/public_html/wp-content/wp-cache-config.php

and found
define( 'WPCACHEHOME', WP_CONTENT_DIR . "/plugins/wp-super-cache/" );

Removed the

/** This was set to run WP Super Cache- */
define('WP_CACHE', true);

STILL got the 500 error, flushed browser cache, still;
a few min later, site went back to

WP_CACHE constant set to false

The WP_CACHE constant is used by WordPress to load the code that serves cached pages. Unfortunately, it is set to false. Please edit your wp-config.php and add or edit the following line above the final require_once command:

define(‘WP_CACHE’, true);

((I’m stumped. How and exactly where do I put ))

/** This was set to run WP Super Cache- */
define('WP_CACHE', true);

Thanks for your help!!

Emailing a password is horribly insecure.
The email corpi go through many servers before arriving at the user’s door. Any of those could retain the email and use it to breach sites later.

In contrast, a reset link is only good for a limited time, so if someone came across an old email it wouldn’t breach the site.

This is an absolute deal-killer. Sorry.

I see you don’t understand continuous improvement. Or how to deal with customers.

Um- I can put the text in the image title-
But if I use infopopup, can I change the formatting of the text?

The link is in the “Tools” menu.

I agree

The link is in the “Tools” menu.
This is NOWHERE!! in the documentation. I found it in a support thread.

Again, does this have anything to do with MEMBERS? If the spams aren’t coming from members, then you need to prevent spam in general. Install Apache SpamAssassin in CPanel, to protect your website mailserver.

You may want to change the addresses you use on the website and delete the ones spam emails are being sent to.
What addresses are getting spam? (Just the username, not the domain name.) Do you you expose those email addresses on your site? Elsewhere on the web? (Scraper bots find and copy email addresses.)

If you expose emails on your site,you may want to install a plugin: Email Address Encoder.
(As far as I can tell based on what you’ve said, the spams have nothing to do with ultimate member.)

Emails?
Where are they getting your email address?
What makes you think it’s related to UM? Are these folks members? If you had spam COMMENTS or POSTS, then you could require email confirmation when people become members.
Look for a different spam solution- there’s many (Cerber, Wordfence, etc., etc..)

You need to give some more details of your installation. Describe your to/from email addresses
Is the email being sent from your domain? ([email protected]) or an outside SMTP server? Many email services, including Google and Yahoo bounce emails if not.

You need SSL. Look at “LetsEncrypt”(free SSL)-not all webhosts allow you to use it easily (it cuts out their reselling SSL services.) ZeroSSL allows you to use it manually.
Cloudflare can also give you SSL. It’s a CDN.

You may want to make sure your ‘canonical’ is “www.yourWebsite.com”, not “yourwebsite.com” It seems to prevent some problems, but too complex for me.

??IIUC, The native WordPress ‘nonces’ expire in 12-24 hours, and I think that’s what gets put in a reset password link. Does the plugin eliminate that feature?

Hi makemake,
The whitelist overrides the blacklist. When you set it up, Cerber automatically whitelists your IP adddress range. That means you COULD get attackers from your ISP, but that’s a small slice of the whole world. IMHO, it makes sense to disable the “admin” and “administrator” accounts, because they’re an obvious attack vector. Change your admin name to ‘your own Name plus some nonsense’ like George554, to reduce that vulnerability.

Read ArsTechnica’s articles on cracking.

And use a password manager (KeePass) and strong passwords https://makemeapassword.org/generate/ReadablePassphrase

If they’re attacking wp-admin, then yes, using the IP blacklist will help, as will blacklisting ISPs that use the forbidden “admin” or “administrator” user names.

As does having a 100+ bit password (https://dl.dropboxusercontent.com/u/209/zxcvbn/test/index.html)
It’s called a layered defense.

Hi Gioni,

Thanks for explaining this, and…good thinking!!
I was going to ask if the whitelist overrides the blacklist or vice versa, for exactly the reason the poster was thinking. If I change to an alternate login, then blacklist every IP that uses wp-login.php, bots only get one chance (besides, I have a 150 bit password) but if something glitches w the alternate login, I can still get in. Brilliant!!

Admin panel, > settings, > permalinks. Open cPanel, file manager, find .htaccess (dot means hidden-s et to see all) and check permissions on the file. Google for meaning of 0444, etc.