Login Security feature request – independent Password Reset enable/disable option
This topic has 9 replies, 4 voices, and was last updated 9 years, 9 months ago by WayneM.
Csaba (Participant)
One of my subscribers wrote to me that she can’t change her forgotten password, because the site is returning a “Password reset is not allowed for this user” error. After selectively disabling plug-ins and rechecking on another WordPress site it became obvious that the Login Security Password Reset feature was causing the problem.
The interesting part is that the Password Reset was on Enable and the error still came up. After some trial and error I figured out that if the Login Security Feature is Turned Off then the Password Reset option is reverting to disabled. This shouldn’t be the desired behaviour for those who don’t want to use the Login Security part. If I turn the Login Security On, then the Password Reset feature is working again as expected.
The switch statement in the includes/login-security.php file should probably be reformulated so that it takes into account the case when Login Security is Turned Off and Password Reset is to remain enabled.
AITpro Admin (Keymaster)
We will review this request shortly. Thank you.
AITpro Admin (Keymaster)
The best/correct approach would be to add an additional option under Turn On/Turn Off:
Turn On Login Security
Turn Off Login Security
Turn Off Login Security/Allow Independent Password Reset Capability
This seems like an option that will pass approval. Typically new options go through a 1 month development testing period before they are added to production version releases.
Csaba (Participant)
Thank you.
b-cat (Participant)
[Topic merged into this relevant topic]
On my site, when BPS Login Security is turned ON and “Enable Password Reset” is also turned on, the “Lost your password” link appears properly on the site’s login page.
However, when BPS Login Security is turned OFF (and the “Enable Password Reset” function was left unchanged), the “Lost your password” link suddenly disappears from the site login page.
When I deactivate BPS entirely, the “Lost your password” link reappears on the login page, so this appears to be something that BPS is blocking by default.
Is there a way to have BPS activated but turn off BPS Login Security and still allow the “Lost your password” link to appear on the login page?
AITpro Admin (Keymaster)
@b-cat – this will be added as a new option in a future version of BPS/BPS Pro.
b-cat (Participant)
Great…glad to hear that! Thanks.
WayneM (Participant)
I’d like to request an escalation to get this option included ASAP. I love the free BPS, but consider this issue to be a “bug fix” not a new option. I’m pretty sure this is a new issue, unless it’s been a problem since the time that Login Security was added to the free version. I have users telling me that they can not get new passwords – which means there are most likely dozens more users who this is a problem for.
As always, thanks for the great plugin 🙂
AITpro Admin (Keymaster)
Actually there are 2 things that are going on.
1. After more testing there is a bug where the filters in the switch code are being applied even though the condition says only apply the filters if Login Security is turned On. So even if Login Security is turned Off then the password reset link is not being displayed.
2. A new independent password reset link option will be added in the next version of BPS that will allow someone to independently enable or disable the password reset link from displaying on the Login page whether Login Security is On or Off.
To fix the bug issue that is occurring now with the password reset link you can edit the /bulletproof-security/includes/login-security.php file at code lines: 596 to 670 and add the code below that is highlighted in yellow. You are adding an additional condition that if Login Security is NOT Off then proceed to process the switch code. If Login Security is Off then the script will halt and not process the switch code:
```php
// Added condition: only process the switch code if Login Security is NOT Off
if ( $BPSoptions['bps_login_security_OnOff'] != 'Off' ) {

switch ( $BPSoptions['bps_login_security_OnOff'] == 'On' ) {
    case $BPSoptions['bps_login_security_pw_reset'] == 'disableFrontend':
        if ( !is_admin() ) {

        function bpspro_disable_password_reset() {
            return false;
        }
        add_filter( 'allow_password_reset', 'bpspro_disable_password_reset' );

        function bpspro_show_password_fields() {
            return false;
        }
        add_filter( 'show_password_fields', 'bpspro_show_password_fields' );

        function bpspro_remove_pw_text($text) {
            return str_replace( array('Lost your password?', 'Lost your password'), '', trim($text, '?') );
        }
        add_filter( 'gettext', 'bpspro_remove_pw_text' );

        // Replace invalidcombo error - valid user account / invalid user account same exact result
        function bpspro_login_error_invalidcombo($text) {
            return str_replace( 'ERROR: Invalid username or e-mail.', 'Password reset is not allowed for this user', $text );
        }
        add_filter ( 'login_errors', 'bpspro_login_error_invalidcombo');

        // Replace invalid_email error - valid email / invalid email same exact result
        function bpspro_login_error_invalid_email($text) {
            return str_replace( 'ERROR: There is no user registered with that email address.', 'Password reset is not allowed for this user', $text );
        }
        add_filter ( 'login_errors', 'bpspro_login_error_invalid_email');

        // Removes WP Shake It so that no indication is given of good/bad value/entry
        function bpspro_remove_shake() {
            remove_action( 'login_head', 'wp_shake_js', 12 );
        }
        add_filter ( 'shake_error_codes', 'bpspro_remove_shake');
        }
        break;
    case $BPSoptions['bps_login_security_pw_reset'] == 'disable':

        function bpspro_disable_password_reset() {
            return false;
        }
        add_filter( 'allow_password_reset', 'bpspro_disable_password_reset' );

        function bpspro_show_password_fields() {
            return false;
        }
        add_filter( 'show_password_fields', 'bpspro_show_password_fields' );

        function bpspro_remove_pw_text($text) {
            return str_replace( array('Lost your password?', 'Lost your password'), '', trim($text, '?') );
        }
        add_filter( 'gettext', 'bpspro_remove_pw_text' );

        // Replace invalidcombo error - valid user account / invalid user account same exact result
        function bpspro_login_error_invalidcombo($text) {
            return str_replace( 'ERROR: Invalid username or e-mail.', 'Password reset is not allowed for this user', $text );
        }
        add_filter ( 'login_errors', 'bpspro_login_error_invalidcombo');

        // Replace invalid_email error - valid email / invalid email same exact result
        function bpspro_login_error_invalid_email($text) {
            return str_replace( 'ERROR: There is no user registered with that email address.', 'Password reset is not allowed for this user', $text );
        }
        add_filter ( 'login_errors', 'bpspro_login_error_invalid_email');

        // Removes WP Shake It so that no indication is given of good/bad value/entry
        function bpspro_remove_shake() {
            remove_action( 'login_head', 'wp_shake_js', 12 );
        }
        add_filter ( 'shake_error_codes', 'bpspro_remove_shake');
        break;
}
// End of added condition
}
```
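Why the switch applied the filters with Login Security turned Off, as an added example that is not part of the original posts or the plugin's own code: PHP compares the switch value with each case loosely, so when `bps_login_security_OnOff == 'On'` is false, the first case whose own comparison is also false matches. The sketch models only the decision for a front-end request; the `'enable'` value, the empty-string value and the `reset_blocked_*` function names are assumptions made for illustration.

```php
<?php
// Added illustration: decision logic only, no WordPress calls. Models a
// front-end request, so the !is_admin() check in the first case is true.
// 'enable' is an assumed stand-in for the enabled setting; '' is a
// constructed value that is neither 'On' nor 'Off'.

// Logic before the fix: switch on a boolean with boolean case expressions.
function reset_blocked_original( array $o ): bool {
    switch ( $o['bps_login_security_OnOff'] == 'On' ) {
        case $o['bps_login_security_pw_reset'] == 'disableFrontend':
            return true; // the plugin registers its blocking filters here
        case $o['bps_login_security_pw_reset'] == 'disable':
            return true;
    }
    return false;
}

// Logic with the posted fix: same switch, guarded by the != 'Off' check.
function reset_blocked_patched( array $o ): bool {
    if ( $o['bps_login_security_OnOff'] != 'Off' ) {
        return reset_blocked_original( $o );
    }
    return false;
}

// Hypothetical explicit form: block only when On AND reset is disabled.
function reset_blocked_explicit( array $o ): bool {
    return $o['bps_login_security_OnOff'] === 'On'
        && in_array( $o['bps_login_security_pw_reset'],
                     array( 'disable', 'disableFrontend' ), true );
}

// Print the decision of each variant for every option combination.
foreach ( array( 'On', 'Off', '' ) as $onoff ) {
    foreach ( array( 'enable', 'disable', 'disableFrontend' ) as $reset ) {
        $o = array(
            'bps_login_security_OnOff'    => $onoff,
            'bps_login_security_pw_reset' => $reset,
        );
        printf( "%-5s %-16s original=%d patched=%d explicit=%d\n",
            "'$onoff'", $reset,
            reset_blocked_original( $o ),
            reset_blocked_patched( $o ),
            reset_blocked_explicit( $o ) );
    }
}
```

With `'Off'`, the original logic blocks the reset for every setting and the patched logic for none. The constructed `''` rows show that the added guard covers only the literal value `'Off'`.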
WayneM (Participant)
Wow! You are good.
Modified login-security.php file as indicated above – users can now access the password reset feature.
And, the rest of my site still works as before 🙂
Awesome. Thanks for such great and fast support.