May 23, 2017 at 8:20 pm #8310Cole GeissingerMember
So I recently set the username field into my registration process because I noticed that email addresses were being set as the username. This is a security issue as the email and password is all that is needed for login. Setting the username field fixed future accounts exposing the email address in the username.
However, a user took over a user’s account because there is no way to set the Username to being unique… this should just always be set. This is a HUGE security issue.
I see you used to offer the option to set fields as unique but removed it?? Or is it just buried somewhere I’m not seeing it?
Let’s say I have a user that has existed since 2015 with a username “johnsmith”. Now if I have the username field in my registration form, any one can now take that account and all content associated to that account by registering a new account with that same username!
Any support in fixing this whether through filters or a new update (I recommend username should ALWAYS check for a unique fields because that’s how WordPress works or else you get this result).May 23, 2017 at 8:56 pm #8311Cole GeissingerMember
For now I built a work around that let’s me remove the username field and generate a username based on the first and last name.
By hooking into the filter user_meta_pre_user_register I can add to the userData array with user_login and this works great. In this I also use username_exists() and generate a unique ID at the endso this issue is avoided.June 11, 2017 at 12:13 pm #8331KhaledMember
In the case of email only registration, we used to generate username based on email (trimming everything after @). But lots of our users need to generate username same as email. So with the recent version, email and username are same. However, you can achieve different username by using filter hook.
add_filter( 'user_meta_username_without_domain', '__return_true' );
We are not checking username existence because for registration, we use built-in WordPress function which itself check duplicate username while registering user. The only reason that behaviour could be changed is using another plugin that manipulates this.
Please check again if you can register a user with the existing username. If you can, please try to deactivate related plugins.
- You must be logged in to reply to this topic.