Blog

WP-Members 2.8.10 released

Chad Butler · Jan 6, 2014 ·

This article is provided free. Find out how you can get full access to premium content, including how-to articles and support forums, as well as priority email support and member exclusive plugin extensions..

WP-Members 2.8.10 was released today. This was an unexpected, but important security update.

Some of you may have noticed that for a period of time today, WP-Members was unavailable in the wordpress.org repository. This was because there was a security vulnerability discovered in the plugin. It is the policy of wordpress.org to remove any plugin that has a vulnerability until that issue is resolved.

I was notified of this issue at approximately 10:40 central time today. By 12:30, I had created a patch which was tested and loaded to the repository by 2:00. The plugin team at wordpress.org tested this new version and restored the plugin to the repository by 8:00.

I appreciate the prompt communication from the wordpress.org team. We all take security seriously and their prompt contact with me allowed for a very quick turnaround in getting this fix out the door.

You might be wondering if you are affected by the vulnerability. The issue actually only affects those users that use the WP-Members custom fields on the WordPress default backend registration (wp-login.php?action=register) instead of the plugin’s default frontside registration. Since this is a feature that was only recently added specifically for users who did not read the plugin’s installation instructions, I suspect that this is only used by a small number of users (especially since the plugin’s default installation gives you a message to turn this off).

Regardless, I still recommend the update.

If you have any questions, please contact me.

WP-Members 2.8.9 release

Chad Butler · Dec 31, 2013 ·

I had initially expected that 2.8.8 would wrap up 2.8.x and the next release would be begin 2.9. But it looks like we need one more update to get through the period before 2.9 will be ready.

2.8.9 contains a couple of fixes, some updates to deal with the new Twenty Fourteen theme, and some updates that will help users transition to 2.9 (which will be rebuilding the form building functions). Continue Reading →

Workaround for WP-Members front end login when using a CAPTCHA device on the WP login form

Chad Butler · Dec 20, 2013 ·

If you using a plugin to implement a CAPTCHA on the WordPress login form (the backend login, wp-login.php), you will find that this is not always compatible with the WP-Members front end login.

WP-Members includes WP’s native hooks such as login_form for broad compatibility with plugins that may add additional authentication to the login. But these are not always compatible with WP-Members or with front-end logins in general.

If the third party plugin does not load its scripts on the front end, it will not be compatible. If you are getting failed logins with strange error messages (such as “human verification incorrect” or something like that), then the issue is likely that a third party CAPTCHA is being used, but cannot authenticate on the front end of the site.

What happens is that in order to implement the CAPTCHA, the plugin must remove the function wp_authenticate_username_password from the authenticate process with remove_filter. This allows the plugin to implement its own authentication that includes not only username and password, but also will validate the CAPTCHA.

This creates a problem since WP-Members also uses WP’s authentication to log a user in. Because the WP-Members form will only be passing two parameters, username and password, and the authentication is now requiring the addition of a third parameter (the CAPTCHA) that is not included in that form, the login will fail.

There are ways to work around this.

Continue Reading →

Restrict Post or Page Access to a Specific User

Chad Butler · Dec 20, 2013 ·

Every once in awhile, I get a question about restricting content (either page or post) to a specific user. There is a limited way to do that with the wpmem_securify filter, similar to the method for blocking content by category and user level.

This process is actually easier than blocking by levels or categories because you only need to determine three things:

Is the user logged in? If not, then it is blocked regardless.
If the user is logged in, but not the specified user, it is blocked and an error message is given.
If the user is logged in and is the specified user, then the content is delivered.

This example will make use of a couple of new action hooks that will allow us to add a dropdown selector of users to the WP-Members post meta box. Continue Reading →

WP-Members 2.9 Project: wpmem_login_form function

Chad Butler · Dec 5, 2013 ·

This post documents the new wpmem_login_form function updates for the upcoming 2.9 release. This content is currently only available to premium members. If you are not currently a member, find out more here. Continue Reading →