This is a multi-faceted problem that might, at first (at least to me), look easy. Not sure if the code works, but it's close to working and, most importantly, showcases the flow of how things need to happen:
/**
 * First of all, hook up to the login process.
 */
add_action( 'wp_login', function( $user_login, $user ) {
    //Let's see if the user that just logged in has a proper password, meaning, he reset his default one to a custom one.
    $has_proper_password = get_user_meta( $user->ID, 'has_proper_password', true );
    //If he doesn't
    if( $has_proper_password === '0' ) {
        //Always redirect him to that password panel.
        wp_safe_redirect( wp_lostpassword_url() );
        //Stop here so the redirect is actually sent.
        exit;
    }
}, 10, 2 ); //Priority 10 and 2 accepted arguments, so that $user is passed in.
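So, first of all, you hook into the login process. I'm assuming you're generating a default password for your users and mailing it to them, and the reason you want it changed is that plain text is never acceptable if an attacker gets access to the medium it was sent to. Back to the topic,
the core of this sub-system will be a user_meta with the flag has_proper_password, where you store a flag that tells us whether a given user has reset their default password. Whenever they log in, if they haven't changed the default password, they simply get redirected to your screen. Moving on.
Then, when the user attempts the reset, you need to grab their current hashed password. The password_reset hook fires right before that: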
//Let's store the old password, before the reset happened.
$old_password_hash = '';
//We'll grab it from the 'password_reset' hook which fires right before the password is updated.
add_action( 'password_reset', function( $user, $new_pass ) use ( &$old_password_hash ) {
    //Captured by reference so the 'after_password_reset' callback can read it.
    $old_password_hash = $user->user_pass;
}, 10, 2 );
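Great, now we have the user's hash. Let's assume a successful password change happened. To sum up, you want to go back to that user_meta and, if the user's default password had not been changed yet, follow this logic:

1. Is the new password the same as the old one? If so, redirect back to the change-password screen with a new message or something similar. If not, continue.
2. So, the new password is a completely new one, and valid too, great. All we have to do now is update that user_meta to tell the system that, when the user logs in again, it should not block him and ask for a valid password, because one already exists.
3. Redirect to the login or, if you want to have fun, pass the session through code so that the user doesn't have to log in again.

All of this, in code: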
//Second of all, hook up to the change password process.
add_action( 'after_password_reset', function( $user, $new_pass ) use ( &$old_password_hash ) {
    $has_proper_password = get_user_meta( $user->ID, 'has_proper_password', true );
    /**
     * If, before this reset happened, the user still didn't have a proper password and now
     * he supposedly does
     */
    if( $has_proper_password === '0' ) {
        //First of all, is the password that was just updated the same as the one that we gave to them?
        if( wp_check_password( $new_pass, $old_password_hash ) === true ) {
            //Redirect back to that reset page? I don't know.
            //Either way, stop here so the flag stays at '0'.
            wp_safe_redirect( wp_lostpassword_url() );
            exit;
        }
        //But if it isn't and therefore the newly picked password is a different one, let the system know by attaching some data to the user.
        //update_user_meta() overwrites the existing '0'; add_user_meta() would only append a second value.
        $update = update_user_meta(
            $user->ID,
            'has_proper_password',
            '1'
        );
        //If the update failed, no worries, next time the user will just be prompted to reset again, however, this is an issue you'll have to solve.
        if( $update === false ) {
            return;
        }
    }
}, 10, 2 );
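
The wp_login redirect above runs once, after the auth cookie has already been set, so a user who navigates away from the reset screen keeps a working session. As an added example (not part of the original answer), this enforces the same has_proper_password flag on every request. The user_register hook and the premise that every new account starts with a generated default password are assumptions of this example.

```php
<?php
/**
 * Added example, not code from the original answer.
 * Assumption: every new account is created with a generated default password.
 */

// Mark each new account as still using its default password.
add_action( 'user_register', function ( $user_id ) {
    update_user_meta( $user_id, 'has_proper_password', '0' );
} );

// Gate every request made by a logged-in user whose flag is still '0'.
add_action( 'init', function () {
    if ( ! is_user_logged_in() ) {
        return;
    }

    $flag = get_user_meta( get_current_user_id(), 'has_proper_password', true );

    // Accounts that never received the flag return '' and are left alone.
    if ( $flag !== '0' ) {
        return;
    }

    // Let wp-login.php through (reset form, reset link, logout),
    // otherwise the redirect below would loop forever.
    if ( isset( $GLOBALS['pagenow'] ) && $GLOBALS['pagenow'] === 'wp-login.php' ) {
        return;
    }

    wp_safe_redirect( wp_lostpassword_url() );
    exit;
} );
```

With this gate in place, the only way out is the reset flow, which ends in the after_password_reset callback that sets the flag to '1'.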