strangerstudios / pmpro-strong-passwords
Require members to use “Strong” passwords based on required characters.
Home Page: https://www.paidmembershipspro.com/add-ons/require-strong-passwords/
=== Paid Memberships Pro - Require Strong Passwords ===
Contributors: strangerstudios, scottsousa
Tags: password, security, strong password
Requires at least: 5.2
Tested up to: 6.6
Requires PHP: 7.2
Stable tag: 0.5.0
License: GPL 2.0
License URI: https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html

Force users to submit strong passwords on checkout.

== Description ==

Require members to use strong passwords on their initial checkout. This makes use of the default WordPress password strength calculation (the same functionality used when changing your default WordPress password). Improve security on your WordPress membership site.

== Installation ==

1. Upload the 'pmpro-strong-passwords' directory to the '/wp-content/plugins/' directory of your site.
2. Activate the plugin through the 'Plugins' menu in WordPress.

== Frequently Asked Questions ==

= I need help with this plugin =

Please post support topics to [https://www.paidmembershipspro.com](https://www.paidmembershipspro.com)

== Changelog ==

= 0.5 - 2021-09-28 =
* ENHANCEMENT: Added a new filter, `pmprosp_minimum_password_length`, to allow fewer required characters for sites using the custom password checker. #41 (@mircobabini)
* ENHANCEMENT: Updated the Zxcvbn library to support PHP 8.0. #43 (@mircobabini)
* BUG FIX/ENHANCEMENT: Fixed JavaScript warning for WordPress sites on 5.5.0+; support the newer method `userInputDisallowedList`. #37 (@andrewlimaza)
* BUG FIX/ENHANCEMENT: Fixed issue for sites running PHP 7.2 or lower. The new version of the Zxcvbn library requires PHP 7.2+; older PHP versions will run our custom checker. #35 (@andrewlimaza)

= 0.4 =
* BUG FIX: Fixed an issue where sites running PHP 5.6 would fatal error. This uses a custom password checker for sites on PHP 5.6. Recommended PHP version is 7.2+.

= 0.3 =
* BUG FIX: Fixed bug where a warning was shown if the $post global was empty. (Thanks, Mirco Babini)
* ENHANCEMENT: Updated to use the same "Zxcvbn" library that core WordPress and PMPro use for checking password strength.

= 0.2.2 =
* Bug Fix: Remove warning for logged-in users. Skip logic for checking password.

= 0.2.1 =
* Bug Fix/Enhancement: Added a hint under Confirm Password.
* Enhancement: Add PHP check for password strength that was removed in 0.2.
* Enhancement: Improved JavaScript password checker.

= 0.2 =
* Bug Fix/Enhancement: Adjust priority of 'pmpro_checkout_after_password' filter to avoid conflicts with other Add Ons hooking in on this.
* Enhancement: Using WordPress built-in password strength meter.
* Enhancement: Additional filters added; please see https://www.paidmembershipspro.com/add-ons/require-strong-passwords/ for available filters.
* Enhancement: Implement Internationalization.
* Enhancement: Translation for German and German (Formal) - Thanks to 00travelgirl00
* Deprecated: Temporarily commented out functionality from initial release. To restore custom password checks, please add "add_filter( 'pmpro_checkout_after_password', 'pmprosp_pmpro_checkout_after_password', 1 );" to your PMPro Customizations Plugin.

= 0.1 =
* Initial commit

== Upgrade Notice ==

= 0.2.2 =
Please upgrade to version 0.2.2 for minor bug fixes.

= 0.2 =
Please upgrade to receive nifty new features and improved functionality with the default WordPress password strength calculator.
You have already checked the password strength on password field, then you just have to check the match/mismatch on password2, not re-calculating the progress bar. It doesn't make any sense and it's confusing.
For those on older versions of PHP, this ZIP should work for you while we patch the plugin.
Developers:
The issue is the library dropped PHP < 7.3 support in this release: https://github.com/bjeavons/zxcvbn-php/releases/tag/1.0.0
The latest is: https://github.com/bjeavons/zxcvbn-php/releases/tag/1.1.0
If the PHP version is older than 7.2, the password strength check is done with the function pmpro_strong_password_custom_checker.
pmpro-strong-passwords/pmpro-strong-passwords.php, lines 82 to 84 in cb0591e
When the password does not meet the required length during a check using this function an error is logged:
PHP Notice: Undefined variable: password_min_length in /path/wp-content/plugins/pmpro-strong-passwords/pmpro-strong-passwords.php on line 143
We should use the variable $minimum_password_length as the parameter for the localized text string from here:
There may be other strings shown to users, but there are a couple in here:
https://github.com/strangerstudios/pmpro-strong-passwords/blob/4c683441d04fe52f7690a916fcbbde630a0c842b/vendor/bjeavons/zxcvbn-php/src/Feedback.php
If the WP site running this add on is not in English, these words will show up untranslated.
Wrapping these strings in __()/etc for WP could work, but then it would be hard to update this library without having to redo that work. (That might be worth it. I don't know how often this library is updated.)
Another option would be to update the plugin to get the responses from the library and then compare them and swap them with localized versions. This way, translations would still work if the library was updated... unless new strings were introduced somehow. Then we'd have to update our code to handle them.
So it would be like:
$suggestions = $password_strength['feedback']['suggestions'];
foreach ( $suggestions as $key => $text ) {
	if ( $text === 'Add another word or two. Uncommon words are better.' ) {
		$suggestions[ $key ] = __( 'Add another word or two. Uncommon words are better.', 'pmpro-strong-passwords' );
	}
}
Here is where the message is set: https://github.com/strangerstudios/pmpro-strong-passwords/blob/dev/pmpro-strong-passwords.php#L112
There is a filter there already (pmprosp_minimum_password_score_message). But it would be good to not require custom code for these translations.
When a password tooltip contains a double quotation mark (") the JavaScript rendered tooltip breaks from the point where the double quotation is encountered.
To Recreate
* Hover over the ? after the Password field label.
A temporary workaround is to filter the password hint:
function my_pmprosp_password_hint( $password_hint ) {
	if ( function_exists( 'pmpro_strong_password_check' ) ) {
		// Remove the double quote that causes issues with the JavaScript tooltip.
		$password_hint = str_replace( '"', '', $password_hint );
	}
	return $password_hint;
}
add_filter( 'password_hint', 'my_pmprosp_password_hint' );
Found on a client site:
wp.passwordStrength.userInputBlacklist() is deprecated since version 5.5.0! Use wp.passwordStrength.userInputDisallowedList() instead. Please consider writing more inclusive code.
Logging this now and will add environment details when I have them ready.
The minimum required characters for a strong password is set at 8 characters. It could be beneficial to consider adding a filter that allows a custom required password length to be set.
As a workaround, this is currently possible by replacing the existing filter here:
pmpro-strong-passwords/pmpro-strong-passwords.php, lines 63 to 127 in cf6ea50
Because match is a reserved word in PHP 8, the bjeavons/zxcvbn-php library used by this plugin throws syntax errors due to its Match class.
Example of the kind of errors from the site PHP error_log:
PHP Parse error: syntax error, unexpected token "match", expecting variable in /home/SITE_ROOT/public_html/wp-content/plugins/pmpro-strong-passwords/vendor/bjeavons/zxcvbn-php/src/Matcher.php on line 92
Release 1.2.0 fixes this incompatibility, while still being compatible with the same minimum PHP version as this plugin (7.2).
and this is a huge drawback. People get tired of trying or adding new characters at the end. It keeps asking for a special character though it is already added. Strangely, in several attempts it says medium for a 9 letter password and when you add one more it goes back to weak and no matter how many characters you add it stays there.
Improve password strength requirements to match WordPress default password strength validator.
I may do a PR kind of soon.
The error is the following:
PHP Parse error: syntax error, unexpected 'const' (T_CONST), expecting variable (T_VARIABLE) in wp-content/plugins/pmpro-strong-passwords/vendor/bjeavons/zxcvbn-php/src/Matcher.php on line 10
My server config:
Linux Debian
PHP 7.0
MySQL 5.5.62
Once the pmpro-strong-passwords extension is deactivated, the error is gone and the sign up process completes smoothly.
We should allow developers to filter the required password length; some site owners may want passwords with a length of 9 characters, for example.
Code Ref: https://github.com/strangerstudios/pmpro-strong-passwords/blob/dev/pmpro-strong-passwords.php#L141
The password strength note below the password field(s) is changeable through the language files (*.mo, *.po) but not using a gettext filter to change the string.
Currently removing the existing filter and replacing it with a custom filter can be used as a workaround.
function switch_my_pmpro_password_notice() {
	if ( has_filter( 'pmpro_checkout_after_password', 'pmprosp_pmpro_checkout_after_password' ) ) {
		remove_filter( 'pmpro_checkout_after_password', 'pmprosp_pmpro_checkout_after_password', 1 );
		add_filter( 'pmpro_checkout_after_password', 'my_pmprosp_pmpro_checkout_after_password', 1 );
	}
}

function my_pmprosp_pmpro_checkout_after_password() {
	?>
	<div id="pmprosp-container"></div>
	<?php
	echo '<small id="pmprosp-password-notice">Custom note goes here</small>';
}
PMPro strong passwords add on disables the Submit button if the password entered was less than “Strong”.
There should be a notification letting the user know the reason the Submit button is disabled is because of the weak password
When using pmpro-addname-to-checkout, the name fields are displayed before the password strength message and as such the password strength message is wrongly displayed after the name fields instead of after password fields.
A workaround would be to add a priority here
add_filter( "pmpro_checkout_after_password", "pmprosp_pmpro_checkout_after_password", 1 );
Describe the bug
When hovering over the ? to display the password hint tooltip, the tooltip text string in the data-tooltip attribute ends with the first occurrence of a double quote and the remaining characters thereafter are rendered as attributes, e.g. symbols like ! " ?="" $="" %="" ^="" &="" )."="">?</span>
Original string:
Hint: The password should be at least twelve characters long. To make it stronger, use upper and lower case letters, numbers, and symbols like ! " ? $ % ^ & ).
Rendered HTML:
<span class="pmprosp-tooltip__password" data-tooltip-location="right" data-tooltip="Hint: The password should be at least twelve characters long. To make it stronger, use upper and lower case letters, numbers, and symbols like ! " ?="" $="" %="" ^="" &="" )."="">?</span>
Displayed string:
Hint: The password should be at least twelve characters long. To make it stronger, use upper and lower case letters, numbers, and symbols like !
Additional Notes
The password hint is obtained using the wp_get_password_hint() function and passed to the JavaScript using wp_localize_script here:
Using the password_hint filter available for the wp_get_password_hint() function to replace a double quote (") with either the equivalent named or hex HTML entity does not resolve this, while replacing any variant of the double quote with two single quotes does.
For example:
function password_hint_replace_double_quotes( $password_hint ) {
	// Literal double quote, named entity and hex entity are all replaced with two single quotes.
	return str_replace( array( '"', '&quot;', '&#x22;' ), "''", $password_hint );
}
add_filter( 'password_hint', 'password_hint_replace_double_quotes' );
As an alternative method, one can look at correcting this in the JavaScript file by adding a replace(/"/g, '&quot;') call to pwsL10n.password_tooltip:
jQuery('.pmpro_checkout-field-password label').append('<span class="pmprosp-tooltip__password" data-tooltip-location="right" data-tooltip="' + pwsL10n.password_tooltip.replace(/"/g, '&quot;') + '">?</span>');
To Reproduce
Steps to reproduce the behavior:
* Hover over the ? next to the password label.
* Inspect the span element with class pmprosp-tooltip__password.
Expected behavior
The tooltip HTML is rendered correctly and the text string is displayed in full.
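Both tooltip reports on this page (the earlier "To Recreate" one and this one) come down to the same cause: the hint is dropped into an HTML attribute by string concatenation in JavaScript, so the first " in it closes data-tooltip and the rest of the hint is parsed as stray attributes. Replacing " with an entity in the password_hint filter does not help because wp_localize_script() runs html_entity_decode() on every value it hands to the script, so the entity is turned back into a quote before the concatenation happens. The following is an added example, not the plugin's own code, that renders the tooltip in PHP and escapes at the point of insertion with esc_attr(). The example_ function names and the placement of the span (printed through the pmpro_checkout_after_password hook rather than appended to the label by JavaScript) are assumptions; the fallback definitions at the top exist only so the file runs from the PHP CLI without WordPress.

```php
<?php
// Added example, not the plugin's own code. Function names prefixed example_ are hypothetical.

// Fallbacks so the example also runs from the PHP CLI outside WordPress;
// inside WordPress the core functions are used instead.
if ( ! function_exists( 'esc_attr' ) ) {
	function esc_attr( $text ) {
		return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
	}
}
if ( ! function_exists( 'wp_get_password_hint' ) ) {
	function wp_get_password_hint() {
		// Constructed sample matching the hint quoted in the bug report.
		return 'Hint: The password should be at least twelve characters long. To make it stronger, use upper and lower case letters, numbers, and symbols like ! " ? $ % ^ & ).';
	}
}

/**
 * Build the tooltip markup with the hint escaped for an attribute context.
 * '"' becomes &quot; and '<' becomes &lt;, so the hint can never close the
 * data-tooltip attribute or start a tag, whatever a translation contains.
 */
function example_pmprosp_password_tooltip_html( $hint ) {
	return sprintf(
		'<span class="pmprosp-tooltip__password" data-tooltip-location="right" data-tooltip="%s">?</span>',
		esc_attr( $hint )
	);
}

/**
 * Hypothetical hook callback: print the tooltip from PHP instead of passing
 * the raw hint to JavaScript through wp_localize_script().
 */
function example_pmprosp_print_password_tooltip() {
	echo example_pmprosp_password_tooltip_html( wp_get_password_hint() );
}

if ( function_exists( 'add_filter' ) ) {
	add_filter( 'pmpro_checkout_after_password', 'example_pmprosp_print_password_tooltip', 1 );
} else {
	// CLI demo: the output keeps the full hint, with the quote rendered as &quot;.
	echo example_pmprosp_password_tooltip_html( wp_get_password_hint() ), PHP_EOL;
}
```

Run with `php tooltip-example.php` to see the escaped attribute; the same rule (escape for the context you are inserting into, at the moment you insert) is what the JavaScript replace(/"/g, '&quot;') workaround does on the client side, but doing it in PHP means a translator or a future core change to the hint text cannot reintroduce the problem.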
I am trying to translate the sequential messages: <div id="pmpro_message" class="pmpro_message pmpro_error">Password Error: Add another word or two. Uncommon words are better. Avoid sequences</div>
Using the Loco Translate plugin, I have already translated all the terms but this message simply does not exist for translation and I could not even launch a script then to force translation by means of the .pmpro_message .pmpro_error classes because they are used for other feedbacks. How can I solve this?
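The translation problem raised here, and in the earlier thread about the Feedback.php strings, can be handled without wrapping the vendored library in __(): keep a lookup table keyed by the library's exact English strings and swap them on the way out, letting any unknown string through unchanged so a library upgrade leaves one message in English rather than breaking checkout. This is an added example, not the plugin's own code; the example_ function names are hypothetical, only the two feedback strings quoted on this page are in the table, and the __() fallback exists so the file runs from the PHP CLI.

```php
<?php
// Added example, not the plugin's own code. Function names prefixed example_ are hypothetical.

// Fallback so the example runs from the PHP CLI; WordPress defines __() itself.
if ( ! function_exists( '__' ) ) {
	function __( $text, $domain = 'default' ) {
		return $text;
	}
}

/**
 * Lookup table keyed by the library's exact English feedback string. The
 * values are literal __() calls, so gettext tools (and Loco Translate) can
 * extract them into the pmpro-strong-passwords text domain. Only the two
 * strings quoted on this page are listed; add further library strings as needed.
 */
function example_pmprosp_feedback_translations() {
	return array(
		'Add another word or two. Uncommon words are better.' => __( 'Add another word or two. Uncommon words are better.', 'pmpro-strong-passwords' ),
		'Avoid sequences'                                    => __( 'Avoid sequences', 'pmpro-strong-passwords' ),
	);
}

/**
 * Translate the 'warning' and 'suggestions' entries of a zxcvbn-php feedback
 * array. Unknown strings (for example ones introduced by a newer library
 * release) pass through untouched, so an upgrade degrades to one English
 * string rather than an error.
 */
function example_pmprosp_translate_feedback( array $feedback ) {
	$map       = example_pmprosp_feedback_translations();
	$translate = function ( $text ) use ( $map ) {
		return isset( $map[ $text ] ) ? $map[ $text ] : $text;
	};

	if ( ! empty( $feedback['warning'] ) ) {
		$feedback['warning'] = $translate( $feedback['warning'] );
	}
	if ( ! empty( $feedback['suggestions'] ) ) {
		$feedback['suggestions'] = array_map( $translate, $feedback['suggestions'] );
	}
	return $feedback;
}

/**
 * Assemble the "Password Error: ..." text in the shape quoted on this page
 * (warning first, then suggestions, space separated).
 */
function example_pmprosp_password_error_message( array $feedback ) {
	$feedback = example_pmprosp_translate_feedback( $feedback );
	$parts    = array();
	if ( ! empty( $feedback['warning'] ) ) {
		$parts[] = $feedback['warning'];
	}
	foreach ( (array) ( $feedback['suggestions'] ?? array() ) as $suggestion ) {
		$parts[] = $suggestion;
	}
	return __( 'Password Error:', 'pmpro-strong-passwords' ) . ' ' . implode( ' ', $parts );
}

// Constructed sample shaped like $password_strength['feedback'] from zxcvbn-php.
$example_feedback = array(
	'warning'     => '',
	'suggestions' => array(
		'Add another word or two. Uncommon words are better.',
		'Avoid sequences',
	),
);
echo example_pmprosp_password_error_message( $example_feedback ), PHP_EOL;
```

Because the table is keyed by the English text rather than by position, an updated library that reorders or adds suggestions still matches every string it already knew about; the only maintenance is adding new keys when a release introduces new feedback text.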
Overall this plugin works great! I have run into one issue though since deploying it: Users who try to register are not sure what "special characters" are when creating their passwords. A lot of my users have been trying to use underscores as that 1 required special character, but this plugin and WordPress do not consider that to be "special" enough.
According to WP, the actual special characters that it requires are as follows: !@#$%^&*()
source: http://codex.wordpress.org/Function_Reference/wp_generate_password
My request is to include the list of special characters in the "A strong password requires..." text that gets added to the sign-up forms. This way people who are signing-up don't have to guess multiple times until they hit the right special character.
I know how to custom code this in myself since I'm a programmer, but having this pre-built into the code will definitely help a lot of non-programmers in the future!
Thanks,
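Several threads above ask for the same things from the character-based checker: a filterable minimum length (the 8-character default and the site owner who wants 9), an error message that uses the same variable as the check (the "Undefined variable: password_min_length" notice), and a message that spells out which special characters count (this request, with the !@#$%^&*() list from the Codex). The following added example, not the plugin's own code, puts the three together in one checker. The example_ function names are hypothetical; pmprosp_minimum_password_length is the filter named in the 0.5 changelog; the add_filter()/apply_filters()/__() stand-ins at the top exist only so the file runs from the PHP CLI without WordPress.

```php
<?php
// Added example, not the plugin's own code. Function names prefixed example_ are hypothetical.

// Minimal stand-ins so the example runs from the PHP CLI; inside WordPress
// the real add_filter(), apply_filters() and __() are used instead.
if ( ! function_exists( 'add_filter' ) ) {
	$GLOBALS['example_filters'] = array();
	function add_filter( $hook, $callback, $priority = 10, $accepted_args = 1 ) {
		$GLOBALS['example_filters'][ $hook ][] = $callback;
		return true;
	}
	function apply_filters( $hook, $value ) {
		foreach ( $GLOBALS['example_filters'][ $hook ] ?? array() as $callback ) {
			$value = call_user_func( $callback, $value );
		}
		return $value;
	}
}
if ( ! function_exists( '__' ) ) {
	function __( $text, $domain = 'default' ) {
		return $text;
	}
}

// What a site owner would put in a PMPro Customizations Plugin to require
// nine characters. pmprosp_minimum_password_length is the filter named in the
// 0.5 changelog; 8 is the default length mentioned in the request above.
add_filter( 'pmprosp_minimum_password_length', function ( $length ) {
	return 9;
} );

/**
 * Hypothetical character-based checker. Returns an array of user-facing
 * error strings; an empty array means the password passes.
 */
function example_pmprosp_check_password( $password ) {
	$minimum_password_length = (int) apply_filters( 'pmprosp_minimum_password_length', 8 );
	// The characters wp_generate_password() treats as special, per the WordPress
	// Codex page cited above. Underscore is deliberately not among them.
	$special_characters = '!@#$%^&*()';
	$errors             = array();

	$length = function_exists( 'mb_strlen' ) ? mb_strlen( $password ) : strlen( $password );
	if ( $length < $minimum_password_length ) {
		// The same variable feeds the check and the message, which avoids the
		// "Undefined variable: password_min_length" notice reported above.
		$errors[] = sprintf( __( 'The password must be at least %d characters long.', 'pmpro-strong-passwords' ), $minimum_password_length );
	}
	if ( ! preg_match( '/[A-Z]/', $password ) ) {
		$errors[] = __( 'Add at least one upper case letter.', 'pmpro-strong-passwords' );
	}
	if ( ! preg_match( '/[a-z]/', $password ) ) {
		$errors[] = __( 'Add at least one lower case letter.', 'pmpro-strong-passwords' );
	}
	if ( ! preg_match( '/[0-9]/', $password ) ) {
		$errors[] = __( 'Add at least one number.', 'pmpro-strong-passwords' );
	}
	if ( false === strpbrk( $password, $special_characters ) ) {
		// Spell out the accepted list so users do not have to guess.
		$errors[] = sprintf( __( 'Add at least one special character from: %s', 'pmpro-strong-passwords' ), $special_characters );
	}
	return $errors;
}

// Constructed samples: an underscore does not count, a short password trips
// the filtered minimum, and the last one passes every rule.
foreach ( array( 'my_pass_1', 'Ab1!', 'Str0ng!pass' ) as $candidate ) {
	$errors = example_pmprosp_check_password( $candidate );
	echo $candidate, ': ', $errors ? implode( ' ', $errors ) : 'OK', PHP_EOL;
}
```

Returning all failing rules at once, rather than the first one, is what stops the "keeps asking for one more thing" experience described in the earlier complaint: the user sees every requirement in a single message, including the exact list of characters the special-character rule accepts.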