Never think you are sooooo on top of your code game…

Within hours of posting of the features in the updated DS106 Bank theme, including using WordPress accounts for organizing content and sharing the link to a demo site, BAM! SPAM!

Not so shiny.

So in the theme options allowing WordPress accounts to be used, I had set it up to put a registration form up to make one’s own account, and set the WordPress option to allow registration.

Then overnight came like 20-some accounts, many from the same domain for baby products, and other obvious non-educator accounts. It dawned on me: IT IS A VERY BAD IDEA TO ALLOW UNMODERATED ACCOUNT CREATION ON SITES WHERE YOU GIVE AUTHORING ACCESS! How did I forget that the openness which begat the web leaves open the opportunistic infestation of SEO-hungry rats?

So quick action. Turn off self registration.

Then update the theme: instead of the button going to a WordPress self registration form, I created a new theme option where a URL could be entered that a Register button should go to (as well as a label, might as well add flexibility while here).

New options for a Register Button Label and link

This way, the button could go to a WordPress page that explains how to get an account or maybe to a form to register. Then a site owner could manage who gets accounts (if done via a system that can generate data exports, the Import Users From CSV With Meta plugin works great to batch create accounts).

Leaving the # in for the link will just make the button spawn a JavaScript alert saying registration is not currently available.

Never underestimate the potential for any open web form to be exploited, even if you think no one is looking at your little site. People out there spend all day looking for web forms to poop in. That is the internet of 2019.
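One way to spot the pattern described above (a burst of new accounts sharing an email domain, all with authoring access) in a user export. This is an added example, not part of the original post or the theme; the CSV column names, the sample rows and the thresholds are assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export; column names are assumed, not a fixed WordPress format.
SAMPLE_CSV = """user_login,user_email,user_registered,role
amy,amy@school.example,2019-11-01 09:00:00,author
bob1,bob1@babyshop.example,2019-11-20 01:02:00,author
bob2,bob2@babyshop.example,2019-11-20 01:09:00,author
bob3,bob3@BabyShop.example,2019-11-20 02:30:00,author
carl,carl@college.example,2019-11-20 03:00:00,subscriber
dana,dana@babyshop.example,2019-11-25 10:00:00,author
"""

AUTHORING_ROLES = {"contributor", "author", "editor", "administrator"}


def flag_signup_bursts(csv_text, window=timedelta(hours=24), threshold=3):
    """Return {domain: [logins]} for email domains with at least `threshold`
    authoring-capable accounts registered inside any single `window`."""
    by_domain = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["role"].strip().lower() not in AUTHORING_ROLES:
            continue  # accounts without authoring access are lower priority
        domain = row["user_email"].rpartition("@")[2].strip().lower()
        when = datetime.strptime(row["user_registered"], "%Y-%m-%d %H:%M:%S")
        by_domain[domain].append((when, row["user_login"]))

    flagged = {}
    for domain, signups in by_domain.items():
        signups.sort()
        start = 0
        hits = set()
        # Sliding window over registrations sorted by time.
        for end in range(len(signups)):
            while signups[end][0] - signups[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits.update(login for _, login in signups[start:end + 1])
        if hits:
            flagged[domain] = sorted(hits)
    return flagged


if __name__ == "__main__":
    for domain, logins in flag_signup_bursts(SAMPLE_CSV).items():
        print(f"review {domain}: {', '.join(logins)}")
```

The flagged logins are candidates for manual review before deletion; a legitimate class signing up together from one school domain would trip the same rule.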

Anyhow, I proudly wear my rookie card.


Featured Image: Some Photoshop mods to Wikimedia Commons image Circus Rookies lobby card 3.jpg claimed as public domain because it’s old and lacks a copyright notice. Good enough for me.

An early 90s builder of web stuff and blogging Alan Levine barks at CogDogBlog.com on web storytelling (#ds106 #4life), photography, bending WordPress, and serendipity in the infinite internet river. He thinks it's weird to write about himself in the third person. And he is 100% into the Fediverse (or tells himself so) Tooting as @cogdog@cosocial.ca

Comments

  1. Good article Alan.

    I’ve been messing my head up with registration stuff since we implemented Tom Woodward’s work late summer. We’ve started using the white/black lists to regulate our self-serve signups and then found that those lists regulated manual user registrations by site/super admins as well (these admins were not all that happy about that).

    I wound up writing some code to fix it and, following in your footsteps (mind you with a fraction of the reach) wrote it. https://troy.trubox.ca/wordpress-whitelist-blacklist-and-the-unit-testing-rabbit-hole/

    There is so much of your writing that is on my read again list and I must thank you for taking the time to write as you do. It quite frankly has enabled me and others to see how problems are solved in WordPress and has proved invaluable along the road to learning.

    t
