
I'm building a membership site using WordPress and a Membership plugin.

The site is still on my localhost. I did some trial sign-ups and it worked perfectly well. But I noticed that I can use even a fake email address such as xyz@gmail.com or something to sign up and create an account. So that's the problem. I don't know how this will work when I move the site to my server.

But do you guys think this is a security hole?

And what can I do about this as a solution?

Paulo Boaventura
Tharindulucky
  • Does it require you to respond to an email before you become a full member? – Charles380 Aug 07 '13 at 20:35
  • I'd get a two-step validation if you want them to verify their email address. – SMacFadyen Aug 07 '13 at 20:36
  • @Charles, thanks for replying. Currently I don't see such a process here. Once a user fills in the registration form (Username, Email, Password), it immediately creates an account and redirects to the account/profile page. And then I check the admin dashboard and I can see a new account has been added. I think it'd be better if a user needed to go to their email account to get login details and then could finish the sign-up process on my site. – Tharindulucky Aug 07 '13 at 20:58
  • @SMacFadyen thanks for replying. Yes, that's a good idea, but I don't know how to do it with this plugin. – Tharindulucky Aug 07 '13 at 21:02
  • Try searching for authentication? http://wordpress.org/plugins/tags/authentication – SMacFadyen Aug 08 '13 at 11:36

1 Answer


Here's what I suggest:

On the registration page, add a field where users need to enter a special code to complete registration, and present the code as an image (or at least as something robots cannot process easily). This will prevent robots from constantly signing up for new accounts with bogus information.

Next, perform basic email validation to make sure the format is correct.

Next, strip the email address the user entered and verify that the domain part is correct. If it is, have your server automatically send an email to the new account holder asking him/her to return to a special section of the site, where he/she enters a special registration code assigned to him/her to complete registration.

Also, to save database space (I'm assuming registration info will be stored in one), ask users to complete registration within a limited time period or they will have to start over. If the time is up, the relevant data can be removed from the database. I suggest setting the time period to at least one day.

If you are unable to do this, then you may need to find a better plugin that has the functionality I described.

And whatever you do, play with the website on localhost and make as few modifications on the live server as possible. This means making all changes at once on localhost if you can, and then uploading everything at once to the live server.
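The flow the answer describes (format check, domain check, an emailed one-time code that expires, and a cleanup job) as an added Python example; this is not code from the question, the answer or any WordPress plugin. The in-memory `PENDING` dict is a constructed stand-in for the plugin's database table, and `mx_lookup` is an assumed DNS helper the caller supplies.

```python
import hashlib
import hmac
import re
import secrets
import time

TOKEN_TTL_SECONDS = 24 * 60 * 60  # the "at least one day" window from the answer
PENDING = {}  # constructed stand-in for the DB table: email -> (sha256 hex of code, expiry timestamp)
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")  # basic format check only

def valid_email_format(addr: str) -> bool:
    return bool(EMAIL_RE.match(addr))

def domain_accepts_mail(addr: str, mx_lookup) -> bool:
    # mx_lookup(domain) -> list of MX hosts is an assumed DNS helper; empty list = domain takes no mail
    domain = addr.rsplit("@", 1)[1].lower()
    return len(mx_lookup(domain)) > 0

def start_registration(addr: str, mx_lookup, now=None):
    """Return the raw one-time code to e-mail the user, or None if rejected; only its hash is stored."""
    now = time.time() if now is None else now
    if not valid_email_format(addr) or not domain_accepts_mail(addr, mx_lookup):
        return None
    token = secrets.token_urlsafe(32)  # 256 bits from the CSPRNG, not guessable
    PENDING[addr.lower()] = (hashlib.sha256(token.encode()).hexdigest(), now + TOKEN_TTL_SECONDS)
    return token

def complete_registration(addr: str, token: str, now=None) -> bool:
    """True when the user returns with the correct, unexpired code; the code is single-use."""
    now = time.time() if now is None else now
    key = addr.lower()
    entry = PENDING.get(key)
    if entry is None:
        return False
    token_hash, expires_at = entry
    if now > expires_at:
        del PENDING[key]  # expired: the user has to start over
        return False
    if not hmac.compare_digest(token_hash, hashlib.sha256(token.encode()).hexdigest()):
        return False  # wrong code: keep the row so the real user can still finish
    del PENDING[key]
    return True

def purge_expired(now=None) -> int:  # the cleanup job the answer suggests; returns rows removed
    now = time.time() if now is None else now
    stale = [k for k, (_, exp) in PENDING.items() if now > exp]
    for k in stale:
        del PENDING[k]
    return len(stale)
```

In a real deployment the `PENDING` row would live in the plugin's database and `mx_lookup` would be a DNS MX query; the code itself is never stored, only its hash.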