Ultimate Members - Users Awaiting E-mail Confirmation can login

Maverick87Shaka
User w
User w
Posts: 7
Joined: Thu Mar 25, 2021 2:14 pm

Ultimate Members - Users Awaiting E-mail Confirmation can login

Post by Maverick87Shaka »

On our website, we've created a some code around the usage of Ultimate Members plugin. It's works great and help us to manage user experience around the website. After this integration, we've add to our website a phpbb forum in the /forum subfodler.

Everything works almost as expected, but we have something like a security breach preventing the BOT activity, since after activating the Wp_w3all plugin, users can login and operate on website and forum without click on verification link.

We've tested using the:
Add users in phpBB only after first successful login in WordPress and Deactivate phpBB user account until WP confirmation but nothing helps to prevent this. users can still login in if this plugin is active.
If we deactivate the WP_w3all plugin, the activation email behavior start to works normally again
User avatar
axew3
w3all User
w3all User
Posts: 2677
Joined: Fri Jan 22, 2016 5:15 pm
Location: Italy
Contact:

Re: Ultimate Members - Users Awaiting E-mail Confirmation can login

Post by axew3 »

Hello!
Everything works almost as expected, but we have something like a security breach preventing the BOT activity, since after activating the Wp_w3all plugin, users can login and operate on website and forum without click on verification link.
So, what happen, the user register into WordPress, then result to be active into phpBB, even with option add into phpBB as deactivated until confirmation? Or it happen because the password is provided/can be choose on registration step, so that the user can login without email confirmation?
Maverick87Shaka
User w
User w
Posts: 7
Joined: Thu Mar 25, 2021 2:14 pm

Re: Ultimate Members - Users Awaiting E-mail Confirmation can login

Post by Maverick87Shaka »

The user register themselves by Ultimate Member form, in the Wordpress dashboard admin can see the new users is in the Awaiting E-mail Confirmation status, but all the new user can LOG IN directly from Wordpress even without click on email activation link. After the first login they can also go on phpbb and make post etc.

If you keep the Add users in phpBB only after first successful login in WordPress option on yes, you can notice that the users it will be present only on Wordpress initially, but can still make the login. And after first login the user has the account "transferred" also to phpbb. All this steps without even open the email with the activation link.
Maverick87Shaka
User w
User w
Posts: 7
Joined: Thu Mar 25, 2021 2:14 pm

Re: Ultimate Members - Users Awaiting E-mail Confirmation can login

Post by Maverick87Shaka »

Any idea on that?
Unfortunately since the website appear to be getting more known by bots agent, the problem is getting more annoying than usual.
We've also moved the registration page from standard /register url to another custom url trying to mitigate the problem, but it takes us safe just for a couple of hours
User avatar
axew3
w3all User
w3all User
Posts: 2677
Joined: Fri Jan 22, 2016 5:15 pm
Location: Italy
Contact:

Re: Ultimate Members - Users Awaiting E-mail Confirmation can login

Post by axew3 »

I will give it a test, in the hope i have understand the flow:
user's register into wp, via Ultimate Member frontend, and they can login even without confirm their email? Is this the problem?
I assume that this is the problem, because they choose their password when they fill the registration form.
This is the problem, isn't it?
Let me know please so i can go in short to fix the issue (i will look by the way if this is the problem but if you confirm it is better to know we are on same line)

[EDITED]
Maverick87Shaka
User w
User w
Posts: 7
Joined: Thu Mar 25, 2021 2:14 pm

Re: Ultimate Members - Users Awaiting E-mail Confirmation can login

Post by Maverick87Shaka »

Yes,
It's the flow to reproduce the problem, just a note it's not the memberpress frontend but the log in form of Ultimate Member ( free plugin version @ https://wordpress.org/plugins/ultimate-member/ )
Post Reply