Hello everyone,
I tried finding a solution to my question, but I cannot find this topic anywhere. It's a serious security problem.
I was testing my ability to register to my forums. The registration email has a link to my admin-reset/set password page instead of the forum's community/password page.
How can I change the registration email to provide a link to the forum instead of my admin-password page?
Thanks
Please set "Yes" the "Replace Reset Password Page URL to Forum Reset Password Page URL" option in Dashboard > Forums > Settings > Features Tab.
I checked my settings and I already set it to "Yes". Registration emails still send links to Wordpress's password page instead of the forum password page.
Then go to Dashboard > Forums > Settings > Emails Tab and make sure these options are set "Yes":
- Overwrite WordPress New User Registration Email for Users
- Overwrite WordPress Reset Password Emails
Then make sure the "Lost Password URL" field of the "Custom Authorization URLs" option is empty in Dashboard > Forums > Settings > Members Tab.
If all is ok, then this is not wpForo issue, some plugin hooks the link generating function and changes it. You should disable other plugins and find the problem maker.
After an hour of testing, I discovered the conflict to be Titan Security's feature to hide my admin-login. I of course need it to secure my access to the site. Do you know of any security plugins that don't clash with WPforo?
After testing other plugins (one at a time) with the same feature to change my admin url, I can determine that Wpforo is the problem. It would be unreasonable to demand every security system to change or to remove a site's security.
With these security plugins, Wpforo is sending the wrong URL in registration emails and is causing a major security risk.
Ok, then you should do either:
1. Set "No" the "Replace Reset Password Page URL to Forum Reset Password Page URL" option in Dashboard > Forums > Settings > Features Tab and check it. if you still see the same link in the email go to Dashboard > Forums > Settings > Emails Tab and set "No" these options:
- Overwrite WordPress New User Registration Email for Users
- Overwrite WordPress Reset Password Emails
OR
2. Disable the "email confirmation" mode of the registration. Make it one-step registration by setting "No" the "Enable User Registration email confirmation" option in Dashboard > Forums > Settings > Features Tab. This will show password fields on the registration form and people can set their passwords with username and email.
Neither of your suggestions are solutions. May technical support fix this plugin?
The issue with 1.
It just doesn't work. It still sends admin-set/reset password link.
The issue with 2.
It will send the admin-set/reset password link if a user requests the system to reset his or her password.
This issue isn't solved. I'm not sure why it's in the title.
Ok. Then I'm really sorry but you should change wpForo user registration form and use another plugin for example: BuddyPress or Ultimate Members. Once you got a new registration/login/reset pass pages you should add those page paths in corresponding fields of Custom Authorization URLs option in Dashboard > Forums > Settings > Members Tab.
May you please provide me with the contact information for WPforo's support for they can fix the plugin? I'm not adding plugins to patch WPforo's errors.
I don't think this is a bug, so there is no fix for this. This is a simple incompatibility with your plugin "Titan Security" plugin. We cannot provide general support fix. This can only be fixed exactly for your website. You should send your website admin login details to support[at]gvectors.com, so we can login and check the incompatibility reasons. In case, if we found that the issue comes from "Titan Security" plugin you'll need to contact them as well.
Please check my previous posts. I mentioned I tried using different plugins with the same security feature. WPforo is the problem. It would be unreasonable to blame multiple security plugins for WPforo's error.
It'll not cause any problem if the options mentioned above are disabled. This is a new case, so try them again. Now all wpForo options are disabled, so this time it'll work.
It means "Titan Security" doesn't work even with other profile plugins. You can disable wpForo and see that this plugin doesn't allow other plugins to change the registration confirmation link. All plugins have no chance to send changed links via email, all links are overwritten by "Titan Security" plugin.
wpForo has not chance to send its own login/reset password link, it'll always be replaced by "Titan Security" plugin, because there are lots of hooks in WordPress registration emails and "Titan Security" uses them. Even BuddyPress and Ultimate Members plugins emails are replaced by "Titan Security", so you should consider find other admin hiding plugin or test other plugin for user registration.
Please check my previous posts. I have disabled Titan Security and tested other plugins with the same feature. I have mentioned this in previous posts. This is becoming very frustrating. I'm only repeating myself at this point.
Hi @blasterman,
Let me explain what's going and why there is point to search support or solution here.
1. First, I want to ask you to deactivate wpForo temporarily and check the new user registration email with the native WordPress user registration form or with other plugin which provide user registration option. You'll see the same result. wpForo has nothing to do with that URL and with this problem. Because all WordPress plugins uses WordPress core user registration system. When you register a new user, it generates password reset URL which MUST refer to WordPress admin system, because the function is located in WordPress admin files not in wpForo or BuddyPress files. As a result, the default URL is this:
https:// example.com /wp-login.php?action=rp&key=UKmkkTcAH2&login=WPDiscuz%20Test
This URL includes the activation key, and it MUST be referred to WordPress admin file or directory to be processed. There is not any file in any plugins that can activate the user and complete this request. That's why when you hide the admin area it still refers to your new e.g. /myx-admin/ folder:
https:// example.com /myx-admin/?action=rp&key=UKmkkTcAH2&login=WPDiscuz%20Test
2. The user activation and reset password link generator is the plugin which hides your admin page, neither wpForo nor BuddyPress has any influence on this. So they have no chance to change it. Even if you use the native WordPress registration form it'll still send the URL with hidden admin folder. So this plugin is designed for websites where the User Registration is turned off.
3. There is only one solution, which is provided by wpForo. You should disable the registration with email confirmation by disabling "Registration with Email Confirmation" option in Dashboard > Forums > Settings > Features Tab. This will add password fields in the registration form and make it one step registration. You can enable reCAPTCHA in Forums > Tools > Antispam Tab to protect the form and install Akismet plugin. It's well integrated with wpForo too.
4. Contact the "Titan Security" plugin support team, and ask them for some suggestion and advice.
@BlasterMan
did you find a workaround for this as I am also having similar issue with WP Cerber security plugin
