Does anyone know of solutions for requiring users to re-login or re-enter their password to view pages?
If you want to write a coded solution I will raise the prize.
For some of my more sensitive pages or functions on the frontend I would like to require the user to enter their password to proceed.
For example:
-To change credit card info
-To change their password
-To update an order status
etc.
For all of those I would like a password requirement to proceed, to stay as secure as possible. Any plugins or solutions for this would be appreciated.
My thought on the code would be a pre-post check on desired pages for some kind of nonce or encoded validation, if not it redirects to a page for current user password input, and on correct submission it redirects to the previous page.
Arnav Joy answers:
See these two plugins:
http://wordpress.org/extend/plugins/exclusive-content-password-protect/
http://wordpress.org/extend/plugins/password-protected/
Kyle comments:
Hi, thanks for the reply
Both of those use a global password. I am looking for something that uses the user's password.
Dbranes answers:
Hi, there is a WordPress function called wp_check_password().
Here is an example to play with, using this function:
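add_action('template_redirect','pwd_check');
function pwd_check(){
    if(is_page('some_page_slug')){
        // get_currentuserinfo() is deprecated; wp_get_current_user() returns the same user object.
        $current_user = wp_get_current_user();
        // The password is checked exactly as submitted: esc_html() would alter
        // characters such as & or < and make valid passwords fail.
        if ( isset($_POST['resubmit'], $_POST['repass_nonce'], $_POST['repassword']) && wp_verify_nonce($_POST['repass_nonce'],'retypepasswd') && $current_user->exists() && wp_check_password( $_POST['repassword'],$current_user->user_pass, $current_user->ID) ){
            // Password confirmed: fall through and let WordPress render the page.
        }else{
            get_header();
            echo "<h1>Please retype your password:</h1>";
            echo "<form action='' method='post'>";
            wp_nonce_field('retypepasswd','repass_nonce');
            echo "Password:<input type='password' name='repassword'>";
            echo "<input type='submit' name='resubmit' value='submit'/>";
            echo "</form>";
            get_footer();
            exit();
        }
    }
}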
Kyle comments:
Thanks for the reply, this is very cool let me see what I can do with this.
Kyle comments:
That worked perfectly, thank you - didn't expect such a neat and quick solution :)
Daniel Yoen answers:
Try this:
http://en.support.wordpress.com/security/two-step-authentication/
http://www.wpbeginner.com/plugins/improve-wordpress-security-with-google-authenticator/
Hope this helps :-)
Daniel Yoen comments:
Just an idea:
1. use a token that is sent via email to confirm
2. create user meta for a 2nd password
I can make this code, but it takes more time. :-)
Kyle comments:
Hi, thanks for the reply
Two step authentication is a good idea for some extra security, thank you. This doesn't solve the problem I'm looking for though, of forcing the user to re-enter a password at certain points.
Vasif Mustafayev answers:
When I worked on one of my projects we did this as follows:
When a user registers we force him to set a pincode which consists of 6 digits, and when he wants to access a secure page we show him a Security Gate which asks the user to type the password and pincode.
I think this is a simple and secure solution for this problem.
Thanks.
Kyle comments:
This would be perfect. Is there a plugin or code snippet that can help with this?
Gabriel Reguly answers:
Hi Kyle,
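Add this code to a page template:
    if( isset( $_GET['my_logout_flag'] ) ) {
        // End the current session, then send the user to the login form.
        wp_logout();
        // wp_login_url() takes the address to return to after login.
        $redirect = 'your-page-slug';
        wp_redirect( wp_login_url( $redirect ) );
        // Stop here so the rest of the template is not rendered after the redirect header.
        exit;
    }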
Regards,
Gabriel
Kyle comments:
Thanks for the reply, I'll give this a shot
Gabriel Reguly comments:
Hi Kyle,
Do you understand that the code is just a starting point, right?
The basic idea is:
1. log out the user;
2. ask for login again, redirecting to the current page after login.
Regards,
Gabriel
Gabriel Reguly comments:
Me again...
Forgot to mention that you should set a flag to make sure the user does not have to log in again.
It could be some session variable, a unique query string or even a transient.
Regards,
Gabriel
daas answers:
Hi, I have created a similar plugin. It uses the PasswordHash class, which is built into WordPress.
Here's the example:
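    // PasswordHash lives in wp-includes/class-phpass.php and is not always loaded.
    require_once ABSPATH . WPINC . '/class-phpass.php';
    // This runs inside the function that validates the submitted form.
    $user_info = get_userdata( get_current_user_id() );
    $wp_hasher = new PasswordHash( 8, TRUE );
    // Avoid an undefined-index notice when the field was not submitted.
    $current_pass = isset( $_POST['cp'] ) ? $_POST['cp'] : '';
    if ($wp_hasher->CheckPassword($current_pass, $user_info->user_pass)) {
        return true;
    }
    return false;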
After checking the password it is possible to store extra data in session.
global $session;
$session->set_flashdata( 'double_auth', 1 );
Flashdata is stored only for the next server request.
Kyle comments:
Awesome, I like it. I will give this a shot and see how I do. If I need some help I'll raise the prize and come back
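The pieces suggested in this thread fit together as follows: the wp_check_password() prompt from Dbranes's answer plus the short-lived flag Gabriel Reguly mentions (here a transient), so the user is asked once and then returned to the page. This is an added example, not code from any of the posters; the reauth_* names, the page slugs and the 5-minute window are assumptions.

```php
<?php
// Added example. The reauth_* names, page slugs and 5-minute window are assumptions.
define( 'REAUTH_TTL', 300 ); // seconds a successful password re-entry stays valid

// Key the flag to the user AND the current login session, so a new
// login session has to confirm the password again.
function reauth_key() {
	return 'reauth_' . wp_hash( get_current_user_id() . '|' . wp_get_session_token() );
}

add_action( 'template_redirect', 'reauth_gate' );
function reauth_gate() {
	if ( ! is_page( array( 'change-card', 'change-password' ) ) ) {
		return; // not a protected page
	}
	if ( ! is_user_logged_in() ) {
		auth_redirect(); // ordinary login first; this call exits
	}
	if ( get_transient( reauth_key() ) ) {
		return; // password re-entered recently in this session
	}

	$user  = wp_get_current_user();
	$tried = isset( $_POST['repass_nonce'], $_POST['repassword'] );
	if ( $tried
		&& wp_verify_nonce( $_POST['repass_nonce'], 'retypepasswd' )
		// Password is passed as submitted: escaping it would change what is hashed.
		&& wp_check_password( $_POST['repassword'], $user->user_pass, $user->ID )
	) {
		set_transient( reauth_key(), 1, REAUTH_TTL );
		// POST/redirect/GET so a page refresh does not resubmit the password.
		wp_safe_redirect( get_permalink( get_queried_object_id() ) );
		exit;
	}

	nocache_headers(); // keep the prompt out of browser and proxy caches
	get_header();
	echo '<h1>Please retype your password:</h1>';
	if ( $tried ) {
		echo '<p>Password check failed, please try again.</p>';
	}
	echo '<form action="" method="post">';
	wp_nonce_field( 'retypepasswd', 'repass_nonce' );
	echo 'Password: <input type="password" name="repassword" autocomplete="current-password">';
	echo '<input type="submit" name="resubmit" value="Submit">';
	echo '</form>';
	get_footer();
	exit;
}
```

This gates only the rendering of the page. Whatever code actually processes the card, password or order change should make the same get_transient( reauth_key() ) check before acting.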