About modifiedcontent

  1. Thanks bernhard and Juergen. I have implemented a very basic version of a honeypot. It has so far cut the dumb "hack" attacks to zero. There are plenty of ways to make the honeypots more difficult to pass. Great approach. Happy I don't have to resort to captchas etc.

     Turned autofill off as follows, also prevented tabbing to the hidden field:

     <input name=some_name class=some_class value='' tabindex='-1' autocomplete=off>

     Hidden via css; dozens of options to do that, make it harder for bots to figure out. Then in the process:

     if($input->post->some_name) { ... foad ...}

     I couldn't figure out Juergen's "Honeypot class" - still confused about composer, should I use it? - but see it also checks for minFormCompletionTime. Bots fill out forms inhumanly fast. That is another way to recognize them and block them.
  2. I have my own register-login-profile/account page system. I know that Ryan recently released an official module for this, but there may be an advantage to having my own custom solution. Anyway, it seems to work well.

     But, I have been getting annoying Russian hack attempt accounts, mostly as 'guests' that don't bother to use the activation link. Most if not all of these accounts have this in the name field:

     No Subscription Detected Not Recognized

     ...which makes them relatively easy to filter out from real name accounts. Where do these "strings" come from? I can't find them in Processwire's source. Are the hackers using some kind of tool that inserts these for some reason? Or is it a PHP thing? Does anyone recognize them? Does it mean they are using some kind of backdoor instead of the registration form?

     In general, what are the best practices to secure my registration form, prevent spam accounts, etc.? I'll start with adding a check to block IP addresses that try to register with 'Not Recognized' etc. in the name field I guess.
  3. Thanks adrian. Your module has been very effective in deleting users; I wouldn't mess with it too much. The spam/hack accounts usually have some string in a name field in common that allows me to select them as batch. It would be nice if some kind of batch delete was built in to Lister. And I am curious how 'using the API' would work for something like this; write a function and somehow add it to admin? Thanks for the code suggestion fbg13. I am mostly confused about where you would put this. In a template file? A setting page in the admin area? Would it have to be a module? And I have to figure out how to prevent bogus guest accounts. Could you make unverified guest accounts self-delete after 3 days?
  4. Thanks dragan. But how would you use the API for something like this? Write a function? And add it to the admin area somehow?
  5. Thanks! Where could I find user creation date? Lister only gives very imprecise 'three months ago' etc. It would help if you could delete by role, like delete all 'guests' who are not 'member' or 'superuser'. Are there any plans to build batch management of users into the core? Or make it easier? How would batch deleting users by 'using the API' work?
  6. I was looking for this for this use case:

     home
     - news (news template)
     - - local (news template)
     - - - news item 1 (post template)
     - - - news item 2 (post template)
     - - - news item 3 (post template)

     Posts under 'local' should use the 'post' template; 'news' template should not be allowed as an option. kixe's solution looked promising, but disables any new child page creation. Is there a way to limit the number of page levels by template - still allowing new pages with another template? Or is there a way to set a default child template at the page level?

     Edit: Or is the way to do this to temporarily allow 'news' to be used as child template, create those subsections, then lock those pages and allow only 'post' template to be used for next levels? Changing the allowed template settings doesn't seem to affect previously created pages, which would be good. They stay on the selected template. Correct? Is that how it works? And/or you create the sections and subsections on the 'news' template and then set 'Can this template be used for new pages' to 'no'? Or can you control the template options via access control? What is the difference between 'create pages' and 'add children' in access settings on the template?
  7. I have 100+ spam/Russian user accounts on a semi-test site. Is deleting them one by one the only option? Is there no way to select a whole page of spam user accounts and batch delete them?
  8. I am trying to install Processwire + an exported custom profile and keep getting this error: Does anyone recognize this? What could cause this? I have installed Processwire + exported profiles many times before, never had problems. I have reuploaded fresh downloads for this, both regular master and dev, but keep getting the same thing. I am probably doing something dumb. Probably not a structural PW issue. I am out of ideas, so any feedback appreciated. Edit: Finally got something to install using the standard blank profile, instead of an exported profile. I am now manually reconstructing my custom site, using the new import/export functions - hit or miss so far. Did those break the ProcessProfileExport module?
  9. rick, yeah, well, you know, that's just, like, your opinion, man. Leaving out quotes where they are not necessary is following the html specs by the letter and makes the html a lot cleaner and easier to read than the common quotes within double-quotes within single quotes mess - my text editor gives the classes and ids their own fun colors. So I guess something in PW somehow interpreted 'new password (confirm)' as code that it has to do something with, instead of plain placeholder text? That bit was inside quotes btw.
  10. fbg13, nothing wrong with the missing quotes. That is valid html and does not explain where the "/processwire/" insert comes from.
  11. I have a simple front-end password update form like this: In the browser the label of the second field shows up as follows: WTH?! I can't figure out what is changing the label, what is inserting /processwire/ and reformatting the thing. Is this something in PW? A "helpful" thing that browsers do? Edit: The problem disappears if I simply rename the second field to 'Confirm Password'. So my problem is solved, but I'll leave this here in case this is some kind of bug.
  12. Thanks Alxndre' This seems to work: If anyone can spot mistakes or knows a better way, let me know.
  13. I am trying to rewrite Soma's suggestion here to export fields from the users database to a csv file, with variations like this: $array = $users->explode(function($item){ ...etc. And $array = $users->find('start=0')->explode(function($item){ ... But keep getting 'Call to a member function ... on a non-object' errors. I guess $users is the non-object? I am trying to use this within a function, that is called with a button click. Is $users not available within a function? I see there are new export/import features coming up - great! - but it is all about $pages. Should $users work the exact same way? This works as demo starting point. Now I just have to replace the $list with something from $users:
  14. How do you get the same 'set password' form/input fields on the front-end as in the admin area? I have a working front-end version, but the admin version has some nifty stuff around it. Should be easy to get the same on the front-end, right?
  15. I am not 100% sure if or to what degree my issue is related. Apologies if this turns out to be thread hijacking: I get logged out constantly at certain wifi locations; '_The Cloud' wifi point that many pubs in London have and, I think, all similar public wifi systems that open a browser where you have to leave your email or click on a connect button if you are a returning customer. Does that sound familiar to anyone? Is there a way to make my PW sites work at these locations? Is the solution somewhere in the previous posts here? I have trouble following the thread. 'Enabling SessionHandlerDatabase should instantly get rid of the problem'? How would I do that? 'session fingerprint config setting'?
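
An added example, not code from any of the posts above and not Juergen's Honeypot class: the honeypot field from post 1 combined with the minimum-completion-time idea mentioned there, in plain PHP with a MAC-protected render timestamp so a client cannot forge or omit the timing. The field name `some_name` comes from the post; `form_token`, `FORM_SECRET`, `issue_form_token()`, `classify_submission()` and the thresholds are assumptions.

```php
<?php
// Added example. FORM_SECRET, function names and thresholds are assumptions.
const FORM_SECRET = 'replace-with-a-random-server-side-secret';
const MIN_SECONDS = 3;      // humans rarely finish a form faster than this
const MAX_SECONDS = 3600;   // stale tokens are rejected too

// Called when rendering the form: returns "timestamp.hmac" for a hidden field.
function issue_form_token(int $now): string {
    return $now . '.' . hash_hmac('sha256', (string) $now, FORM_SECRET);
}

// Returns null for a plausible human submission, or the reason it was rejected.
function classify_submission(array $post, int $now): ?string {
    // 1. Honeypot: the CSS-hidden field must come back empty.
    if (trim((string) ($post['some_name'] ?? '')) !== '') {
        return 'honeypot filled';
    }
    // 2. Token must be present and carry a valid MAC, so the render time
    //    cannot be forged or left out by the client.
    $parts = explode('.', (string) ($post['form_token'] ?? ''), 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return 'token missing or malformed';
    }
    [$issued, $mac] = $parts;
    if (!hash_equals(hash_hmac('sha256', $issued, FORM_SECRET), $mac)) {
        return 'token forged';
    }
    // 3. Timing: too fast looks automated, too old looks replayed.
    $elapsed = $now - (int) $issued;
    if ($elapsed < MIN_SECONDS) {
        return 'submitted too fast';
    }
    if ($elapsed > MAX_SECONDS) {
        return 'token expired';
    }
    return null;
}

// Constructed sample submissions (not real traffic).
$rendered = 1700000000;
$token = issue_form_token($rendered);
$samples = [
    'human'        => [['some_name' => '',  'form_token' => $token],  $rendered + 25],
    'fills hidden' => [['some_name' => 'x', 'form_token' => $token],  $rendered + 25],
    'instant post' => [['some_name' => '',  'form_token' => $token],  $rendered + 1],
    'forged time'  => [['some_name' => '',  'form_token' => '1.abc'], $rendered + 25],
];
foreach ($samples as $label => [$post, $now]) {
    printf("%-13s %s\n", $label, classify_submission($post, $now) ?? 'accepted');
}
```

A valid token can be resubmitted until it expires; recording used tokens server-side (for example in the session) closes that gap.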