Recently Browsing 0 members
No registered users viewing this page.
I'm new to PW and like it a lot so far. With most WordPress and Drupal websites there are frequent updates to core & plugins, some of these are security released so I tend to install any updates ASAP. When supporting many websites this update fatigue is pretty tiresome.
What is your update strategy when maintaining PW sites? Would be interested to hear if you think it is valid to perhaps do a quarterly update or perhaps only even update yearly if there are no security announcements?
Also just to clarify, if there a security mailing list we should subscribe to just in case an urgent fix is ever released?
I posted a question on Stack and as yet not got an anwser that is something novel. I'm interested to know if this worries anyone else and whether we can do something about it.
So here goes:
If a user logins to your online sevice, let's say a job posting site, they give you an email and password to access your service later... Lets say a malicous person with access to the server could write into the template to store the passwords as plain text somewhere. Given that people generally don't use a new password for each website, now that malicious person has the potential to access other online services using these details (where there isn't any secondly security like 2-factor).
Is there anything we can do to battle this? In an ideal world, maybe setting up a zero-knowledge algorithm to log people in and out...
food for thought
I'm building a module to keep a user logged in until manual logout. I know about Login Persist, but this one stopped working for me a while ago and it might not even be compatible with pw3 (haven't tested this) as it's not being updated for 3 years
Anyways, the module works, and now I want to secure user edit screens namely ProcessPageEdit (any user template, as there might be multiple) and ProcessProfile
by requiring the current password.. I know how to add the additional input (added by hooking into ProcessProfile::execute and ProcessPageEdit::buildForm or Page::render) but I don't know how to intercept the saving and canceling the save if password doesn't match
I thought about emptying $input->post (don't even know if this works?) if not valid but would be nice not to loose the changed data but instead just notify user about a wrong password..
would love to get some thoughts and input on this