
I would like to edit my PHP registration form on my WordPress site so that all new users have the following:

  1. They only enter their email address (user_email) on the registration form, and this field is duplicated and used/entered as their username (user_login)
  2. The same identical password is assigned to all new users. Literally a password of "password" could be pre-entered on the form.

I know this sounds like a huge security mess, but for my particular site, it's fine since I don't use WordPress as a typical blog, and instead just need it for CMS and my newsletter. New users can do nothing. Comments are not allowed, and they are defaulted as "Subscribers" anyway.

The only reason I want them to register/login at all is so that I can have:

  A. Conditional menus that will change based on those who are 'logged in' and those who are not.
  B. User registration so I can have users sign up for my email newsletter and register all at the same time by simply entering their email address in a single registration email field.

The default identical password is only established because for my site needs, the login is only for conditional menus. Thus, if someone logs out, I want the login menu to have the password field pre-enter the default "password" so that users don't even need to remember anything besides their email address.

I'm using the standard WordPress form:

<form name="registerform" id="registerform" action="<?php echo esc_url( site_url('wp-login.php?action=register', 'login_post') ); ?>" method="post">
<p>
    <label for="user_login"><?php _e('Username') ?><br />
    <input type="text" name="user_login" id="user_login" class="input" value="<?php echo esc_attr(wp_unslash($user_login)); ?>" size="20" /></label>
</p>
<p>
    <label for="user_email"><?php _e('E-mail') ?><br />
    <input type="text" name="user_email" id="user_email" class="input" value="<?php echo esc_attr(wp_unslash($user_email)); ?>" size="25" /></label>
</p>
<?php
/**
 * Fires following the 'E-mail' field in the user registration form.
 *
 * @since 2.1.0
 */
do_action( 'register_form' );
?>
<p id="reg_passmail"><?php _e('A password will be e-mailed to you.') ?></p>
<br class="clear" />
<input type="hidden" name="redirect_to" value="<?php echo esc_attr( $redirect_to ); ?>" />
<p class="submit"><input type="submit" name="wp-submit" id="wp-submit" class="button button-primary button-large" value="<?php esc_attr_e('Register'); ?>" /></p>
</form>

I guess an alternate option is just to hack the wordpress_logged_in_[hash] cookie so that when users visit, click "login" and enter their email address, it really just adds them to my newsletter and then sets a cookie as if they are logged in. Either way works, so any help is appreciated, thanks.

I'm a bit new to this, so any help is appreciated, thanks.

1 Answer


Please understand I'm only trying to help you, both as an individual who will, without a doubt, be the target of an attack one day and as a developer, and lastly, of course, to enlighten future users looking for quick tricks and easy hacks.

This is a terrible idea on so many fronts; allow me to expand on this. First and foremost, WordPress is the most commonly used content management system in the world. For every 100 persons on this planet, there is 1 WordPress installation.

Furthermore, there are hundreds of thousands of infected WordPress websites on servers all across the globe that participate in zombie attacks. These websites are remotely controlled through infectious scripts uploaded through easily guessed FTP passwords, out-of-date WP installations with known vulnerabilities, and my personal favorite, poorly built forms. The "This page has been reported as an attack page" warning exists for a reason: because of how common malicious websites are.

The purpose of these bots is to test the security and integrity of your website. The 2 simplest ways to get information about a site that you want to attack all occur within 1 page request.

  • Parse and evaluate the header response from a GET request. You can get the PHP version (4.x, 5.x), server type and version (Apache, nginx), CORS headers (origin allowance), and a whole host of other information that is generally available in a typical page request.

  • Scrape the DOM for incredibly common string patterns; for instance, wp-, /templates/system/, /sites/default/. This is essentially saying, "Let's find WordPress, Joomla, or Drupal!"

By now, the bot has a complete understanding of the target and whether to proceed or not waste its time and move on. Once it decides to execute, it will flag a remote server (also likely an infected server), which pings other remote scripts to tell them to focus their attacks.

Now this isn't some movie, this is every day, 24/7/365, these bots do not rest. Once you're behind the game, it's going to hurt. When you're infected, they come back. Once they're removed and they can't ping the script anymore, they'll come back and try again, and again.

You may think to yourself, "But I've had 3 WordPress sites up for 2 years, I've never had any issues!" This may be true, and it may not be now, it may not be tomorrow, but it will happen, I can promise you this.

So please, rethink the method you've chosen for this. When it comes to server-side code execution (especially that which requires parsing user-inputted data), think security first.

Side note

If you ask another / edit this question to request assistance with a more secure method, I will edit this post and address your request in fairness.
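Since the answer offers to address a more secure method, here is an added example (not code from the question or the answer) of the one safe half of the original request: the e-mail address is copied into the username server-side so visitors only type an address, while WordPress's default random-password flow is kept instead of a shared password. The hook names are core WordPress hooks; the behaviour of the login flow described in the comments is assumed to match the stock wp-login.php registration handler.

```php
<?php
/**
 * Added example: e-mail-as-username registration without a shared password.
 * Place in a small plugin or the theme's functions.php (assumption: a stock
 * wp-login.php?action=register flow as in the form posted above).
 */

// 1. login_form_register fires before wp-login.php reads the POSTed
//    fields, so copying the address into user_login here means the
//    visitor never has to fill in a separate username box.
add_action( 'login_form_register', function () {
    if ( isset( $_POST['user_email'] ) && is_string( $_POST['user_email'] ) ) {
        $_POST['user_login'] = $_POST['user_email'];
    }
} );

// 2. Reject anything that is not a well-formed address before the
//    account is created. Caveat: WordPress's strict username check only
//    allows [a-z0-9 _.-@], so an address with a '+' tag will be refused
//    by core as an invalid username; this surfaces that clearly.
add_filter( 'registration_errors', function ( WP_Error $errors, $sanitized_user_login, $user_email ) {
    if ( ! is_email( $user_email ) ) {
        $errors->add( 'invalid_email', __( 'Please enter a valid e-mail address.' ) );
    } elseif ( $sanitized_user_login !== $user_email ) {
        $errors->add( 'unsupported_email',
            __( 'This address contains characters that cannot be used as a username.' ) );
    }
    return $errors;
}, 10, 3 );

// 3. Hide the username paragraph of the core form with CSS instead of
//    removing the field, so the form still submits both inputs and the
//    server-side copy in step 1 fills the username.
add_action( 'login_head', function () {
    if ( isset( $_GET['action'] ) && 'register' === $_GET['action'] ) {
        echo '<style>#registerform p:first-of-type { display: none; }</style>';
    }
} );

// 4. Deliberately nothing here for the password: core generates a random
//    one per user and e-mails a set-password link, which already gives the
//    "only remember your e-mail" experience without a shared secret.
```

New accounts still receive the default role (Subscriber on a stock install), so the conditional-menu use case works unchanged with `is_user_logged_in()`.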