Plugin Review: Profile Builder

First off, let me link to the WordPress plugin page for Profile Builder.
You can find all the documentation there, but if you still want to know how I use it, then please read on.

Now a list of the key features of this plugin:

  • *Minimum password length/strength
  • *Enable/disable user login with email and/or username
  • *Content restriction
  • User Role editor
  • Email Confirm on new user registration
  • Show/hide the admin bar by user role
  • Profile Form Field Editor
  • Shortcodes

You may have noticed that I placed an asterisk by a few features; these are the ones that I use most often. That doesn't mean they are the best or anything, just that they are probably the features that help out with the most types of websites (i.e. not every website needs user role editing).

Minimum Password Length and Strength

Adding a minimum length is probably the single greatest password parameter you can enforce to strengthen the security of a website without running head on into AviD's Rule of Usability: "Security at the expense of usability, comes at the expense of security." That is, once you enforce rules that the user does not like, they will begin to shoot themselves in the foot by inventing the stupidest ways of technically following the rules. Of all the rules you could impose, a minimum length is the one least likely to provoke that behaviour. That being said, I know that some users, when told to write a 12 character password, will still simply write "Password1234". That would be a problem, but the plugin also includes a minimum password strength setting, and it uses the built-in WP password strength meter, which does not rely on such harsh rules. Keep in mind that the meter itself is JavaScript running in the browser: whatever enforces the minimum has to check again on the server, because a meter alone is bypassed by anyone who edits the form.

The built-in WP password strength meter uses the "zxcvbn" library to estimate the complexity of a password without hard rules like "capital, lowercase, number, and special character; can't start with a number; can't contain a dictionary word; can't be any of the last 10 passwords used; can't have the same letter 3 times in a row; can't contain any portion of your username; etc."

Instead, zxcvbn does something similar to what an attacker would do when cracking a password: it keeps a list of common passwords and common patterns, such as leet-speak substitutions and a single special character tacked onto the end of the password, and estimates how many guesses it would take to reach yours. So with the password strength setting at medium, that should find a happy medium (see what I did there) so the users aren't annoyed by all the previously mentioned password rules.
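To make the difference concrete, here is an added example (my own illustration, not code from WordPress, zxcvbn or Profile Builder) that puts a composition-rule checker next to a cut-down zxcvbn-style estimator. The ranked word list, leet table and multipliers are constructed stand-ins for zxcvbn's real tables; the 0-4 bucketing uses zxcvbn's published guess thresholds, and the assumption that score 3 is what WP's meter labels "Medium" is mine.

```python
"""Composition rules versus zxcvbn-style pattern matching.
Added example, not WordPress or Profile Builder code. The ranked list, leet table and
multipliers are constructed stand-ins for zxcvbn's real tables; the 0-4 bucketing
mirrors zxcvbn's guess thresholds."""
import re

# Constructed mini ranked list; zxcvbn ships tens of thousands of ranked entries.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "welcome",
                    "admin", "dragon", "monkey", "football", "iloveyou"]
RANK = {w: i + 1 for i, w in enumerate(COMMON_PASSWORDS)}        # rank 1 = most common
# A few substitutions an attacker's wordlist rules would undo.
LEET = {"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "!": "i"}
SYMBOLS = 33                                                       # printable ASCII punctuation


def composition_rules_ok(pw: str, min_len: int = 8) -> bool:
    """The 'harsh rules' approach: minimum length plus all four character classes."""
    classes = [r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]"]
    return len(pw) >= min_len and all(re.search(c, pw) for c in classes)


def brute_force_guesses(pw: str) -> float:
    """Work for an attacker with no better idea than exhausting the character set."""
    space = sum(size for pattern, size in
                ((r"[a-z]", 26), (r"[A-Z]", 26), (r"\d", 10), (r"[^A-Za-z0-9]", SYMBOLS))
                if re.search(pattern, pw))
    return float(space) ** len(pw)


def pattern_guesses(pw: str) -> float:
    """zxcvbn-style estimate: peel off trailing symbols and digits, undo leet
    substitutions and capitalisation, then look the core up in the ranked list."""
    core, multiplier = pw, 1.0
    m = re.search(r"[^A-Za-z0-9]+$", core)          # e.g. the "!" in "P@ssw0rd!"
    if m:
        multiplier *= SYMBOLS ** len(m.group())
        core = core[: m.start()]
    m = re.search(r"\d+$", core)                     # e.g. the "1234" in "Password1234"
    if m:
        multiplier *= 10 ** len(m.group())
        core = core[: m.start()]
    substitutions = sum(1 for c in core if c in LEET)
    unleeted = "".join(LEET.get(c, c) for c in core)
    multiplier *= 2 ** substitutions                 # each leet position is tried both ways
    if unleeted != unleeted.lower():
        multiplier *= 2                              # one capitalisation variant
    rank = RANK.get(unleeted.lower())
    if rank is None:                                 # no dictionary core: fall back to brute force
        return brute_force_guesses(pw)
    return min(rank * multiplier, brute_force_guesses(pw))


def strength_score(pw: str) -> int:
    """Bucket the guess count into zxcvbn's 0-4 scale (thresholds 1e3, 1e6, 1e8, 1e10)."""
    guesses = pattern_guesses(pw)
    for score, limit in enumerate((1e3, 1e6, 1e8, 1e10)):
        if guesses < limit:
            return score
    return 4


def meets_policy(pw: str, min_len: int = 12, min_score: int = 3) -> bool:
    """Both of the plugin's knobs at once: minimum length and minimum strength.
    Assumption: score 3 is the 'Medium' reading on WP's meter."""
    return len(pw) >= min_len and strength_score(pw) >= min_score


if __name__ == "__main__":
    for candidate in ("P@ssw0rd!", "Password1234", "xk7#Tq9mLp2v"):
        print(f"{candidate:16} rules={composition_rules_ok(candidate)!s:5} "
              f"score={strength_score(candidate)} policy={meets_policy(candidate)}")
```

The point the two functions make is the one in the paragraph above: "P@ssw0rd!" satisfies every composition rule yet sits at the bottom of the pattern-based scale, while "Password1234" clears a 12 character minimum and still fails the strength check. The toy only matches a single dictionary word, so it would overrate a concatenation of several words; real zxcvbn matches sequences of tokens, which is exactly why it is worth using instead of writing your own.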

Enable user login with username and/or email

WordPress has evolved a lot over the years, and one thing I think should evolve with it is the end of the username in favor of simply using an email address to log in. That's how you log in to everything else, isn't it? I understand having a username or a nickname for display purposes, but that doesn't need to be the thing you use to actually log in. Disabling username login also adds some level of security to a WordPress website, because usernames are by design not kept secret. There are plugins that block username enumeration, but by default this information is easily available to even very low-level hackers or script kiddies. Profile Builder gives us a simple solution by allowing users to log in with their email only, and not with their username. Keep the gain in proportion, though: an email address can be harvested or guessed too, and email-only login does nothing against password guessing on its own, so it belongs alongside rate limiting rather than instead of it. The only downside to the way they implement this is that the login form still carries the instruction to log in with a username or email.

For this I have a somewhat brute-force solution:

/**
 * Custom login form/page
 */
if ( ! function_exists( 'version_7_login_head' ) ) :
function version_7_login_head()
{
    /**
     * Changes 'Username' to 'Email Address' on the wp-admin login form
     * and the forgotten password form. The three source strings cover
     * the labels used by different WordPress versions.
     */
    if ( ! function_exists( 'version_7_username_label' ) ) :
    function version_7_username_label( $translated_text, $text, $domain )
    {
        if ( 'Username or E-mail:' === $text || 'Username' === $text || 'Username or Email Address' === $text )
        {
            $translated_text = __( 'Email Address', 'version_7' );
        }
        return $translated_text;
    }
    // gettext passes ( translation, text, domain ); ngettext passes
    // ( translation, single, plural, number, domain ), so with three
    // accepted args the callback compares against the singular form.
    add_filter( 'gettext', 'version_7_username_label', 20, 3 );
    add_filter( 'ngettext', 'version_7_username_label', 20, 3 );
    endif;
}
add_action( 'login_head', 'version_7_login_head' );
endif;

Yes, this is not elegant. It is a function inside a function, but that's a very simple way of forcing it to only be included on the login page instead of running the filter everywhere on the entire website. I know that once the outer function is called the inner function will be in the global scope; however, this will only happen on the login page (the only page that calls the outer function), and that's exactly what I want to happen.

You may want this simple text-changing function to run on every page, though, if you are using one of the shortcodes below that lets you place the login form anywhere you want instead of only on the WP default login page.
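Before deciding how much email-only login buys you, it is worth checking whether the site actually hands out usernames through the two stock enumeration paths alluded to above: the /?author=N canonical redirect and the public REST users endpoint. The following is an added example of mine, not Profile Builder code; the redirect and JSON it parses in the test are constructed samples, example.com is a placeholder, and the live probe should only be pointed at a site you are authorised to test.

```python
"""Check whether a WordPress site still hands out usernames through its two stock
enumeration paths. Added example; not Profile Builder code. Sample inputs are constructed."""
import json
import re
import urllib.request
from typing import Dict, List, Optional
from urllib.error import HTTPError, URLError


def username_from_author_redirect(location: Optional[str]) -> Optional[str]:
    """/?author=N on a stock install 301-redirects to /author/<user_nicename>/.
    user_nicename is derived from the login name, so it usually is the login name."""
    if not location:
        return None
    m = re.search(r"/author/([^/?#]+)", location)
    return m.group(1) if m else None


def usernames_from_rest_users(body: str) -> List[str]:
    """/wp-json/wp/v2/users is readable without authentication and lists users who have
    published posts; the 'slug' field is the user_nicename."""
    try:
        users = json.loads(body)
    except json.JSONDecodeError:
        return []
    if not isinstance(users, list):
        return []
    return [u["slug"] for u in users if isinstance(u, dict) and isinstance(u.get("slug"), str)]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib following the redirect so the Location header can be read directly."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe_site(base_url: str, max_author_id: int = 3) -> Dict[str, List[str]]:
    """Live probe (needs network); only run it against a site you are authorised to test."""
    base = base_url.rstrip("/")
    opener = urllib.request.build_opener(_NoRedirect)
    found: Dict[str, List[str]] = {"author_redirect": [], "rest_users": []}
    for author_id in range(1, max_author_id + 1):
        location = None
        try:
            with opener.open(f"{base}/?author={author_id}", timeout=10) as resp:
                location = resp.headers.get("Location")
        except HTTPError as err:            # urllib raises on the 301 once redirects are disabled
            location = err.headers.get("Location")
        except URLError:
            break
        name = username_from_author_redirect(location)
        if name and name not in found["author_redirect"]:
            found["author_redirect"].append(name)
    try:
        with opener.open(f"{base}/wp-json/wp/v2/users", timeout=10) as resp:
            found["rest_users"] = usernames_from_rest_users(resp.read().decode("utf-8", "replace"))
    except (HTTPError, URLError):
        pass                                # a 401/404 here means the endpoint is blocked or absent
    return found


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "https://example.com"  # placeholder host
    print(probe_site(target))
```

If either list comes back non-empty, the usernames were never secret, which is the premise of switching to email-only login; the fix for the leak itself is one of the enumeration-blocking plugins mentioned above or a redirect rule in front of WordPress, not anything Profile Builder does.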

Content Restriction

This is a nice feature. It works on an individual post or page basis. You can restrict a single post or page to users by role and by login status. There is a default setting for the action taken when a post is restricted, and this can be overridden on an individual post if desired. The available actions are to redirect to a given URL or to simply show a message in place of the post content.

Very simple to use, although it may not be as robust as some dedicated alternatives. You can disable the entire feature in the event that you want to go with a bigger, dedicated plugin.

User Role Editor

This feature allows you to add and edit user roles. Fairly self-explanatory. I would recommend against editing the stock WP roles and instead creating new roles if needed, since core and other plugins assume the default roles still carry their default capabilities. This pairs quite well with the content restriction feature, since you can restrict content by user role. After reading the changelog I found that the role editor came first, then the content restriction feature shortly after.

Email Confirmation on User Registration

Sending out a confirmation email when a new user registers is a good way to ensure that they have entered a real email address. This not only catches simple typos by legitimate users, but also helps against bots flooding your registration form. Anyone who does not confirm their address within some amount of time can safely be removed from your website. I personally give it a couple or a few days, just in case any legitimate users are slow to check their email. If you are noticing too many bots or other fraudulent registrations, I would look into further measures like Google reCAPTCHA on the registration page (something you are already doing, right?).
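For anyone who wants to see what the mechanism behind such a feature looks like, here is an added example of mine (not Profile Builder's implementation; the plugin's internals are not described on this page). It issues an HMAC-signed, time-limited confirmation token bound to a user id and address, verifies it in constant time, and purges accounts that never confirmed within the grace period. The secret, the three-day TTL and the in-memory user store are assumptions for the example.

```python
"""Time-limited e-mail confirmation tokens and a purge of unconfirmed accounts.
Added example, not Profile Builder's implementation; the secret, TTL and the
in-memory user store are assumptions made for illustration."""
import hashlib
import hmac
from typing import Dict, List, Optional

SECRET = b"replace-with-a-long-random-server-side-secret"   # assumption: loaded from config, never sent to users
TOKEN_TTL = 3 * 24 * 3600                                    # three days, the grace period suggested in the post


def make_token(user_id: int, email: str, issued_at: int, secret: bytes = SECRET) -> str:
    """Token layout: user_id.issued_at.mac. The MAC binds the token to this user,
    this (case-folded) address and this issue time, so none of them can be swapped."""
    msg = f"{user_id}|{email.lower()}|{issued_at}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{user_id}.{issued_at}.{mac}"


def verify_token(token: str, email_on_file: str, now: int,
                 secret: bytes = SECRET, ttl: int = TOKEN_TTL) -> Optional[int]:
    """Return the confirmed user_id, or None if the token is malformed, expired,
    issued for a different address, or forged."""
    try:
        uid_s, ts_s, mac = token.split(".")
        user_id, issued_at = int(uid_s), int(ts_s)
    except ValueError:
        return None
    if issued_at > now or now - issued_at > ttl:     # future-dated or past the grace period
        return None
    expected = make_token(user_id, email_on_file, issued_at, secret).rsplit(".", 1)[1]
    if not hmac.compare_digest(mac, expected):       # constant-time comparison
        return None
    return user_id


def purge_unconfirmed(users: Dict[int, dict], now: int, grace: int = TOKEN_TTL) -> List[int]:
    """Delete accounts that never confirmed within the grace period; returns the removed ids."""
    stale = [uid for uid, u in users.items()
             if not u["confirmed"] and now - u["registered_at"] > grace]
    for uid in stale:
        del users[uid]
    return stale


if __name__ == "__main__":
    t0 = 1_700_000_000                                       # constructed timestamp
    token = make_token(7, "Alice@Example.com", t0)
    print("fresh token ->", verify_token(token, "alice@example.com", t0 + 3600))
    print("expired token ->", verify_token(token, "alice@example.com", t0 + TOKEN_TTL + 1))
```

The design choice worth copying is that the token carries no secret of its own: the server only needs the key and the user record, so nothing has to be stored per token, and the expiry is enforced by the signed timestamp rather than by a database flag that a background job might forget to clear.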

Show/Hide Admin Bar by User Role

At first glance this doesn't seem to be very useful, but if you have created any custom user roles then this becomes a necessity. Are your custom user roles meant to see the WP admin bar or not? You decide. Keep in mind that hiding the bar is cosmetic: it removes the toolbar, but it does not by itself stop a role from loading /wp-admin, which is governed by the role's capabilities.

Profile Form Field Editor

If you have users logging in, they will be using the profile editor. By default WordPress includes some odd fields, some of which have been removed over time. But depending on what your website does, your users may or may not have a use for all the available fields, like a user bio or their own website URL. You can add, edit, remove and re-order these fields. Be aware that some of them are indeed required in order to have a working account, and you should not be removing those.

Shortcodes

Place a login form basically anywhere on any post or page:

  [wppb-login]

Place a registration form on any post or page:

  [wppb-register]

Place a profile form on any post or page:

  [wppb-edit-profile]

Conclusion

The three things I most frequently use from this plugin are the password settings, login with email, and sometimes the content restriction. Basically I use this as a security plugin. The security features present here are (to paraphrase Dr Strange) simple yet very effective.

Also, it's worth mentioning that I am in no way affiliated with the Profile Builder plugin or its creators. I simply like the plugin. Also worth noting that they have a free and a paid version. To date I have only used the free version, as the features in the paid version are heavily geared toward the custom user roles. Admittedly I am only using a fraction of the available power here, and I'm fine with that.