My JPress WordPress Site uses a custom Login/Register Page because of the following:
- I can’t send E-Mails from the servers
- I believe in E-mail-Free Registry, where a user of my Site doesn’t have to share any personal information with the owner of the site.
How it works:
- If user is registering, User inputs UserName and their Password. Both are stored in the Site’s WordPress Database, along with a “Dummy E-Mail” to comply with WordPress registry. [Example is [email protected]]
- If user is Logging In, User inputs UserName and their Password, which is checked with the Database for authentication.
I was planning on adding a Password Recovery System, where an Admin like Me sets a User’s password to a Reset Password detected in the Login Page, and allows the user to set a new password, but before I continue with that, I ask:
Am I violating any TOS with my Custom Login/Register Page on my WordPress Site?
After reading various Topics on your Forums, I became worried that my Account would be suspended, and since I am a new user, I don’t want to experience this.
If I am violating any TOS, I am willing to resolve the issue without a fight. I would like to stay in good standing with your Services, and if I am not, I am willing to perform any actions to return my position to good standing.
I believe in a web environment that involves sharing as little data as possible. Thank you for your support. For passwords, these passwords are encrypted by my WordPress Installation. Since I don’t require User E-mails, I don’t have to worry about that.
I can see some practical downsides of your registration system (I don’t understand how your recovery system works), but ToS-wise I don’t see any problem with it.
Please note that mail.com is an actual email service, and [email protected] might be someone’s email address. Using a dummy email is fine, but I strongly recommend picking something that you can be absolutely sure can never be used as a real email address. Because if this became known, and somehow email sending from your website would work, you’d have a massive account takeover exploit in your site.
Again, not a ToS issue, but something you may want to be careful with.
Thank You! So, if I was setting a Dummy E-mail, I should set something like [email protected]?
Also, with the recovery system, A Site Admin (like Me) would go to a locked WordPress Page visible to only Admins, Enter a UserName into the reset field, then it sets the password to a reset one. When the Login PHP detects this reset password, then the User would be asked for the New Password, which would then be set in the database.
This is a form of account protection in my opinion. No one could (theoretically) steal a User Account, and since I prefer a Personal-Info-Free environment, it’s the most secure. I ensure that the reset is done right, if it needs to be done.
The downside to that is if somebody figured that out and registered that domain. I would recommend you create a subdomain of your own site’s hostname (such as nothing.jpress.ct.ws) and then never configure it to receive email. That way you know it will never be a valid email hostname (unless of course you ever change the URL of your site, but you can reconfigure it at that point).
Also I found this WordPress plugin that can disable sending emails entirely, though I’m not 100% sure if it meets your use case or not.
If I understand it correctly, I think the idea is that OP or another site admin could manually reset a user’s password by changing it to a dummy password, which the user could then use to change their password to a new one. I don’t know how OP would go about verifying a user’s identity without email, but considering they’ve come this far with the custom registration system, I would guess they’ve figured something out.
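The admin-driven reset described in this thread, sketched as an added example in plain PHP (not the site's code and not written by any poster here). It assumes a random per-user temporary password and a one-hour expiry, neither of which the thread specifies, and uses a constructed in-memory `$users` array in place of the WordPress database.

```php
<?php
// Constructed stand-in for the user table (hypothetical data, not the site's schema).
$users = ['alice' => ['hash' => password_hash('old-password', PASSWORD_DEFAULT),
                      'must_change' => false, 'reset_expires' => 0]];

const RESET_TTL = 3600; // assumption: temporary password is valid for one hour

// Admin-only page: replace the password with a random, per-user temporary one.
function admin_reset(array &$users, string $name): ?string {
    if (!isset($users[$name])) return null;
    $temp = bin2hex(random_bytes(12));            // never a fixed, shared value
    $users[$name]['hash'] = password_hash($temp, PASSWORD_DEFAULT);
    $users[$name]['must_change'] = true;
    $users[$name]['reset_expires'] = time() + RESET_TTL;
    return $temp;                                 // handed to the user out of band
}

// Login check: returns 'ok', 'change_required' or 'denied'.
function login(array $users, string $name, string $password, ?int $now = null): string {
    static $dummy = null;
    $dummy ??= password_hash('placeholder', PASSWORD_DEFAULT);
    $now = $now ?? time();
    $u = $users[$name] ?? null;
    // Always run a verify so unknown usernames take about as long as known ones.
    $valid = password_verify($password, $u['hash'] ?? $dummy);
    if ($u === null || !$valid) return 'denied';
    if ($u['must_change']) {
        // The temporary password only unlocks the change step, and only until it expires.
        return $now <= $u['reset_expires'] ? 'change_required' : 'denied';
    }
    return 'ok';
}

// Accept a new password only from someone who holds the unexpired temporary one.
function set_new_password(array &$users, string $name, string $temp, string $new): bool {
    if (login($users, $name, $temp) !== 'change_required') return false;
    if (hash_equals($temp, $new)) return false;   // do not keep the temporary value
    $users[$name]['hash'] = password_hash($new, PASSWORD_DEFAULT);
    $users[$name]['must_change'] = false;
    $users[$name]['reset_expires'] = 0;
    return true;
}

$temp = admin_reset($users, 'alice');
var_dump(login($users, 'alice', 'old-password'));                // old password is rejected
var_dump(login($users, 'alice', $temp));                         // temp leads to the change step
var_dump(set_new_password($users, 'alice', $temp, 'a-new-long-passphrase'));
var_dump(login($users, 'alice', 'a-new-long-passphrase'));       // normal login again
```

How the admin confirms who is asking for the reset, and how the temporary password reaches that person, stays outside this code, as the last reply points out.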