Tag: registration

Email Verification and Unsubscribing
If you follow me on Twitter (no you probably don’t want to), you know I’ve been dealing with the messy technical side of death for around 2 years now. My father died, unexpectedly, and I picked up his digital life and dropped it on my laptop in order to untangle things. While my father had shared his login information with me before, I did run into a number of technical issues like needing the phone for an SMS confirmation when I logged in from a new location.

Now all that said… Here’s the technical problem a LOT of companies created for themselves.
1. They don’t require you to verify an email before sending you advertisements
2. Those emails do not have unsubscribe links
Yeah, those two things are killing me, smalls.

Why not delete the account?

Someone’s thinking this…

Because the last time someone emailed it, legit looking for my Dad to tell him something funny/relatable/personal, was December 2020.

Dad was in his 70s. He had a lot of sporadic friends over that time, and sometimes they would randomly think about him and reach out. Many were long-standing friends, some I knew and hadn’t seen since I was in elementary school. He lived in a lot of places. Those people needed to be told he was dead.

Maybe one day I’ll delete his account and his website, but it won’t be any time soon.

How to Fix This

The good news here is all this is fixable if people start caring about data properly.

See the problem here stems from companies wanting your data. They want it so much that they use any excuse to grab it and never let go. But this is wrong both legally and morally.

It’s not their data. It is YOUR data, and you should have a right to it. Per the GDPR, UK’s Right of Removal, and even California’s new laws, my data belongs to me, and I have a right (in most cases) to get it off their system. In the case of my dead father? That data is as useful for you as wings on a mongoose. But as his estate’s legal representative, I legally own Dad’s data, which means I should have control.

Check The Email First

Anyone who’s signed up for anything online lately knows that you have to opt-in to getting ads. That’s just how the world works now. But you also have to confirm your email before you can use your account fully.

At the outset, that sounds great, right? It forces people to confirm! The reality though is that by letting people make an account, with or without verification of the email, those companies add the email to their mailing lists. That means that when some moron uses my father’s email to ‘test’ (or because they’re some idiot in the midwest who regularly thinks it’s his email even though Dad made it in the 1990s and has used it since then, seriously buddy, stop it), I get the email. And when they correct the email in the account, they retain access and I keep getting emails that I cannot unsubscribe from.

We’ll get to the lack of links in a minute.

The obvious thought process here is “People wouldn’t put in the wrong email!” but the reality? They do. They totally do. There’s a guy who bought a Ford, has a credit line, and a loan from a bank, and I know a whole lot about all this because he is a total idiot who keeps using the email that was my father’s. Seriously. It’s never been his email. The first owner of the domain was Dad. The second is me. The email he used has been in use, by my father, since March 2, 1995. Not joking.

Now, if you keep along with the (incorrect) thought train, you’d think “Once someone enters their email, I can add it to my mailing lists as I have their consent.” And again, sure. IF the email is actually theirs. And what’s happening is all these sites add in your email to their lists before they confirm (if they confirm at all) that it’s really your email. This means my poor Dad’s email is not just added to an account, it’s added to all their lists as well.

Let Us Unsubscribe

The other (related) issue is there’s no unsubscribe link.

Look, I get it. There are emails that are not unsubscribeable for as long as you have an active account. There are legal reasons why you have to be mailed some things. However all those emails must have a way you can actually close/remove your account. A link would be great, but even an explanation “Hey, we cannot unsubscribe you unless you close your account, here’s how to do that.” would be better than the message from a certain ISP who told me I had to log in to the account… but were unable to provide me with the login info.

In the case of two separate companies, if you do have to legally send out emails to people because they have an active account, you should be including some information like ‘Your account name is X’ or even ‘Your account number is X’ so that we can have a place to start. Instead, I have a bunch of emails that all say they can’t unsubscribe me while I have an active account, please log in …

And what do you think happens when I go to log in? Of course ‘There is no account with this email…’

Which brings me to…

Let Us Recover Accounts

It needs to be ‘easier’ to recover account. Especially if someone’s dead.

Now, I’m not talking about Facebook’s idiocy on locking people out and requiring them to have someone else verify them, only to send another email that bounces and you can never log in. Although that was certainly fun to do with my Dad’s stuff.

Take a hard look around. People are dying by the thousands per day, and those are not ‘expected’ deaths by any means. This means the number of humans who were unprepared and unorganized are stuck trying to find things like account numbers, and have no clue where to start. If we’re lucky, we can get into their email and change the passwords so we can keep it but…

This is not actually very easy! The only reason I had Dad’s email was because I was his email admin. If I wasn’t, I’d have to have logged in while I was still in Japan, from his laptop, and then hoped beyond reason that I was able to change the passwords without knowing the current one.

Think about that for a second. My father lived in Japan, had a Japanese number. He’s dead, the phone number was closed, and I can’t get it back as I’m not a Japanese resident. Which means the methods to recover are … email. But that isn’t enough for some companies.

My ‘favourite’ is someone telling me that there was no way to know what account used my Dad’s email. Yeah, they had no way to connect an email to any account, and required me to provide a local phone number to call me about it. I blocked their emails because I literally have no other solution. They can’t tell me what email uses the address I own, and they can’t help me except by a local-to-them phone call.

Summary? Let People Own Their Data

Okay, here’s your summary:
1. Require email confirmation in all cases where an account is being made. No verification? No account.
2. Allow people to correct the emails if they can’t verify. If someone put in stevejobs@appl.com and forgot that E, they should be able to fix this.
3. Allow people to unsubscribe from all emails with an easy to find method. A link, some explanations, whatever. Make it obvious.
4. If people cannot legally unsubscribe while having an account, then you need to make it possible to cancel accounts when a user DO NOT KNOW the account name. If you’ve verified emails, yo, magic. “I forgot my account name…” — And again, this needs to be easy to find information.
5. If someone sends you a damn death certificate, you should honour it.
This is not going to fix everything, but it would certainly make us hate a couple companies a lot less.
27 January, 2021
Multisite Emails and Redirects
I wrote a plugin that allows people to Join A Multisite on a Per-Site Basis.

There are some things it doesn’t do that I have no intention of adding into the plugin, but people often ask me how to do them. Personally, I think people should always know they’re on a network, and hiding this will only lead to complaints later one, but my way is not the only way.

That said. I am aware of things people try to do that my plugin won’t. All of these snippets should go in a file in mu-plugins. I’d name it multisite-registration.php personally. That way I know what it is right away.

Emails By Site

When you register for a network site, you always get emailed from the network. This means even if I go to halfelf.org to reset my password, the email always comes from ipstenu.org. To change the password reset emails to be from the one where you’ve actually pressed the reset link is pretty easy:
```
add_filter( 'retrieve_password_message', function ($message, $key) {
  	return str_replace(get_site_url(1), get_site_url(), $message);
}, 10, 2);

add_filter( 'retrieve_password_title', function($title) {
	return "[" . wp_specialchars_decode(get_option('blogname'), ENT_QUOTES) . "] Password Reset";
});
```
But when we talk about the activation it’s a little messier. If you’re using my plugin, you can have users sign up on a specific site. You probably want to have new user activations come from that site and if you do, you need to do this:
```
add_filter( 'wpmu_signup_blog_notification_subject', function($subject) {
	return "[" . wp_specialchars_decode(get_option('blogname'), ENT_QUOTES) . "] Activate Your Account";
});

add_filter( 'wpmu_signup_blog_notification_subject', function($subject) {
	return "[" . wp_specialchars_decode(get_option('blogname'), ENT_QUOTES) . "] Activate Your Account";
});
```
That subject can, obviously, be changed.

Redirect Lost Password Pages

So you may have noticed that the lost password page on a network always points to the network and never the site you’re on.

That can actually be fixed by doing this:
```
add_filter( 'lostpassword_url', function ($url, $redirect) {	
	
	$args = array( 'action' => 'lostpassword' );
	
	if ( !empty($redirect) )
		$args['redirect_to'] = $redirect;
	return add_query_arg( $args, site_url('wp-login.php') );
}, 10, 2);

add_filter( 'network_site_url', function($url, $path, $scheme) {
  
  	if (stripos($url, "action=lostpassword") !== false)
		return site_url('wp-login.php?action=lostpassword', $scheme);
  
   	if (stripos($url, "action=resetpass") !== false)
		return site_url('wp-login.php?action=resetpass', $scheme);
  
	return $url;
}, 10, 3 );
```
This simply filters the URL and if you’re on a site’s login page, use that site for the URL.

Redirect Logins to Their Site

This one is messier. If you always want a user to be redirected to ‘their’ site, you have to know what their primary blog is on the network. You can do this, and for the most part, this works:
```
add_filter('login_redirect', function ( $redirect_to, $request_redirect_to, $user ) {
    if ($user->ID != 0) {
        $user_info = get_userdata($user->ID);
        if ($user_info->primary_blog) {
            $primary_url = get_blogaddress_by_id($user_info->primary_blog) . 'wp-admin/';
            if ($primary_url) {
                wp_redirect($primary_url);
                die();
            }
        }
    }
    return $redirect_to;
}, 100, 3);
```
If they don’t have a primary_blog, they’ll be punted to the main for the network, as it should be.
27 June, 2016
Mailbag: I Lost My Site
Don from Worcestershire started an email in a way that normally would result in a quick delete:

Before you cut me off I am a 78 year old gambling historian, specializing in horse racing between 1850 and 2015.the age alone will convince you that my knowledge of this topic is limited.

It’s not the age, Don, it’s that the email starts with a long, dramatic, kind of non-essential story about your life, your ideas, your dreams, your goals, and your son. By the way, I’m sorry for your loss.

Yes, I read the whole email.

It took a long time to sift through the drama to sort out the issues.
1. Spam – He had a lot of spam and used Akismet (yay!) to deal with it.
2. Bandwidth – The spam made his site hit the overages on his hosting.
3. Domain suspension – Due to circumstances, he was late in paying his feeds and the domain was sniped.
I feel bad. I really do. But here’s the thing, Don. Your domain is like your rent. If you don’t pay for it, you lose your home. And while this sucks a lot, and yes there were mitigating circumstances, you didn’t pay in time, and the company is legally within their rights to sell. It’s the same as your phone. No pay, no phone. It’s just that simple.

Now I have good news.

According to whois records, you still own your domain! So you actually didn’t lose the domain you lost the hosting plan.

These are different things. They’re very easy to get confused.

There isn’t a great analogy to all this, I’m afraid, but as it works, you’re paying for two things.

First you pay for the domain. This reserves your ‘name’ on the internet. I recommend paying for it first for a year and then, if you like how things are going, pay for as long as you possibly can. I did mine for a decade at one point in time. I knew I wanted the domains and I knew I was using them.

Once you have the domain, you need to pay for webhosting. The host is where you data is stored.

Now I need to take a digression.

BACK UP YOUR WEBSITE OFFLINE.

If the backup tool you use only lets you backup to your webserver, it’s a shitty backup tool. Stop using it unless you are automatically downloading that backup somewhere else.

Because you see, Don, what happened was that you didn’t pay for your webhosting. You didn’t pay for the storage unit that housed your data. And they can auction that off like they do on shitty shows like Storage Wars.

So what do you do when this happens?

If it’s just the webhost, it’s easy. Contact the webhost. http://www.whoishostingthis.com/ is a great resource to find out who your host is. Be honest but keep it short. “I’m sorry, I wasn’t able to pay on time and my site was suspended. Is there any way I can get it back?” That’s it! That’s all you have to do. If you’re lucky, they may still have all your data. You pay, they flip a switch, it’s back.

The worst case … that’s why you need backups.

If it’s the domain registration, though, that can be a mess. If you bought the domain through your webhost, it may surprise you to find out that the host doesn’t have control over your domain registration. The host is an intermediary. That means, if you go to your site and see a placeholder page owned by a domain registrar, it may or may not be a cybersquatter.

You may have heard about domain hijacking or domain theft. That’s when someone changes the registration of your domain name without your permission. A hijacking is not the same as when you’ve failed to pay for your domain and the registrar slaps up a placeholder. A great many hosts put up a branded placeholder if you’ve registered a domain and not yet updated content. Sometimes it says “This domain has been registered at…”

If it says “This domain is suspended” then the issue is with the webhost. If it says “This domain has expired” then it’s likely to be the registrar. You need to figure out who the registrar is, log in with your info, pay the fine, and get the site back.

I strongly urge you to put a reminder in your to-do list or whatever you use to keep track of things. “Domain name renewal due on day X.” It’s like paying your rent. Don’t forget. Make reminders. Do it.

By the way, no matter whom you talk to, don’t give them the sob story. While they do care, in as much as any human does, it rarely changes the reality of what’s going on. Shit happened, you couldn’t pay. Your personal drama is not their problem. I know how harsh that sounds, but it’s not. And the more you make it how you need an exception because you’re a special case, the more people hear it as an excuse.

I know it’s not. You know it’s not. Except sometimes, Don, for a lot of people, it is. If I told you how many idiots complain they couldn’t pay for $4/month hosting, while stilly buying a top of the line iPhone, you’d understand why it’s draining.

And as someone who’s fucked up before, I find that being honest where it’s my fault gets better results. “I’m sorry. I screwed up and didn’t pay. Is there anything I can do to get my content back? It matters a lot to me, and I’d appreciate anything you can do to help me.”

Works great.

By the way, Don, I see that you have your site back right now. You should upgrade. You’re running WordPress 2.6.1 and that’s really old and vulnerable.
17 July, 2015
Multisite Per Site Registration
This post is dedicated to TJ List, who donated to help me get to WCSF. He’s the last post of this ilk, so I’ll stop having these announcements, but I wanted to say thank you all, one more time. My new job starts the 27th, and you all helped!

Edit: If you want a plugin, see Join My Multisite

Sometimes people want a way to sign up for the network on specific sites, and not go back to the main site. And I often tell people ‘You need to make a custom page template with the code from the signup page in it.’

But how? There’s going to be a lot of code in this post, so at the end I’ll give you a link to the whole file you can download and play with. We’re going to go through the steps, however, since we may not be using the same theme, and you’ll need to understand the process.

Make your Page Template

First you make a new page template. I always call mine page-template-signup.php because well named files/code don’t need as much inline documentation.

Since I wanted to build this off of TwentyTwelve, I grabbed the full page template, and pulled that over:
```
<?php
/*
Template Name: Signup
*/

get_header(); ?>

        <div id="primary" class="site-content">
                <div id="content" role="main">

                        My Content Here

                </div>
        </div>

<?php get_footer(); ?>
```
Obviously on a first pass, nothing much is going on here. The next step is to open up wp-signup.php and take a look. There’s a lot going on here, but we don’t need all of it.

First let’s look at what we need to add to the header area. Most of this is just styling and a little tweakage to stop search engines from thinking people need to really find this page, so let’s add the following right above get_header();
```
add_action( 'wp_head', 'wp_no_robots' );

// Fix for page title
$wp_query->is_404 = false;

function wpmu_signup_stylesheet() {
	?>
	<style type="text/css">
		.mu_register { width: 90%; margin:0 auto; }
		.mu_register form { margin-top: 2em; }
		.mu_register .error { font-weight:700; padding:10px; color:#333333; background:#FFEBE8; border:1px solid #CC0000; }
		.mu_register input[type="submit"],
			.mu_register #blog_title,
			.mu_register #user_email,
			.mu_register #blogname,
			.mu_register #user_name { width:100%; font-size: 24px; margin:5px 0; }
		.mu_register .prefix_address,
			.mu_register .suffix_address {font-size: 18px;display:inline; }
		.mu_register label { font-weight:700; font-size:15px; display:block; margin:10px 0; }
		.mu_register label.checkbox { display:inline; }
		.mu_register .mu_alert { font-weight:700; padding:10px; color:#333333; background:#ffffe0; border:1px solid #e6db55; }
	</style>
	<?php
}

add_action( 'wp_head', 'wpmu_signup_stylesheet' );
&#91;/php&#93;

Just below <code>get_header();</code> we're going to add <code>do_action( 'before_signup_form' );</code>

Then in the 'My Content Here' section, you're going to copy everything from <code><div id="content" class="widecolumn"></code> down to <code><?php do_action( 'after_signup_form' ); ?></code> and put it in there. It's a lot of code, I know. I'm not including it here because of that. Again, check the attached file.

Finally search your file for all instances of <code>wp-signup.php</code> and change them. To what? To whatever you're going to name your page in the next section. I knew I wanted to name my page signup, so I replaced it with that.

<h2>Make Your Page</h2>

<a href="https://halfelf.org/wp-content/uploads/sites/2/2012/08/page-template.jpg"><img src="https://halfelf.org/wp-content/uploads/sites/2/2012/08/page-template-300x222.jpg" alt="Picking Page Template" title="Picking Page Template" width="300" height="222" class="alignleft size-medium wp-image-2509" /></a>Next you make a page. This is easy. You go in to your site, you make a page (I called mine Signup) and you put in <em>no</em> content. Pick the page template called 'signup' and save. I always opt to turn off comments and pingbacks on this page for what I hope are obvious reasons. Don't bother putting in any content to the post. Because we didn't leave in the loop, it wouldn't display.

If that's something you want, then you would leave the loop info in where I had 'My Content Here'
[php]

                        <?php while ( have_posts() ) : the_post(); ?>
                                <?php get_template_part( 'content', 'page' ); ?>
                                <?php comments_template( '', true ); ?>
                        <?php endwhile; // end of the loop. ?>
```
That’s an ‘as you like it’ sort of thing. If you need to leave messages, etc, it’s great.

And that’s kind of it. Oh, you’ll want to mess with your CSS, but that’s all you need to get started! It even keeps you on the page.

How it looks…

Since there are multiple registration options, here’s how they look:

With Registration Disabled

User accounts may be registered

Logged in users may register new sites

Both sites and user accounts can be registered

Adding Users to Sites

I know, I said we were done. There’s one more thing. What happens if you want that per site registration to automatically add people to the site they’re on? That is, if someone goes to halfelf.org/signup/ I want them to be added to halfelf.org as a user. The problem with this is when you register for a user account, you may have noticed there’s an ‘extra’ step to confirm. This is where you get that email that says ‘click here…’

The ‘good’ thing is the URL you get looks like this https://halfelf.org/wp-activate.php?key=0ef92965187a50be and it will take you back to the right site to login! The ‘bad’ thing is it doesn’t actually add you to the site. It will add you any time you create a site, but if you just make a login ID, you get this:

As you can see from that URL, it’s sending me back to wp-activate.php, which is something we can’t change in our signup template. If you know you want to add all users to all sites, then you want Multisite User Management, but that isn’t always the case. So what do we do? Option one is to grab a plugin that makes us approve all users, then we can add them as they’re requested. But you don’t want to do manual work, I’d guess.

The trick is to add an action onto user registration, but only run it per site. So you’d want this in an mu-plugin, and since halfelf happens to be blog #2, I do this:
```
<?php
global $blog_id;
if ( $blog_id == 2 ) {

  function helf_activate_user( $user_id, $password, $meta )
  {add_user_to_blog( '2', $user_id, get_site_option( 'default_user_role', 'subscriber' ) );}
  add_action( 'wpmu_activate_user', 'helf_activate_user', 10, 3 );
}
?>
```
That says ‘Hey, if I’m on blog ID 2, when people register, kick them to be a subscriber on this blog. I have mine in a plugin called halfelf-autoregistration.php and it works rather nicely. If someone registers on ipstenu.org, even if they try to login to halfelf, they can’t login because their registration process was on the other site.(I suppose if someone was clever, they could take https://halfelf.org/wp-activate.php?key=0ef92965187a50be and change it to https://ipstenu.org/wp-activate.php?key=0ef92965187a50be to register there, but there’s no change in ‘risk’ between being a network psudeo subscriber and a real subscriber. If I was adding in editors, I’d probably change my mind here and manually validate every new user. I’m trusting in the fact that most people aren’t that clever.)

Do you have any tricks that help you do this?

Oh and here’s the file to download. It’s in .txt for security reasons.

Download Here
17 August, 2012
Stop SOPA And Change Your Registrar

If you have no idea what’s wrong with SOPA, just Google it.

GoDaddy, a pretty well known domain registrar, not only supports SOPA but helped write it. While in recent days they’d stepped back, it got me thinking. I left GoDaddy years ago, when one of my domains was almost up for renewal. I switched it to NetworkSolutions, which was where my other two domains were.

History. When I first purchased ipstenu.org (08-Sep-1999 00:09:50 UTC) we got domains by filling out a web form, getting an email with a PDF, printing it up, singing it, photocopying our drivers license and faxing that back in. Then, if you didn’t actually have a drivers license, you got a phone call and a fun chat with a woman about what was going on, yes, the state ID was fine, the domain will be set up in five days. A year later I bought another domain, and since I had an account with NetSol, it was as simple as ‘I want that one,’ and I was done.

When I got my third domain, I used GoDaddy since it was cheap, easy and fast. Click, click done. In 2008 or so, all the news about GoDaddy’s rampant sexism and general asshattery ended up with me transferring off GoDaddy and onto NetworkSolutions. Except I didn’t. I had a friend do it, since he and I were trading favors. So up until December 27th, 2011, I’d never actually transferred a domain name!

It’s still weird, and reminds me of the fax days, but it’s pretty easy.

It’s not that I was having any issues with NetworkSolutions. But their statement on SOPA, while anti-SOPA, still sat in my craw a little. Basically they were chickening out, and while I was pretty sure my domains were fine (and my relationship with NetSol), it was one of those days when I felt like I needed to make a change.

Namecheap has been on my radar for years. I’ve had an account with them, and no domains, for most of 2011, since the last time GoDaddy got stupid. See, I raise a lot of money for charity, and one of the things I raise money for is elephants. I want them out of zoos and I want them out of circuses. So when I saw GoDaddy’s founder hunted elephants, I had no choice. I couldn’t be a hypocrite and I had to turn my back on GoDaddy. When I decided I should move from NetSol to someone a little friendlier, whom I felt I trusted as people (that’s a huge deciding factor for me) and who had a good rep, I decided to turn to the people taking ruthless advantage of GoDaddy.

Like Namecheap.

See, they hate SOPA. A lot. Enough that between the $20 credit I had from them (for playing Internet games) and the $7 SOPASucks discount they were offering, it would cost me a grand total of $1.01 to move my domains over. The only time I’d ever worry about moving my domain names is if my DNS (i.e. the nameservers) were run by them. They’re not, they’re run by me, which means a transfer like this is all paperwork. No downtime, nothing to fuss about except the waiting.

All the politics aside, if you have no problems with where you registered your domain, and can do everything you want, then there’s no reason to move. I mean that sincerely. I feel that way about webhosts, and all things computer related. If there’s no compelling case for you to move, stay. If there is, though, moving your domain registrar is actually a lot less scary than moving hosts!

There are a few rules about moving domains. Like you can’t make a bunch of edits to your registry info and then move (it looks ‘suspicious’), and there are date ‘blocks’ on certain things that make you wait 45 days. But assuming, like me, you’ve had the same registrar since the dawn of dinosaurs…

Step 1) Turn off domain protection from your existing host.

Makes sense, you’re now setting it up for people to ask if they can have your domain. In the case of NetworkSolutions, you have to check a box to get an EPP Key (Authorization Key). Save that Key, you’ll need it in a minute.

Step 2) Turn off any WHOIS protection you have.

If the transfer company can’t see who you are, they can’t add you.

Step 3) Go and request the domains be transferred over at your new registrar.

Dead simple. You add the domains, the new guys send an email. You read the email, visit the webpage and click “Yes, please. I want you to be my boss.” This is ‘Fax Number 1’ in the old day.

Then you get another email, this time it’s the old domain register. “Oh noez! Why you leave me?” they wail. Or rather ‘Are you sure?’ Click yes again. This is Fax Number 2.

Step 4) Wait up to 5 days.

And write a blog post.

My move isn’t done yet, but it’s ‘in transfer.’ While I understand why we have the back and forth’s of the emails (faxes) to make sure I’m really me and I really requested this (remember, I work at a bank in my day job), it’s still odd that after the approval is done, it’s a 5-day wait.

But there you are. That’s how (and why) you should switch your registrar.

29 December, 2011