On this test site, I'm having issues with getting hackers. I know my clients can just click on Add a Post on their site.
Most of the time I try to disguise where they log in to add a new Horse or New Dog on the submissions page. But I don't feel like that is secure either. Do you have it so they log in with a password before they add to the submission form?
Hello,
Please elaborate on the question with more details:
Do you have it so they log in with a password before they add to the submission form?
I assume you are going to let users log into your website before submitting Toolset forms.
If so, yes, it is possible with the Access plugin; see our document:
https://toolset.com/documentation/user-guides/access-control-for-cred-forms/
You can disable access to your forms for guest users.
Right now, I only let the website owner login. I have a special image for them to click on to submit their dog on the submission page. But lately I'm getting hacked. I got several emails very similar that show this below. Neither I nor my client have made any changes. (Right now there is no login with password for client to make a submission. I guess I need to set that up?)
I got this email from Sucuri:
Event: Post Update
Website: hidden link
IP Address: 35.175.205.111
Reverse IP: ec2-35-175-205-111.compute-1.amazonaws.com
Date/Time: May 19, 2019 6:29 pm
Message: Dog-for-sale status has been changed; details: ID: 287,Old status: new,New status: auto-draft,Title: CRED Auto Draft 940ff1b6ffa11e0bcc81d0d7c7aac06d
I assume we are talking about this URL:
hidden link
Please log out and test the above URL as a guest. This form is displayed to guest users, so it might be causing the security problem:
Any guest can create posts on your website using the above URL.
As I suggested above, you can try these:
1) Install Toolset Access plugin, you can download it here:
https://toolset.com/account/downloads/
2) Follow our document:
https://toolset.com/documentation/user-guides/access-control-for-cred-forms/
disable access to your post forms for guest users.
3) Change all users' passwords, and remove other useless users here:
hidden link
I've installed the Access plugin. I've clicked on the forms page and posts page and clicked on save.
When I go to the front end now and click on Add new submission, it says Permission Denied. Where does my client log in now to add her new puppy for sale on the form submission page? Not sure how to set that up.
For the new question:
Where does my client log in now to add her new puppy for sale on the form submission page?
I assume we are talking about this page:
hidden link
You can ask your client to create the new puppy for sale posts at the above URL. I have tested it with the steps below:
1) Log in as user "test123",
2) Open URL hidden link, I can see the post form correctly
3) fill the form, and submit, I can see the new post is created without any problem, for example:
hidden link
4) Log out and, as a guest, open the above URL again:
hidden link
I see the message: Permission denied
Are there any missing steps?
If my client just goes to her site and clicks on Add New submission, it says permission denied.
So how do I set them up to go to that page and add their dogs for sale?
I don't want the public to be able to click on the page and add dogs. I'd rather it say permission denied to hackers.
Do I have to set them up as users like for WordPress, where they log in to the backend? The only reason I use Toolset is so they can log in easily and add their info to the front page forms. I just don't know how to set them up as users in this new Access plugin.
For the question:
Do I have to set them up as users like for WordPress, where they log in to the backend?
Yes, you need to set up your clients as WordPress users. You can try these:
1) Create a WordPress page, for example "my account"
2) In the my account page, if the current user is a guest, display a login form for them
hidden link
3) If the current user is a logged-in user, display the link to the "new-submission" page:
https://toolset.com/documentation/user-guides/access-control-texts-inside-page-content/
Then only logged-in users can see the post form and the "new-submission" page links
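
The "my account" page from the steps above, sketched as plain WordPress code. This is an added example, not part of the original thread and not Toolset's own code; the `[my_account_gate]` shortcode name, the `example_my_account_gate` function and the `/new-submission/` slug are assumptions.

```php
<?php
/**
 * Plugin Name: My Account Gate (added example)
 *
 * Constructed illustration, not Toolset code. Assumes the page that holds
 * the post form has the slug "new-submission" and that the form itself is
 * already restricted to logged-in users with Toolset Access.
 */

// Usage: place [my_account_gate] in the content of the "my account" page.
add_shortcode( 'my_account_gate', 'example_my_account_gate' );

function example_my_account_gate() {
    // Step 2: guests see a login form that returns them to this page.
    if ( ! is_user_logged_in() ) {
        return wp_login_form( array(
            'echo'     => false,           // return the markup instead of printing it
            'redirect' => get_permalink(), // come back here after signing in
        ) );
    }

    // Step 3: logged-in users see the link to the submission page.
    // Hypothetical slug; change it to match the page that holds the form.
    $form_url = home_url( '/new-submission/' );
    $user     = wp_get_current_user();

    $html  = '<p>Logged in as ' . esc_html( $user->display_name ) . '.</p>';
    $html .= '<p><a href="' . esc_url( $form_url ) . '">Add a new submission</a></p>';
    $html .= '<p><a href="' . esc_url( wp_logout_url( get_permalink() ) ) . '">Log out</a></p>';

    return $html;
}
```

Showing or hiding the link is only a convenience: what keeps guests from creating posts is the Access restriction on the form itself, so the form page must stay restricted even when its URL is not linked anywhere.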