[Defender Pro] Dynamic settings in plugin configs

I’m posting this relative to Defender but it’s really feedback for all the plugins: It would be super helpful if settings that would obviously (or probably) be unique on each site could have dynamic defaults, so that we could apply configs without having to go change one or two things on all sites.

For example, in Defender:

– The “App Title” field in the 2FA settings should default to the site name.

– The Sender name in the one-time password fallback email should also default to the site name, or there should be a placeholder available for it.

– The Login protection settings recommend banning the hostname as a username, whatever that may be. Perhaps a placeholder for that as well? Or perhaps checkboxes for the recommended ones, separate from the textarea?

This would make the configs much more useful since we’d be able to update them from any site, apply them to the others, and know that the site-specific settings will still work.

Additionally, as a separate bit of feedback specific to Defender, the custom message in the Password Reset settings doesn’t seem to be included in the configs.

  • Greg
    • The Crimson Coder

    Also as a sidebar to this, it might be helpful to note somewhere that notification recipients must be INVITED BY EMAIL in order for them to be included in configs. It does not work to add your USER as the recipient if you want it to be included in configs.

  • Nithin Ramdas
    • Support Wizard

    Hi Greg,

    – The “App Title” field in the 2FA settings should default to the site name.

    This is the default behaviour, the “App Title” uses the site title which is configured under Settings > General > Site Title. I suppose you want to change this via configs? If yes, we already have a plan to implement this down the roadmap.

    – The Sender name in the one-time password fallback email should also default to the site name, or there should be a placeholder available for it.

    The 2FA fallback emails are meant to be sent specifically to each user with a unique temporary passcode. The template only mentions the username which will be dynamic for each user and the temporary passcode.

    However, our team is already working on a feature to allow adding more dynamic placeholders like home or site title etc. At the moment, I’m afraid the username and the passcode are the only dynamic placeholders which are supported.

    The Login protection settings recommend banning the hostname as a username, whatever that may be. Perhaps a placeholder for that as well? Or perhaps checkboxes for the recommended ones, separate from the textarea?

    I’m afraid I’m not sure whether I fully get the use case for having a checkbox. The setting would be similar to what is implemented in the text area. The usernames aren’t added by default, as it would prevent an account which uses these default usernames from getting blocked and hence providing the admin with the choice on whether they should add it or not.

    However, if you are referring to implementing these using Defender Configs then I do see that allowing you to add the banned usernames via Defender Config under “Banned usernames” textarea would be helpful.

    Please advise if you are looking for more features regarding the above.

    it might be helpful to note somewhere that notification recipients must be INVITED BY EMAIL in order for them to be included in configs. It does not work to add your USER as the recipient if you want it to be included in configs.

    By default, it isn’t an invite but more of a confirmation which is required from the recipient when they are added. You should see the plugin mention confirmation when enabling Notifications in general too.

    Doesn’t the above help in covering the above use case?

    Please advise so that we can check further if needed to improve the workflow.

    Kind Regards,
    Nithin

  • Greg
    • The Crimson Coder

    This is the default behaviour, the “App Title” uses the site title which is configured under Settings > General > Site Title.

    Ah okay. It’s blank in the settings so I didn’t know if I needed to enter something. Maybe the field could be pre-populated to make that clearer?

    The template only mentions the username which will be dynamic for each user and the temporary passcode.

    Yes, I only meant the sender name. If it’s blank then the email the user receives comes from “WordPress” in their inbox, but I’d rather set it as the site name to improve credibility for something sensitive like login codes.

    The usernames aren’t added by default

    Yes, I didn’t mean they should be blocked by default. But if they are added then they already get saved in the configs anyway, so it’d be helpful if they were dynamic because right now they get overwritten by the source site’s list on all sites when the config is applied. The plugin recommends blocking “admin,” “administrator,” and whatever the hostname is, but then the hostname of whatever site created the config ends up everywhere. So if I save a new config from “mycoolsite.com” and have “mycoolsite” in the banned usernames, then “mycoolsite” is suddenly a banned username on all of my sites. It would be nicer if there was some kind of {{hostname}} placeholder we could use in there, or a “Block hostname?” checkbox, so that if we do choose to block the hostname, it would automatically match the site.

    By default, it isn’t an invite but more of a confirmation which is required from the recipient when they are added.

    Yes, the confirmation aspect is fine, I just meant that if I add myself as the notification recipient by choosing my user account, then it doesn’t work when I apply the config to other sites. But if I invite myself via email, then it saves me as the recipient in the config and I don’t have to go re-add myself as the recipient on every site manually. I know this now and it’s working, I only mentioned because it was a huge pain until I figured it out, so it would’ve been nice to know.

    Anyway, hope all this makes sense. The configs feel very cumbersome and in some cases even less convenient because if I apply one, I still have to go log into 30+ sites to update one or two little settings that are site-specific like those mentioned above, so the feedback I wanted to mention was that it’d be helpful to know that all of the settings in all of the plugins either.

    I suppose another potential option would be to include some way to choose whether to exclude certain settings from the config if they are or might be site-specific. Then I could update the banned usernames on each site, for example, and choose that they wouldn’t be overwritten when I apply new configs later. The notifications example above would be another use case that might benefit from something like that.

  • Nithin Ramdas
    • Support Wizard

    Hi Greg,

    Ah okay. It’s blank in the settings so I didn’t know if I needed to enter something. Maybe the field could be pre-populated to make that clearer?

    I’m not able to replicate such an issue where the field is blank. By default, it should auto-fill the Site Title out of the box when the plugin is installed for the 1st time. The only use case where the field will be blank is when it is manually saved. Are you able to replicate such behaviour on a new site where the plugin is installed for the 1st time?

    We’ll be implementing an improvement to update the field via Configs; however, at the moment I’m afraid there isn’t any exact ETA we could provide.

    Yes, I only meant the sender name. If it’s blank then the email the user receives comes from “WordPress” in their inbox, but I’d rather set it as the site name to improve credibility for something sensitive like login codes.

    At the moment, I’m afraid there isn’t such a feature. We’ll be looking to improve this workflow down the roadmap as mentioned before. It’ll require manually editing the email template to change it according to your needs for now.

    It would be nicer if there was some kind of {{hostname}} placeholder we could use in there, or a “Block hostname?” checkbox, so that if we do choose to block the hostname, it would automatically match the site.

    Thanks for explaining further. I do get you and will make sure to bring this further to our Defender team’s attention to check how the workflow could be improved further.

    I just meant that if I add myself as the notification recipient by choosing my user account, then it doesn’t work when I apply the config to other sites.

    The default settings depend upon the user account, so the configs will only work based on the existing usernames when applied from one site to another.

    As you have stated using “Invite By Email” would be the better option to prevent such instances from occurring. I’ll check with our Defender team to see if there are any improvements within the plugin side to make its usage much clearer.

    Thanks for your feedback, we really appreciate it.

    Best Regards,
    Nithin