Which membership plugin for a simple sign in? Personal areas for customers

Most of the membership plugins I have found seemingly operate on the logic of the website having paying subscribers. I am not looking to make a publishing/blogging website with restricted access to articles. I am not interested in a plugin that I must continually pay for. I won’t be billing my customers on a monthly basis.

Imagine a company website with a small login section.

I am looking for something that’ll allow me to restrict access to certain areas, each individual area restricted to the specific customer. Within this area, they might have access to reports or statistics or links that are personal.

I need a plugin that’ll assist me in maintaining a number of users, for whom I myself have created their accounts (no sign-up procedure) and set the parameters of access.

Is this doable with WordPress or should I be looking at an entirely different solution?

Does Mailgun seriously offer “Detailed Documentation” only for paying customers?


Detailed Documentation

Source: https://www.mailgun.com/pricing

The quoted text is a bullet point/"feature checkmark" for their $35 USD/month plan (the cheapest paid one).

Does this actually mean that they have a lesser manual for the "freeloaders", and a better written one for their paying customers?

If so, this is a new level of sadism which I never thought any company would admit to openly. None of the points are explained further from what I can tell.

Coronavirus, you and hosting company important updates for hosting customers 2020.

The coronavirus has created problems in almost all countries, and maybe you are facing the same. Please take care and stay safe. If you are a hosting customer, please support the hosting industry: if anything is urgent or important, contact your provider, because most employees are working from home and a few are facing health issues. So it is time to help each other. If any hosting provider is not able to provide you support, they may be facing big problems, so please trust them and don’t cancel your services.

If any customer is looking for a web hosting plan for a startup idea in this situation, we provide hosting and support free of cost, along with logo design. We are ready to help you and make your business successful.
Many thanks for your valuable time.

Below are the details of our free lifetime hosting plan:

FREE Startup - $0/Lifetime

>> Single Domain Hosting
>> 200MB Web Space
>> 200MB Bandwidth
>> 2 Email Accounts
>> 2 Sub Domains
>> FREE Auto SSL
>> DDOS Protection
>> 99.99% uptime
>> Softaculous Supported
>> Tier 1 Technical Support

Order Now >> https://hostpoco.com/free-hosting.php

Thank you.

Is it more secure to encrypt separate customers’ data with separate keys?

If I am storing multiple customers’ data in cloud-based file storage such as an AWS S3 bucket, and I use an encryption service such as AWS KMS to achieve encryption at rest, does it add any extra security for me to store each customer’s data in a separate bucket and use a separate encryption key for each customer?

Or is it just as secure to encrypt all customer data with the same encryption key (provided the key is rotated regularly of course)?
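As an added illustration, not part of the question or of any answer on the page: the code below is a Go model of the "one key per customer" design, built the way KMS-style envelope encryption works (a root key that never leaves the key service, a per-customer data key wrapped under it, and the customer ID bound into every ciphertext as additional authenticated data, the role an encryption context plays in KMS). The KMS type, the function names, the customer IDs and the sample object are assumptions made for this example. What it shows is that with separate keys a leaked or mis-issued key for one customer cannot open another customer's blobs, and re-keying one customer touches only that customer's data; neither holds for a single shared key, however often it is rotated.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// newGCM builds an AES-256-GCM AEAD for a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext and binds it to aad (the customer ID, standing in
// for a KMS encryption context). Output is nonce || ciphertext+tag.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// unseal reverses seal; any mismatch in key, ciphertext, tag or aad is an error.
func unseal(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(blob) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:n], blob[n:], aad)
}

// KMS stands in for the managed key service (assumed type): the root key never
// leaves it and is used only to wrap and unwrap per-customer data keys.
type KMS struct{ root []byte }

func NewKMS() (*KMS, error) {
	root := make([]byte, 32)
	if _, err := rand.Read(root); err != nil {
		return nil, err
	}
	return &KMS{root: root}, nil
}

// GenerateDataKey issues a fresh 256-bit data key for one customer and returns
// it wrapped under the root key with the customer ID as encryption context.
func (k *KMS) GenerateDataKey(customerID string) ([]byte, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	return seal(k.root, dek, []byte(customerID))
}

// Decrypt unwraps a data key; a wrapped key presented under another customer's
// ID fails authentication instead of yielding a usable key.
func (k *KMS) Decrypt(wrapped []byte, customerID string) ([]byte, error) {
	return unseal(k.root, wrapped, []byte(customerID))
}

// EncryptObject is the write path for one stored object (envelope encryption):
// unwrap the customer's data key, encrypt, and bind the blob to that customer.
func EncryptObject(k *KMS, customerID string, wrappedDEK, plaintext []byte) ([]byte, error) {
	dek, err := k.Decrypt(wrappedDEK, customerID)
	if err != nil {
		return nil, err
	}
	return seal(dek, plaintext, []byte(customerID))
}

// DecryptObject is the read path; customerID must match the one used on write.
func DecryptObject(k *KMS, customerID string, wrappedDEK, blob []byte) ([]byte, error) {
	dek, err := k.Decrypt(wrappedDEK, customerID)
	if err != nil {
		return nil, err
	}
	return unseal(dek, blob, []byte(customerID))
}

func main() {
	kms, _ := NewKMS()
	dekA, _ := kms.GenerateDataKey("customer-A") // constructed sample tenants
	dekB, _ := kms.GenerateDataKey("customer-B")
	blob, _ := EncryptObject(kms, "customer-A", dekA, []byte("A's report")) // constructed sample
	pt, err := DecryptObject(kms, "customer-A", dekA, blob)
	fmt.Printf("own key: %q err=%v\n", pt, err)
	_, err = DecryptObject(kms, "customer-B", dekB, blob)
	fmt.Println("B's key on A's data:", err)
}
```

Run it and the second DecryptObject fails with "cipher: message authentication failed", as does presenting customer A's wrapped key under customer B's ID. With one shared key, separation between customers rests entirely on the bucket and IAM policy; with per-customer keys it rests additionally on which key (or which encryption context) a caller is allowed to use, which is a separate, auditable policy. Whether to go as far as one KMS key per customer or to keep one KMS key and separate customers by data key and encryption context, as this example does, is a cost and operations decision rather than a confidentiality one.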

How can we let customers upload filled-out forms on our website? [closed]

I’m not sure if this is the right place for this question, but here goes:

We have a website where customers can login, and see some safety forms as PDF documents.

The idea is that they need to fill out these forms, and send them to us somehow.

Right now, there are 2 choices:

  1. We can let the customer print the form, fill it out with a pencil/pen, scan it, and upload it to us as a file
  2. We can convert the form into HTML, and have them fill out a regular HTML form

Both would work, but:

  • Option 1 is incredibly inconvenient for the customer
    • They need a printer and scanner
    • They need to go through the effort of printing and scanning potentially dozens of pages per day
  • Option 2 is incredibly inconvenient for us
    • For every Safety Form we want to show the customer, which could be dozens, each one made up of dozens of pages, we would need to spend time converting it to HTML
    • The managers running our website that have new safety forms to show the customer don’t know HTML, so they’ll constantly be bugging web developers to convert PDF files to HTML. Our web developers have better things to do than convert PDFs to HTML all day long

The only thing I can think of to make it easy for everyone is to use some sort of JavaScript-based PDF annotation library. The customers would be able to add text directly on top of a PDF, and hit a button to send it to us. The managers would just upload the PDF they want the customer to fill out, without needing to do anything else.

There are a few libraries that can do this that I have come across, but they all seem to be insanely expensive. pdfjs.express is $375/month. My boss would be unlikely to pay 1/10th of that as a one-time fee…

Is there a free library to let someone use their browser to write text on top of a PDF file, and send it to the server when they are done?

Failing that, are there any other ideas?

Edit: We can also do something like convert each PDF uploaded by the managers to a set of images (one image per page), show them to the customer as images, and use something like marker.js to let them modify the images. It may be a bit of work to get working, but right now, that’s my best option

How might we help customers get back on track from a connection timeout message

I’m designing ‘sad path’ scenarios for checkout, and I’m trying to design for helping customers when a connection timeout occurs because the checkout hangs while trying to connect to our 3rd-party credit card payment form.

When this happens, the credit card payment form cannot be loaded in our checkout environment.

A simple solution is to reload the page.

The UX/UI solution I’m putting forward is an alert message that appears on the page and asks the customer to reload the page.

This is my attempt at making the error message more ‘user-friendly’:


A connection error occurred

An error occurred when we were trying to connect to the system.

Please reload the page to try connecting again.

[ Reload page ] <— button


How do people feel about the above message? Any other solutions you can think of?

Thanks.

Enable CORS for multiple customers

We use an .htaccess file to control access.

Currently, we have the following code to allow CORS to our developer APIs:

    <If "%{REQUEST_URI} =~ m#^/api/v1/#">
        Header always add Access-Control-Allow-Origin "*"
        Header always add Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, client-security-token"
        Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
    </If>

Now, we don’t want iframes or other 3rd parties to be able to call our APIs.

How can we maintain the whitelisted origins to be allowed for CORS? Maintaining the .htaccess file manually, adding and removing origins for every new customer, sounds complicated. What would be the recommended way to maintain the list of whitelisted origins?
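As an added example, not from the question or from any answer on the page: the usual way out of editing .htaccess per customer is to move the decision into the application, keep the customer origins in a data store, and have a middleware echo the request's Origin back only when it is on that list. The Go net/http middleware below does that; the names OriginAllowlist, CORS and Probe, the sample origins and the /api/v1/ping path are assumptions for this example, and in production the list would be loaded from the customer records rather than populated inline. Two caveats worth keeping in mind when reading it: CORS only governs what a browser lets a page read, so it does not stop a third party calling the API from a script or server (the Authorization / client-security-token checks remain the real access control); and the exact origin, never "*", is what allows credentialed requests later and is also the form browsers accept, since a response carrying more than one Access-Control-Allow-Origin value (which "Header always add" can produce if anything else sets it) fails the check.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

// OriginAllowlist holds the exact origins (scheme://host[:port]) whose pages
// may read API responses. Load it from your customer records at startup and
// update it when customers come and go; no web-server config changes.
type OriginAllowlist struct {
	mu      sync.RWMutex
	origins map[string]struct{}
}

func NewOriginAllowlist(origins ...string) *OriginAllowlist {
	a := &OriginAllowlist{origins: map[string]struct{}{}}
	for _, o := range origins {
		a.Add(o)
	}
	return a
}

// normalize lower-cases the origin and strips a trailing slash so that
// "https://Customer.example/" and "https://customer.example" compare equal.
func normalize(origin string) string {
	return strings.TrimSuffix(strings.ToLower(strings.TrimSpace(origin)), "/")
}

func (a *OriginAllowlist) Add(origin string)    { a.mu.Lock(); a.origins[normalize(origin)] = struct{}{}; a.mu.Unlock() }
func (a *OriginAllowlist) Remove(origin string) { a.mu.Lock(); delete(a.origins, normalize(origin)); a.mu.Unlock() }

// Allowed is an exact-match lookup: no wildcards, no suffix matching, and the
// literal "null" origin (sandboxed iframes, file://) is never accepted.
func (a *OriginAllowlist) Allowed(origin string) bool {
	o := normalize(origin)
	if o == "" || o == "null" {
		return false
	}
	a.mu.RLock()
	defer a.mu.RUnlock()
	_, ok := a.origins[o]
	return ok
}

// CORS wraps an API handler. Allowed origins are echoed back verbatim (never
// "*"); unknown origins get no CORS headers at all, so the browser refuses to
// hand the response to the page. Vary: Origin keeps a shared cache from
// replaying one customer's headers to another customer's site.
func CORS(allow *OriginAllowlist, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		h.Add("Vary", "Origin")
		origin := r.Header.Get("Origin")
		if origin != "" && allow.Allowed(origin) {
			h.Set("Access-Control-Allow-Origin", origin)
			h.Set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS")
			h.Set("Access-Control-Allow-Headers", "Content-Type, Authorization, Accept, X-Requested-With, Client-Security-Token")
			h.Set("Access-Control-Max-Age", "600")
			// Add "Access-Control-Allow-Credentials: true" here only if the API
			// relies on cookies; that header is exactly why "*" cannot be used.
		}
		if r.Method == http.MethodOptions && r.Header.Get("Access-Control-Request-Method") != "" {
			w.WriteHeader(http.StatusNoContent) // preflight: never reaches the API
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Probe sends one in-memory request through CORS and reports the
// Access-Control-Allow-Origin value the browser would see ("" = blocked).
func Probe(allow *OriginAllowlist, method, origin string) string {
	api := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, "ok") })
	req := httptest.NewRequest(method, "/api/v1/ping", nil) // assumed API path
	req.Header.Set("Origin", origin)
	if method == http.MethodOptions {
		req.Header.Set("Access-Control-Request-Method", "POST")
	}
	rec := httptest.NewRecorder()
	CORS(allow, api).ServeHTTP(rec, req)
	return rec.Header().Get("Access-Control-Allow-Origin")
}

func main() {
	allow := NewOriginAllowlist("https://customer-one.example") // constructed sample customer
	fmt.Printf("%q\n", Probe(allow, "GET", "https://customer-one.example"))
	fmt.Printf("%q\n", Probe(allow, "GET", "https://evil.example"))
	allow.Add("https://Customer-Two.example/") // onboarding a customer: a data change, not a config edit
	fmt.Printf("%q\n", Probe(allow, "OPTIONS", "https://customer-two.example"))
}
```

If the API has to stay behind Apache with no application in front of it, the equivalent inside .htaccess is a `SetEnvIf Origin` regex that marks matching requests and a `Header set Access-Control-Allow-Origin "%{ORIGIN}e" env=ORIGIN` that echoes the matched value; that works, but the regex then has to be regenerated on every customer change, which is the maintenance burden the question describes. Either way, keep the `Authorization` / `client-security-token` check as the thing that actually decides who may call the API.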

How should I use the target’s customers in penetration tests? [on hold]

This question concerns both physical and non-physical pentests.


Should I use customers’ accounts to pwn? (Assuming I’m not given an account by the employer/target for the engagement)

I may somehow manage to grab credentials of a customer of the target. The customer may not be mentioned in the scope. Using their account/credentials may negatively affect them personally so I think it should be avoided. However, I believe adversaries usually would directly target the customers to either just steal the customers’ credentials and assets or (somehow) use a customer account to get more information on the target or as an attack vector (a customer may be a VIP with extra functions).


In a physical pentest, we may come in contact with the employer/target’s customers (e.g. normal people in a company building, people touring the place, shoppers in a mall). Should we attempt to extract information from them, or even social engineer them into helping us (get some people to swarm in front of a door) without them knowing?


This, I believe, mainly depends on ethics (we probably shouldn’t use patients in hospitals) and collateral damage (people having their data touched even just from us logging in as them).

(Please don’t simply say “it depends on the scope”. That’s always a big element, but I’d like to learn about pentesting in general – rules that can apply to most engagements, or at least specific details on how the scope may greatly change this aspect of a pentest.)