
Old Forums (READ-ONLY): The community now lives at WP Sharks™. If you have an s2Member® Pro question, please use our new Support System.

Pre-Sales Questions, Pay-to-Post/Publish


This topic contains 2 replies, has 3 voices. Last updated by  Jason (Lead Developer) 4 years, 6 months ago.

Posted: Tuesday Jun 19th, 2012 at 1:37 pm #16916
Justin Shattuck
Username: shat

First, I have been reviewing your plugin documentation, codex, forums and FAQ for quite some time. Very impressed with the amount of development and support your team has put into this plugin. It seems to be absolutely wonderful and your user base seems to love you for it.

I can appreciate the amount of time and effort put into this work and am interested in utilizing it for an upcoming site build I am beginning to scope out.

My questions mostly concern two areas: Pay to Post & Publish content within Multisite/BuddyPress and Security.

1) The site I am going to be building will deliver 90% of its content free to the public for viewing, however members will be required to join, make a payment and agree to various TOS details prior to publishing content. Curious if s2member supports this in either the free or PRO version. Will it allow me to specify that users can post (1) or any other entered quantity of posts within a specific category? Imagine if you will that each user has a profile and they can publish an article about their pet (though this is not the actual content of the scope ;).) I want to allow each user to publish 1 post (pet) for $X.xx USD as well as publish (X) qty of posts (pets).

2) I noticed when I subscribed/joined your forums it mailed me the password. This concerns me. Are the passwords being stored, even temporarily in plain-text for the email then being hashed+salted? I imagine you’re using bbPress for this forum and it very well could be the overall functionality of it.

Do you have any enhanced security considerations you’d like to share that are potential risks associated with s2Member? Do you regularly check it with XSS/CSRF and SQL injection vectors? I just want to know how many new mod_security rules I might be writing during this implementation.

I appreciate your time and cooperation with my questions in advance.

List Of Topic Replies

Posted: Wednesday Jun 20th, 2012 at 10:43 pm #17062

Hi Justin.

First, I have been reviewing your plugin documentation, codex, forums and FAQ for quite some time. Very impressed with the amount of development and support your team has put into this plugin. It seems to be absolutely wonderful and your user base seems to love you for it.

I can appreciate the amount of time and effort put into this work and am interested in utilizing it for an upcoming site build I am beginning to scope out.

Thank you so much for the kudos! We appreciate that, and are glad you like s2Member. :)

1) The site I am going to be building will deliver 90% of its content free to the public for viewing, however members will be required to join, make a payment and agree to various TOS details prior to publishing content. Curious if s2member supports this in either the free or PRO version. Will it allow me to specify that users can post (1) or any other entered quantity of posts within a specific category? Imagine if you will that each user has a profile and they can publish an article about their pet (though this is not the actual content of the scope ;).) I want to allow each user to publish 1 post (pet) for $X.xx USD as well as publish (X) qty of posts (pets).

No, s2Member doesn’t deal with this at all. It only manages access to content, not the admin side to post anything. That said, you could customize your installation, even with the free s2Member, and add to the s2Member role for the Level you’re selling, the WP capabilities needed to post. For that you’d use a plugin like the User Role Editor. http://wordpress.org/extend/plugins/user-role-editor/

That won’t check the number of posts or anything like that, you’ll need to customize your installation further with a hack that’d check this and remove the user’s capabilities once he reaches his limit. Or change him to another role that doesn’t have the capabilities. Knowledge Base » Changing Roles/Capabilities via PHP

2) I noticed when I subscribed/joined your forums it mailed me the password. This concerns me. Are the passwords being stored, even temporarily in plain-text for the email then being hashed+salted? I imagine you’re using bbPress for this forum and it very well could be the overall functionality of it.

This is something WordPress does when a user registers. s2Member makes it easy to edit the New User email, if desired. Dashboard -› s2Member® -› General Options -› Email Configuration -› New User.

The password, though available in plain text when the email gets sent, is never stored that way. WordPress encrypts it and it can’t be reversed again. Lost passwords can’t be recovered, only replaced with a new one. This is how WordPress works, s2Member doesn’t alter it.

Do you have any enhanced security considerations you’d like to share that are potential risks associated with s2Member? Do you regularly check it with XSS/CSRF and SQL injection vectors? I just want to know how many new mod_security rules I might be writing during this implementation.

Jason is very careful to make s2Member secure as much as possible. I’ll email him asking if he wants to add a comment here regarding this. About mod_security, here’s an article that talks about it in relationship with s2Member: Knowledge Base » Mod Security, Random 503/403 Errors.

I hope that helps. :)
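The "hack" the reply describes, as an added example that is not s2Member's own code: a filter on WordPress's `user_has_cap` that withholds `publish_posts` once a member has used up a purchased quota. It assumes the role sold at the s2Member Level has been given `publish_posts` (e.g. via User Role Editor), that the quota lives in a hypothetical user meta key `pet_post_quota`, and that the site owner calls the hypothetical `pet_grant_quota()` from whatever confirms the payment.

```php
<?php
// Added example, not s2Member code. Assumed meta key: 'pet_post_quota'.

/**
 * Record purchased posts for a member. Call this from your payment
 * confirmation handling (hypothetical wiring, not shown here).
 */
function pet_grant_quota( $user_id, $count ) {
    $current = (int) get_user_meta( $user_id, 'pet_post_quota', true );
    update_user_meta( $user_id, 'pet_post_quota', $current + (int) $count );
}

/**
 * Deny publish_posts once the member's published post count reaches the quota.
 * user_has_cap runs on every capability check, so this also covers the block
 * editor, Quick Edit and REST API requests, not only the classic editor screen.
 */
function pet_limit_publish_cap( $allcaps, $caps, $args, $user ) {
    // Only act when a publish check is being made.
    if ( ! in_array( 'publish_posts', (array) $caps, true ) ) {
        return $allcaps;
    }
    // Site administrators are never limited.
    if ( ! empty( $allcaps['manage_options'] ) ) {
        return $allcaps;
    }
    $quota = (int) get_user_meta( $user->ID, 'pet_post_quota', true ); // 0 = nothing purchased
    $used  = (int) count_user_posts( $user->ID, 'post', true );        // published posts only

    if ( $used >= $quota ) {
        // Quota exhausted: the member can still save drafts (edit_posts),
        // but cannot publish until more posts are purchased.
        $allcaps['publish_posts'] = false;
    }
    return $allcaps;
}
add_filter( 'user_has_cap', 'pet_limit_publish_cap', 10, 4 );

/**
 * Front-end helper: decide whether to show the "publish a pet" button.
 * Uses the same capability, so the UI and the enforcement cannot disagree.
 */
function pet_can_publish_more() {
    return is_user_logged_in() && current_user_can( 'publish_posts' );
}
```

Because the check counts only published posts, a member who deletes a published pet regains that slot; store a separate "posts ever published" counter if that is not the intended behaviour.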

Posted: Wednesday Jun 20th, 2012 at 11:24 pm #17068
Staff Member

Thanks for the heads up on this request for support.

Do you have any enhanced security considerations you’d like to share that are potential risks associated with s2Member? Do you regularly check it with XSS/CSRF and SQL injection vectors? I just want to know how many new mod_security rules I might be writing during this implementation.

We recommend that you establish a Security Encryption Key for your s2Member installation, in order to make your installation unique among others that exist globally, on other WordPress installs.

See: Dashboard -› s2Member® -› General Options -› Security Encryption Key

Also, I recommend that you qualify your installation of s2Member, to receive our Security Badge. By doing this, you’ll not only build trust with your customers, but you’ll also learn more about enhanced security features provided by s2Member. Please follow the checklist we’ve posted here: http://www.primothemes.com/forums/viewtopic.php?f=4&t=15600&p=48551#p48550

See also: Dashboard -› s2Member® -› General Options -› Security Badge

Regarding XSS and SQL injections.

We’re not aware of any vulnerabilities that exist in the current releases of s2Member/s2Member Pro. We make it a point to properly sanitize, encapsulate, and escape all data used in SQL queries. XSS attacks are prevented with built-in WordPress® core functionality, such as esc_html().

Regarding CSRF (Cross-Site Request Forgery)

I’m not aware of any vulnerability in s2Member that would expose it to an attack like this. s2Member uses wp_verify_nonce() to avoid some variations of these types of attacks, and it also refuses to allow browser caching.

You can help yourself to further avoid the possibility of this type of attack, by carefully configuring any caching plugins that you might intend to use. For example, a caching plugin (if not properly configured), can lead to unforeseen issues that might be classified as CSRF in some circles. Generally speaking, be sure that your caching plugin does NOT cache pages/objects/etc, for any user that is logged into the site. We recommend our own Quick Cache plugin, as it comes this way by default, and is tightly integrated with s2Member.

Security In General (and PCI compliance)

We have many PCI compliant installations of s2Member, which are constantly scanned for security issues. Should you employ a popular scanning service, and should it report any security vulnerabilities, please notify us immediately, and we’ll work to resolve them for you.
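The three defences this reply names (escaping with `esc_html()`, nonces checked with `wp_verify_nonce()`, and no caching for logged-in users), shown together in an added example that is not s2Member's code. It assumes a hypothetical "rename my pet" form for logged-in members; the `pet_*` function names and the `pet_name` meta key are placeholders.

```php
<?php
// Added example, not s2Member code. Hypothetical form: a member renames their pet.

// 1. XSS: everything that came from a user is escaped for the context it is printed in.
function pet_rename_form( $current_name ) {
    $html  = '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    $html .= '<input type="hidden" name="action" value="pet_rename">';
    // Nonce tied to this action AND this user; returned as a string, not echoed.
    $html .= wp_nonce_field( 'pet_rename_' . get_current_user_id(), '_pet_nonce', true, false );
    $html .= '<label>Current name: ' . esc_html( $current_name ) . '</label>';
    $html .= '<input type="text" name="pet_name" value="' . esc_attr( $current_name ) . '">';
    $html .= '<button type="submit">Save</button></form>';
    return $html;
}

// 2. CSRF: the handler refuses any request whose nonce does not verify for the
//    logged-in user, then checks capability and sanitizes before saving.
function pet_rename_handler() {
    $uid   = get_current_user_id();
    $nonce = isset( $_POST['_pet_nonce'] ) ? (string) $_POST['_pet_nonce'] : '';
    if ( ! $uid || ! wp_verify_nonce( $nonce, 'pet_rename_' . $uid ) ) {
        wp_die( 'Request could not be verified.', '', array( 'response' => 403 ) );
    }
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'Not allowed.', '', array( 'response' => 403 ) );
    }
    $name = isset( $_POST['pet_name'] ) ? sanitize_text_field( wp_unslash( $_POST['pet_name'] ) ) : '';
    update_user_meta( $uid, 'pet_name', $name );
    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : home_url( '/' ) );
    exit;
}
// Only the logged-in hook is registered; admin_post_nopriv_pet_rename is deliberately absent,
// so anonymous submissions never reach the handler.
add_action( 'admin_post_pet_rename', 'pet_rename_handler' );

// 3. Caching: never let a page rendered for a logged-in member be stored by a shared cache,
//    which is the misconfiguration the reply warns about.
function pet_no_cache_for_members() {
    if ( is_user_logged_in() ) {
        nocache_headers(); // Cache-Control: no-cache, must-revalidate, max-age=0 plus Expires/Pragma
    }
}
add_action( 'send_headers', 'pet_no_cache_for_members' );
```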


This topic is closed to new replies. Topics with no replies for 2 weeks are closed automatically.
