Enabling Local Auth Only will direct Memberium to store passwords only in WordPress and not in Infusionsoft. This is more secure as passwords stored in WordPress are hashed (learn more) unlike how they are stored in Infusionsoft/Keap.
At the time of writing, this setting defaults to NO/OFF meaning Memberium uses the password stored in Infusionsoft to verify logins. i.e. when a user tries to log in, Memberium sees if the password they typed is the same one that is stored in Infusionsoft.
The downside to storing the password in Infusionsoft is that it is not encrypted or hashed – it is stored in plaintext meaning anyone can see the actual password. With people becoming more security conscious about their online accounts, it is important to make sure your membership site meets new standards. This post will show you how to enable Local Auth Only along with important considerations.
How Do I Enable Local Auth Only?
Enabling Local Auth Only is simple – in the WordPress Admin Dashboard, go to Memberium > Settings > Logins:
Look for the setting labeled “Secure Passwords / Local Auth Only” and switch it to YES.
You’ve now enabled the Local Auth Only feature. At this point, Memberium is no longer using Infusionsoft to authenticate members during login.
Remove the Existing Passwords in Infusionsoft
With the setting turned on, Memberium no longer uses the password field in Infusoinsoft for authentication. The field is still used when Memberium generates a password (for a new user through a campaign) this way you can email the password to the user. However, if a member changes their password, it won’t be updated in Infusionsoft.
Turning the setting on does not automatically delete the passwords out of Infusionsoft. Instead, you will need to run an update to clear that field for your members.
First, go to your Infusionsoft contacts page and select all of your contacts:
Next, click the “Actions” dropdown and select “Mass Update Contacts”
On the page, you will look for your password field. If you’re using the default field, it will be named “Password” – just click the checkbox and leave the text field next to it blank…
If you’re using a custom password field, it will be located at the bottom of the list. For example, mine is called “Memberium Password” – just click the checkbox and leave the text field next to it blank…
Lastly, at the very bottom, click the checkbox to allow blank values to clear the field and then process the update.
Once this has been processed, you’re all set and the old passwords will no longer be on the contact records.
With Local Auth Only On, How do I Generate Passwords?
When you generate a password in Infusionsoft using Memberium’s HTTP POST, Memberium will store that password in the password field you set in Memberium. This is the same field you just cleared above.
This password is also sent directly to WordPress where it is hashed and securely stored. The reason we put the generated password in Infusionsoft is so that you can email it to the new member in a welcome email. Otherwise, they wouldn’t be able to log in.
If the member ever changes their password, the new password will not be sent to Infusionsoft. Unless cleared, the generated password will remain in Infusionsoft regardless of what the member’s actual password may be.
With Local Auth Only On, How do Members Reset Their Passwords?
If a member forgets their password, they can reset it using the built-in WordPress reset functionality.
On your site, the reset form can be found here (replace yourdomain.com with your actual domain) yourdomain.com/wp-login.php?action=lostpassword
The bolded part of the URL is where you can find the default password reset form which looks similar to this:
Note that I’m using the BuddyBoss theme above. You can style the page using your theme or plugins such as LoginPress.
After the member resets their password, the new password will not be stored in Infusionsoft – only WordPress.
With Local Auth Only On, How do I Reset Member’s Passwords For Them?
There may be a time when you as the site admin need to reset a member’s password.
Resetting a password is simple. Remember, changing the password field in Infusionsoft will have no effect on the actual password. Instead, we have to change the password in WordPress.
Once you’re logged in as an admin, go to the main admin dashboard (/wp-admin) and click on the Users tab…
Search for the email of the member and then click on it. You will be taken to a screen like below.
Scroll down about halfway until you see the “Account Management” section and click on “Generate Password”
WordPress will generate a strong password for you. Copy that password somewhere if you want to use it. Otherwise, type in a custom password, scroll down to the very bottom of the page and select “Update” to save the new password.
That is all you have to do to reset someone’s password as an admin.
As intended, the new password will not be sent to Infusionsoft – it will only be stored in WordPress.