170

If you are not currently using WordPress credentials to sign in, you can safely ignore this post. Otherwise, read on...

Wordpress.com has retired OpenID support for blogs created after January 2, 2016. Blogs created before then should still be usable as OpenID credentials, but even then, the support has been getting more and more brittle over the years. In particular, if you have a custom domain for your wordpress.com blog, you can't use that blog to sign in to Stack Exchange. Why? Not entirely sure, to be honest. There's a redirect somewhere that's busted, and as far as I can tell the issue isn't on our end at this point.

With this in mind, we're removing the WordPress button from the login and signup UI to avoid even implying that WordPress is a viable option for signing in if you haven't already.

If you are currently able to log in using WordPress credentials, they will continue to work for as long as WordPress supports them. To log in with your existing WordPress credentials, enter your blog URL into the freeform OpenID field. I strongly encourage you to consider adding another credential as a backup option as well, or at least make sure you have a valid email set in your profile to enable account recovery.

These changes took effect on Monday, November 21, 2016, and are now live.

33
  • 58
    Are people actually using that? Can you share some statistics? Commented Nov 17, 2016 at 22:57
  • 35
    @PatrickHofman About 2000 or so network-wide who have nothing but WP creds and at least one Q&A profile. "Using" is a broad term, though. Most people kite the same session for years, so we can't quite skip the announcement just in case, and we get the occasional bug report.
    – Adam Lear StaffMod
    Commented Nov 17, 2016 at 22:58
  • 3
    And those are active users? Or just all that happen to have an account? Also, can't you send them a mail or private message? (Or do you do that too?) Commented Nov 17, 2016 at 22:59
  • 60
    @PatrickHofman An inbox notification to affected users linking to this post is gonna go out some time tomorrow.
    – Adam Lear StaffMod
    Commented Nov 17, 2016 at 23:08
  • 2
    @PatrickHofman "All that happen to have an account". I actually need to modify my query some to pull up people whose most recently used credential is a Wordpress blog. That'll still have some inactive accounts, but will also catch anyone (or no one :)) who added the credential recently and intended for it to be their primary.
    – Adam Lear StaffMod
    Commented Nov 18, 2016 at 6:35
  • 2
    Thanks WP, it finally had to go. I hope OpenID gets expired sometime, it's too unsafe.
    – EKons
    Commented Nov 18, 2016 at 12:41
  • 13
    "These changes will go into effect on Monday of next week, November 21." So, half a working day? 28 days' notice would be better, so that people have a chance to see this notice and add new credentials. Or am I missing something? Commented Nov 18, 2016 at 13:27
  • 5
    As there’s now one space free … can the Stack Exchange OpenID button come back?
    – unor
    Commented Nov 18, 2016 at 14:11
  • 21
    questions about wordpress are off-topic for MSE, voting to close ;) Commented Nov 18, 2016 at 14:44
  • 2
    @LightnessRacesinOrbit you will still be able to log in with the credentials using the freeform field. Commented Nov 18, 2016 at 15:18
  • 12
    @ΈρικΚωνσταντόπουλος Would you mind giving me a pointer to the types of security concerns that exist with OpenID? I'd like to know about that. (If not, I'll take a look for myself later when I have time.)
    – Jeremy
    Commented Nov 18, 2016 at 16:24
  • 4
    @AdamLear Thanks for the inbox notification for affected users. That was a really nice thing to do. I think that as I have a backup login set up, and as the Wordpress login will continue to work for the immediate future until Wordpress stops supporting it, there is no action I need to take right now, but I appreciate being informed about this change, thank you. Commented Nov 18, 2016 at 21:02
  • 7
    well, the only open source ID is gone. Hi Facebook and Google, you're my masters and I belong to you. Whatever I do is free for you to do whatever you want, dear binary god
    – Devin
    Commented Nov 19, 2016 at 20:33
  • 4
    @AndrewGrimm If this were a "you won't be able to log in at all" case, I'd agree. However, the currently working WordPress credentials will continue to work. This is more a UI change on our end than a deprecation, so I feel an email is excessive in this case.
    – Adam Lear StaffMod
    Commented Nov 20, 2016 at 3:58
  • 3
    I created my stackoverflow account using Wordpress open ID. Didn't need to change it. So I'm the one you are looking for :) Commented Nov 22, 2016 at 18:09

4 Answers

30

Based on the reasons given, it sounds like a reasonable step to remove WordPress as a standard selection option (although with a less than optimal short notice!).

However, having to type in something manually each time will be a pain, so I would suggest that you replace the button with a "My Favorite OpenID Provider" button, which then fills in a user configurable setting.

This will make the issue of What OpenID providers should we feature on the login page? much less of an issue because it would more or less only affect people using OpenID the very first time. This will benefit all non-default selection OpenID users, not just WordPress.

Logic something like the following:

if (login_method == openid && !user_settings.contains(favourite_openid_provider))
{
   // Ask only when no favourite has been saved yet
   answer = ask("Do you want to save " + sanitize(url) + " as your favorite...")
   if (answer == yes)
   {
       user_settings.save(favourite_openid_provider, url)
   }
}
10
  • 17
    Where exactly do you see that “favorite OpenID provider” setting stored? Because this is the login dialog, so you cannot have this stored in the user configuration you get access to after the login.
    – poke
    Commented Nov 19, 2016 at 19:02
  • 7
    @poke Cookie? Local storage?
    – D_4_ni
    Commented Nov 19, 2016 at 19:54
  • 3
    @D_4_ni So the same location the login session itself is stored..?
    – poke
    Commented Nov 19, 2016 at 20:00
  • 6
    @poke Yes, but obviously with a longer lifetime, and not cleared by a logout. I don't think there are better ways to store data about the user not sitting behind the login.
    – D_4_ni
    Commented Nov 19, 2016 at 20:05
  • 2
    @poke this can easily, but not altogether reliably, be solved with JavaScript's localStorage. Commented Nov 19, 2016 at 20:05
  • 2
    +1 Certainly something The Powers could consider, actually, independently of the WP login button removal.
    – yo'
    Commented Nov 20, 2016 at 22:47
  • I agree it would be nice to have this saved in a long-lived cookie on the client side. There should still be a way to override that stored cookie at login time. And if there is such an override, it may not even be necessary to ask at login time if the user wants to save it. It ought to be safe to save it without asking the user.
    – kasperd
    Commented Nov 26, 2016 at 15:01
  • Uncaught SyntaxError: Unexpected token { (expected a closing parentheses but found } instead)
    – cat
    Commented Nov 29, 2016 at 12:45
  • @cat Please improve the answer directly instead of just adding a comment.
    – hlovdal
    Commented Nov 29, 2016 at 12:48
  • @hlovdal It's one character (< 6) and my comment's glib anyways since it's pseudocode...
    – cat
    Commented Nov 29, 2016 at 13:22
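
The "favourite OpenID provider" idea from the answer and comments above, as an added example that is not part of the original posts or Stack Exchange's code: the URL is validated before it is saved and again when it is read back, since a cookie or localStorage entry can be changed by anything running in the browser. All function names and the storage key are hypothetical; `memoryStorage` stands in for `localStorage` so the block runs outside a browser.

```javascript
// Added example. All names are hypothetical, not Stack Exchange code.
const FAVOURITE_KEY = "favourite_openid_provider";
const MAX_URL_LENGTH = 2048;

// Returns a canonical http(s) URL string, or null if the input is unacceptable.
function normalizeOpenIdUrl(input) {
  if (typeof input !== "string" || input.length > MAX_URL_LENGTH) return null;
  let candidate = input.trim();
  if (candidate === "") return null;
  // Identifiers are often typed without a scheme; OpenID 2.0 normalization
  // prefixes "http://" in that case.
  if (!/^[a-z][a-z0-9+.-]*:\/\//i.test(candidate)) candidate = "http://" + candidate;
  let url;
  try { url = new URL(candidate); } catch { return null; }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  if (url.username || url.password) return null; // no embedded credentials
  url.hash = ""; // drop the fragment, as OpenID 2.0 normalization does
  return url.href;
}

// Stores the favourite only if it passes validation; returns whether it was stored.
function saveFavourite(storage, input) {
  const normalized = normalizeOpenIdUrl(input);
  if (normalized === null) return false;
  storage.setItem(FAVOURITE_KEY, normalized);
  return true;
}

// Re-validates on read: the stored value is untrusted client-side data.
function loadFavourite(storage) {
  const raw = storage.getItem(FAVOURITE_KEY);
  return raw === null ? null : normalizeOpenIdUrl(raw);
}

// A URL typed at login time overrides the stored favourite.
function chooseLoginUrl(storage, typed) {
  if (typeof typed === "string" && typed.trim() !== "") return normalizeOpenIdUrl(typed);
  return loadFavourite(storage);
}

// Minimal in-memory stand-in with the getItem/setItem shape of localStorage.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
  };
}
```
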
5

If you set up your account with WordPress OpenID like I did and want to create a regular Stack Exchange OpenID (a.k.a. "log in with email") for your account, follow these directions.

You can also follow these directions to add another OpenID, such as Google or Facebook, to your account.

Theoretically, you can have as many OpenIDs and email logins associated with your account as you want.

3

What about inferring the OpenID URL from the e-mail address itself?

When an e-mail [email protected] is entered, a request to the site is made in the background to see if the page includes the required OpenID elements, and if so, allow to use it right away by clicking on the login button without filling in the OpenID URL explicitly?

That would make it a lot easier to use a custom OpenID.

2
  • I'm not sure I follow. If you're going to type in your email, you might as well type in your OpenID? If I understand you right, this would also slow things down in most cases - where people log in with email and password - if we wait for the OpenID check. Or it'd be a usually wasted request if we don't wait. Most people don't sign in with their own custom OpenID domain. I'm also not sure that having an email address at the OpenID-providing domain is all that common?
    – Adam Lear StaffMod
    Commented Nov 25, 2016 at 19:18
  • 1
    @AdamLear this has the advantage of using a single field for both OpenID and SE account users. User types in e-mail -> check if OpenID and if so use that -> if no OID ask for password. Commented Nov 27, 2016 at 11:02
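
The check this answer proposes, sketched as an added example (not from the original posts or any Stack Exchange code): take the domain from the e-mail address and look in the fetched page's HEAD for the OpenID `link` elements. The function names, the sample page and the HTTPS-only policy are assumptions; the background fetch itself is left to the caller.

```javascript
// Added example. All names here are hypothetical; SAMPLE_HTML is constructed.
const OPENID_RELS = new Set([
  "openid2.provider", "openid2.local_id", // OpenID 2.0
  "openid.server", "openid.delegate",     // OpenID 1.1
]);

// "alice@example.net" -> "example.net"; null if no plausible domain part.
function domainFromEmail(email) {
  const at = email.lastIndexOf("@");
  if (at < 1 || at === email.length - 1) return null;
  const domain = email.slice(at + 1).toLowerCase();
  return /^[a-z0-9-]+(\.[a-z0-9-]+)+$/.test(domain) ? domain : null;
}

// Value of a quoted attribute inside one tag string, or null.
function attr(tag, name) {
  const m = new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)')`, "i").exec(tag);
  return m ? (m[1] !== undefined ? m[1] : m[2]) : null;
}

// html: page already fetched by the caller; baseUrl: where it was fetched from.
// A regex scan keeps the example short; production code should use an HTML parser.
function discoverOpenIdFromHtml(html, baseUrl) {
  // Only HEAD counts: links in the body may be user-supplied content.
  const headEnd = html.search(/<\/head\s*>|<body[\s>]/i);
  const head = headEnd === -1 ? html : html.slice(0, headEnd);
  const found = {};
  for (const tag of head.match(/<link\b[^>]*>/gi) || []) {
    const href = attr(tag, "href");
    if (!href) continue;
    for (const rel of (attr(tag, "rel") || "").toLowerCase().split(/\s+/)) {
      if (OPENID_RELS.has(rel) && !(rel in found)) found[rel] = href;
    }
  }
  const endpoint = found["openid2.provider"] || found["openid.server"];
  if (!endpoint) return null;
  let url;
  try { url = new URL(endpoint, baseUrl); } catch { return null; }
  if (url.protocol !== "https:") return null; // assumed policy: HTTPS endpoints only
  return { endpoint: url.href, localId: found["openid2.local_id"] || found["openid.delegate"] || null };
}

const SAMPLE_HTML = `<html><head><title>blog</title>
<link rel="openid2.provider openid.server" href="https://openid.example.net/server">
<link rel='openid2.local_id openid.delegate' href='https://alice.example.net/'>
</head><body><link rel="openid2.provider" href="https://other.example/"></body></html>`;
```
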
2

I guess 2000 people discovering the button for their login method (WordPress) is gone and not knowing how to work around that, and not knowing if that login method is just somehow no longer supported at all, could end up being a support issue.

I'd suggest that at least for a while (indefinitely), add a note (and link) below the remaining login buttons like: "Looking for the WordPress OpenID login button? Click here for the story".

2
  • I've "kited" my OpenID session for years it seems. I signed up for SO when it opened, and at the time my thoughts were "oh dog, not another login/password combo to keep track of", so I went with my old WP account. So no, I wouldn't have noticed for ages that the login method had disappeared, I guess until I logged in from a new computer.
    – dland
    Commented Dec 4, 2016 at 11:32
  • Oh and thanks admins for the message in my Inbox, well played.
    – dland
    Commented Dec 4, 2016 at 11:33
