BuddyPress.org

@dangthrimble – no matter what you do to hide the admin username, the really good hack teams are running scans to get the admin names by running url checks like “yourdotcom /?author=2
?author=3

and scraping the details wp is providing both on page, and in meta fields.
Then adding those names to their pass cracking bot nets.
(look in your raw access logs, you will see it)

I’ve tried changing names on wp sites many times, the rssn hackers get getting the new names, you can tell if you check your fail log with “limit login attempts” plugin.

I’ve played with some code to change in wp themes to hide details there, but my php is slightly below beginner and my understanding of what the theme code is doing is same.

I tried a plugin from the wp-repo that is supposed to hide all that- but it’s not working.

(you could htaccess geo block ukrain and chna from your site completely and probably prevent 90% of these issues anyway from what I have seen by checking logs)

I found some htaccess someone posted that is supposed to suppress all requests for “/?auth [nc] or something like that – but since I do not understand what each part is doing, I have not deployed it.

I think it needs to be htaccess add and include anything with “author” and a number to work well (reg ex for numbers?)

Until I find a htaccess regex method I understand and trust, I have found that the best combo for prevention is:

Geo IP Block
(https://wordpress.org/plugins/ip-geo-block/ )
(default settings are okay, I think it’s best to change the drop downs to block by country the plugins area, theme area, admin ajax, etc as well – options in settings
Also some blogs may want to uncheck the “comment post” block by country
)

If this geoip block plugin author had a donate link I’d already sent him some bucks, it’s the most useful plugin I’ve found since… “good question”

and succuri is an informative add on as well
(shows that some bots have figured out how to bypass the limit login attempts max tries setting)

The way WP is handling question marks in urls (string queries I think it’s called) and giving up 200 status codes and extra info (including author names) to bots is a big issue for me, this kind of relates to the unanswered support question I posted here:
https://wordpress.org/support/topic/question-mark-url-return-200-not-404-string-query-noindex-or?replies=1

Right, I’m with you.

After this line in the plugin

echo 'Shared successfully to your Home Place with tags: '.$tags;

Can you add this?

do_action( 'newsbaby_after_insert_post', $post_id );

Then change my code you added to functions.php to:

function valuser_add_new_post_activity( $post_id ) {
    $post = get_post( $post_id );
    $user = get_userdata( $post->post_author );

    $args = array(
        'user_id' => $post->post_author,
        'action' => $user->user_login . ' published ' . $post->post_title,
        'component' => buddypress()->blogs->id,
        'type' => 'new_blog_post',
        'item_id' => get_current_blog_id(),
        'secondary_item_id' => $post->ID,
        'recorded_time' => bp_core_current_time(),
        'hide_sitewide' => false
    );
    bp_activity_add( $args );
}
add_action( 'newsbaby_after_insert_post', 'valuser_add_new_post_activity' );

That should do it 🙂

Try adding this to your theme’s functions.php file:

function valuser_add_new_post_activity( $ID, $post ) {

    $user = get_userdata( $post->post_author );

    $args = array(
        'user_id' => $post->post_author,
        'action' => $user->user_login . ' published ' . $post->post_title,
        'component' => buddypress()->blogs->id,
        'type' => 'new_blog_post',
        'item_id' => get_current_blog_id(),
        'secondary_item_id' => $post->ID,
        'recorded_time' => bp_core_current_time(),
        'hide_sitewide' => false
    );
    bp_activity_add( $args );
}
add_action( 'publish_post', 'valuser_add_new_post_activity', 10, 2 );

That’s how I’d add new blog posts to the activity stream. I’ve hooked bp_activity_add() to the published_post action which will fire each time a new post is added to the database.

Please note I haven’t tested.

I read another solution here

1. Install and activate this plugin https://wordpress.org/plugins/wp-exec-php/

2. Create a new page called “Friends” or whatever name you want and add it to your menu.

3. In content of this page, add this code

<meta http-equiv=”refresh” content=”0;URL=http://blabla.com/members/<?php global $current_user;
get_currentuserinfo();

echo sanitize_file_name($current_user->user_login). “”;

?>/activity/friends/”>

4. You may still need a way to hide this menu from logged out users. Plugin https://wordpress.org/plugins/if-menu/

Is there an easy way to do this?

Yes. You can do this quite easily.

1. Choose a Facebook login plugin from the WP plugin repo:

https://wordpress.org/plugins/

Maybe try searching for 'social login'

2. Hide the BuddyPress registration form

Most of wordpress plugins mentions above work like

Attacker > HTTP server > PHP > WordPress > PLUGINS

We all need to have something before WordPress that’s why I recommend

NinjaFirewall (I do not have any relation with the plugin creator)

https://wordpress.org/plugins/ninjafirewall/

Block the attacker before the WordPress

Attacker > HTTP server > PHP > NinjaFirewall > WordPress > PLUGINS

As always in installing any plugins that possibly can block your admin access you have to read the Installation note and have access to the FTP.

NinjaFirewall will work as another layer to protect your site.

In addition if you have not done it:

1. Change your “Admin” username to something dificult and at least 10 characters (+) but easily to remember (+ for you – for security) or you have to read a note (-) safely secured in your safe locker (+)
2. Make your password at least 25 COMBINATION of characters (+) but easily to remember (+ for you – for security) or you have to read a note (-) safely secured in your safe locker (+)

NinjaFirewall:

• Web Application Firewall
• Full standalone web application firewall
• Multi-site support
• Compatible with shared hosting accounts
• Protects against RFI, LFI, XSS, code execution, SQL injections, brute
• force scanners, shell scripts, backdoors and many other threats
• Scans and/or sanitises GET / POST requests, HTTP / HTTPS traffic, cookies, server variables (HTTP_USER_AGENT, HTTP_REFERER, PHP_SELF, PATH_TRANSLATED, PATH_INFO)
• Sanitises variables names and values
• Advanced filtering options (ASCII control characters, NULL byte, PHP built
• in wrappers, base64 decoder)
• Blocks username enumeration scanning attempts through the author archives and the login page
• Blocks/allows uploads, sanitises uploaded file names
• Blocks suspicious bots and scanners
• Hides PHP error and notice messages
• Blocks direct access to PHP scripts located inside specific directories
• Whitelist option for WordPress administrator(s), localhost and private IP address spaces
• Configurable HTTP return code and message
• Rules editor to enable/disable built-in security rules
• Activity log and statistics
• Debugging mode

@pjbursnall , I wouldn’t say that it is pretty easy here

<?php global $current_user;
		get_currentuserinfo();
		$display = $current_user->display_name;
		$login = $current_user->user_login;
		$userid = $current_user->ID;
                $home = get_home_url();
?>

add that above your custom drop-down then its pretty simple just echo out the username, url etc <li class="li-fourth"><a href="<?php echo $home . '/members/' . $login . '/activity/mentions'; ?>">Mentions</a></li>

EDIT –

Oh the other bit you’d have to google for is the avatar but here
<?php echo bp_core_fetch_avatar( array('item_id' => $userid, 'type' => 'full', 'width' => 100,'height' => 100));?>
You’ll want to adjust the width/height accordingly

@pjbursnall Personally I think buddypress should disable admin access anyway as most users don’t want it but that is neither here nor there. Recreating the admin bar is pretty easy, you need to know some css, html and a few bp functions to get the current users details like username etc, as for the notifications @modemlooper or @mercime posted this a while back (my apologies for not remembering which).

function bp_notification_badge() {
	if ( is_user_logged_in() ) {
	global $current_user;
	get_currentuserinfo();
			$notifications = bp_core_get_notifications_for_user( bp_loggedin_user_id() );
				if ( empty($notifications)) {
				echo '<li class="li-first" id="li-first-right"><a href="' . get_home_url() . '/members/' . $current_user->user_login . '"><span class="circle-zero">0</span></a><ul class="second-level" id="second-level-right"><li class="li-second"><a href="' . get_home_url() . '/members/' . $current_user->user_login . '">No new notifications!</a></li></ul></li>';
				} else {
						echo '<ul class="second-level" id="second-level-right">';
					$counter = 0;
						for ( $i = 0; $i < count($notifications); $i++ ) {
						$badge = count($notifications);
						echo '<li class="li-third">'.$notifications[$i].'</li>';		
						}
				echo '</ul>';
				echo '<a href="' . get_home_url() . '/members/' . $current_user->user_login . '"><span class="circle-badge">'.$badge.'</span></a>';
			}
	}
}

As for actually disabling the admin bar + backend that can be done with a plugin, plenty of them just google.

The general idea would be to add something like this directly after bp_the_member() in members-loop.php

$days_since_last_login;

if ( $days_since_last_login > 60 ) continue;

You just need to find out how to get the number of days since last login.

You can download a plugin like Theme My Login — it automatically redirects logged out/non-registered users to a log-in page with your site’s style.

Hey,

If you go to Dashboard Settings > Buddypress > Settings, then the first option is ‘Show the Toolbar for logged out users’. Just uncheck it.

My theme is also has a setting for the login toolbar, so you may want to check out your theme settings.

I hope it helps!

@giannisff

I like the look and layout of your site. I especially like the show/hide login form at the top. Is that a plugin?

hide with css or remove html from sidebar.php

Default CSS around line 151. Height change from 126px to 0. That will get rid of the header with the menu. You might have to play a little with the size to make sure your login and logo fit ok.

@aldereteka,

No !

But why do you want to retro pedaling ? Those buttons are not visible for visitors. Reverting this just to redirect them to the login page and hoping they come back after registering is fussy !

I would suggest you to write a short message like:

<?php if ( !is_user_logged_in()  ) : ?>

<div>If you were logged in you could send a message to this member. </div>

<?php endif; ?>