Hiding user names in members list for non-logged-in visitors
-
On my site, I regularly get attempts to log in with user name admin. Presumably, bots trying it on. I have no user name admin for that reason.
Recently, there are malicious attempts about every minute to log on using actual user names. They get locked out after three tries but I cannot be sure some users have guessable passwords, although I try to prevent that when a password is changed.
I guess the user names are leaking through the public version of the members’ directory. You can see that here. This public page contains links in the avatar and user handle which contain the member’s user name. I want to retain this publicly viewable directory but need to remove the links when the visitor is not logged on.
I have my own custom plugin that hooks onto ‘bp_directory_members_item’ and which displays the summary data you can see. Logged-in members see more detail than public visitors.
I am looking for a way to filter the avatar and displayed name in which I could remove the links to the member’s profile and just display the image and the display name as text, thus hiding the member’s user name.
Some users have their recent activity displayed and this has a view link to the activity. Although this link is anonymous, if it is followed, it also gives away the user name. Simplest would be to remove the View link for non-logged-in members.
Any pointers or advice will be gratefully received.
WP v5.5.3
BP v6.3.0
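One way to do what the post asks for, as an added example that is not part of the original thread and not BuddyPress's own code. It assumes BuddyPress 6.x still applies the filters `bp_get_member_permalink`, `bp_get_member_link`, `bp_get_member_avatar` and `bp_get_member_latest_update` in the members loop, and that the "View" link is wrapped in a `span.activity-read-more`; the plugin header and function names are the example's own.

```php
<?php
/**
 * Plugin Name: Hide member profile links from visitors (added example)
 *
 * Example code written for this thread, not shipped by BuddyPress.
 * Assumed BP 6.x filter names: bp_get_member_permalink, bp_get_member_link,
 * bp_get_member_avatar, bp_get_member_latest_update.
 */

// Visitors only: strip <a ...>...</a> wrappers but keep what was inside
// (the avatar <img> or the display name text). Members keep the links.
function visitor_unwrap_anchor_tags( $html ) {
    if ( is_user_logged_in() ) {
        return $html;
    }
    return preg_replace( '#<a\b[^>]*>(.*?)</a>#is', '$1', $html );
}
add_filter( 'bp_get_member_link',   'visitor_unwrap_anchor_tags', 20 );
add_filter( 'bp_get_member_avatar', 'visitor_unwrap_anchor_tags', 20 );

// Theme templates (e.g. members-loop.php) hard-code the avatar link with
// bp_member_permalink(), which no output filter above can reach. Filtering
// the permalink itself so it no longer carries /members/<username>/ covers
// those links too: visitors are sent back to the directory instead.
function visitor_member_permalink( $permalink ) {
    if ( is_user_logged_in() ) {
        return $permalink;
    }
    return bp_get_members_directory_permalink();
}
add_filter( 'bp_get_member_permalink', 'visitor_member_permalink', 20 );

// Latest activity snippet: remove the "View" link for visitors, then unwrap
// any remaining anchors (e.g. @mentions) so no profile URL is left behind.
function visitor_hide_activity_view_link( $update_content ) {
    if ( is_user_logged_in() ) {
        return $update_content;
    }
    // Assumed markup: <span class="activity-read-more"><a href="...">View</a></span>
    $update_content = preg_replace( '#<span class="activity-read-more">.*?</span>#is', '', $update_content );
    return visitor_unwrap_anchor_tags( $update_content );
}
add_filter( 'bp_get_member_latest_update', 'visitor_hide_activity_view_link', 20 );
```

Because the original post's summary markup comes from a custom plugin hooked on `bp_directory_members_item`, that plugin should either call `visitor_unwrap_anchor_tags()` on its own output or check `is_user_logged_in()` before wrapping the avatar and name in a link. After activating, view the directory in a private browser window and search the page source for `/members/` to confirm no profile paths remain.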
-
Hi,
I have the same concern.
Particularly since WP uses the ‘username’ as a unique id and a login. Meaning it’s not only shown in profiles and BP member information, it’s also used in URL paths like member and author links. Not to mention individual plugins and themes might directly reference and use ‘username’ in ways you might not anticipate, which would mean lots of audits of all the themes, plugins and updates you use on the site, and a huge testing effort.
It seems to me that trying to shut down all those threats is time consuming, exhausting and prone to mistakes.
Why not just use ‘username’ as a unique id and turn off the ability to login by ‘username’. That way if ‘username’ is plastered all over the place, it does not matter so much — as it cannot be used to login and access data.
I certainly hope WP is working on a solution to fix this issue, which I see as a security issue. (As in, you need two pieces of data to log in: username and password. Publicly providing one of those pieces of data (the username) severely increases security risk, problems, and issues.)
In the meantime,
I used hook action wp_authenticate to do my own login (that does not use the unique id ‘username’ ).
For more information on that hook action see https://developer.wordpress.org/reference/hooks/wp_authenticate/
Depending on where you put the ‘wp_authenticate’ solution this change can survive updates without reapplication.
To be even more complete you can turn it off in the WordPress code, which would mean your changes would have to be reapplied after updates.
bump
Was there any solution to this?
No resolution I have heard of. It would be complicated.
I have adopted a work-around, which is to allow login by email address only. That way, leaking the user name is no longer a security risk.
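The email-only login described in the last post, and the `wp_authenticate` action mentioned earlier in the thread, as an added example that is neither poster's actual code. It relies on two things in WordPress core: both `wp_authenticate_username_password` and `wp_authenticate_email_password` are attached to the `authenticate` filter at priority 20, and `wp_authenticate()` fires the `wp_authenticate` action with the username passed by reference. The plugin header and the generic error text are the example's own.

```php
<?php
/**
 * Plugin Name: Email-only login (added example)
 *
 * Example code written for this thread, not from either poster.
 * Works for wp-login.php and XML-RPC alike, since both call wp_authenticate().
 */

// 1. Drop the username+password authenticator; the email+password one remains.
//    Core registers both on 'authenticate' at priority 20 before plugins load,
//    so removing it at plugin load time is sufficient.
remove_filter( 'authenticate', 'wp_authenticate_username_password', 20 );

// 2. Belt and braces: blank out anything that is not an email address before
//    core performs any lookup. A submitted user name then never reaches the
//    database and core returns its normal "empty" login error.
function email_only_login_reject_usernames( &$username ) {
    if ( '' !== $username && ! is_email( $username ) ) {
        $username = '';
    }
}
add_action( 'wp_authenticate', 'email_only_login_reject_usernames', 10, 1 );

// 3. Relabel the login form so members know what to type.
function email_only_login_label( $translated, $text ) {
    if ( 'Username or Email Address' === $text ) {
        return 'Email Address';
    }
    return $translated;
}
add_filter( 'gettext', 'email_only_login_label', 10, 2 );

// 4. A single generic message on failure, so a failed attempt does not reveal
//    whether the email address exists (the same leak the thread is closing
//    for user names, but for addresses).
function email_only_login_generic_error( $error ) {
    return 'Login failed. Please check your email address and password.';
}
add_filter( 'login_errors', 'email_only_login_generic_error' );
```

After activating, try logging in with a known user name and the correct password: it must fail, while the same account's email address and password must succeed. Keep an eye on the lockout plugin's log afterwards; the automated attempts with user names should all show as failures without any lookup having occurred.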