BeTheme is leaking author-login in class names

BeTheme is leaking blog authors' login name. I think this is a security problem. 

My only blog which has BeTheme is regularly brute force attacked daily by bots. One of my friends has the same problem. We discovered that BeTheme uses author login name in classes and bots get the author names and try to guess weak passwords.

Can you please change this behavior removing author login from classes and adding user-ID or author display name or some other information there?

Cheers,

Comments

  • edited December 2016
    Hi,

    For example: in the includes/content-post.php

    line 40:

    $post_class[] = 'author-'. mfn_slug( get_the_author_meta( 'user_login' ) );

    this class is added as author-username to blog page classes
  • edited December 2016
    Hi,

    So user name to login should be displayed like in:


    <div class="post-item isotope-item clearfix author-admin post-175 post type-post status-publish format-standard has-post-thumbnail hentry category-motion category-photography category-uncategorized tag-eclipse tag-grid tag-mysql">

    This way every user's login id is open to the public if they posted once.
  • There are not many ways hackers get the right username unless a theme developer does what you do and I won't bother too much about this as I already fixed your mistake for my and my friend's blogs and wanted to warn you. However, this is not related to WordPress, this is happening just because of this useless code you have in your theme:

    $post_class[] = 'author-'. mfn_slug( get_the_author_meta( 'user_login' ) );


    Cheers,
  • We are also concerned that Author in blogs is showing username instead of name.
    In users, there are username and name fields. 
    You should display author as name and NOT as username. 
    Can this please be fixed? 
    Thank you. 
  • Hi 
    Sorry, I see that we can choose how to display with "Display name publicly as" option. 
    This is fine. Thank you again. 
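
The change requested in the opening post, as an added example that is not BeTheme's own code and not from any poster in this thread: the `content-post.php` line quoted above next to a version that emits the numeric user ID, plus a child-theme fallback. The `example_` function name is hypothetical, and the fallback assumes the theme's class list passes through WordPress's `post_class()` / `get_post_class()`.

```php
<?php
// Added example, not BeTheme code. The example_ function name is hypothetical.

// 1) Direct fix in includes/content-post.php.
// Before (the line quoted in the thread, which exposes the login name):
//   $post_class[] = 'author-'. mfn_slug( get_the_author_meta( 'user_login' ) );
// After (exposes only the numeric user ID):
//   $post_class[] = 'author-' . (int) get_the_author_meta( 'ID' );

// 2) Child-theme or plugin fallback that survives theme updates.
// Assumption: the theme's classes go through post_class() / get_post_class(),
// so the core 'post_class' filter receives them before they are printed.
function example_replace_author_login_class( $classes, $extra, $post_id ) {
    $post = get_post( $post_id );
    if ( ! $post ) {
        return $classes; // Nothing to rewrite without a post object.
    }

    // Class that is safe to publish: the author's numeric ID.
    $safe = 'author-' . (int) $post->post_author;

    $out = array();
    foreach ( $classes as $class ) {
        // Replace every author-* token, whatever slug function produced it.
        $out[] = ( 0 === strpos( $class, 'author-' ) ) ? $safe : $class;
    }

    // Drop duplicates in case the ID-based class was already present.
    return array_values( array_unique( $out ) );
}
add_filter( 'post_class', 'example_replace_author_login_class', 20, 3 );
```

To confirm the change, view the source of a blog listing page: the `post-item` div shown in the thread should carry `author-` followed by a number instead of `author-admin`.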