BeTheme is leaking author-login in class names

BeTheme is leaking blog authors' login names. I think this is a security problem.

My only blog that uses BeTheme is brute-force attacked daily by bots. One of my friends has the same problem. We discovered that BeTheme uses the author login name in classes, and bots get the author names and try to guess weak passwords.

Can you please change this behavior by removing the author login from classes and adding the user ID, the author display name or some other information there instead?

Cheers,

Comments

  • Hi,

    we did check our Muffin Login widget already and, as you can see on http://pasteboard.co/6tSAygl1r.png, we didn't find anything like that.
  • edited December 2016
    Hi,

    For example, in includes/content-post.php, line 40:

    $post_class[] = 'author-'. mfn_slug( get_the_author_meta( 'user_login' ) );

    this class is added as author-username to the blog page classes
  • But this is how WordPress works by default. Please just take a look at http://pasteboard.co/ECKAMeWj.png and see how it works when the default WP theme is active. For more details about this function, please visit https://codex.wordpress.org/Function_Reference/get_author_posts_url
  • edited December 2016
    Hi,

    So the login user name should be displayed like this:

    <div class="post-item isotope-item clearfix author-admin post-175 post type-post status-publish format-standard has-post-thumbnail hentry category-motion category-photography category-uncategorized tag-eclipse tag-grid tag-mysql">

    This way every user's login id is open to the public if they posted once.
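The markup quoted above is what a bot scrapes to build its username list, and the same check works for an administrator who wants to confirm whether a site (with BeTheme or with the default theme) still exposes login names after a change. The following is an added example for this thread, not code from BeTheme or WordPress: it parses rendered HTML with the Python standard library and collects author slugs from two places, `author-<slug>` CSS classes on post containers (the BeTheme behaviour quoted above) and `/author/<slug>/` archive links (the WordPress-generated URLs the theme vendor points to). Purely numeric slugs are treated as user IDs and not reported. The sample HTML, the `example.com` host and the `known_logins` list are constructed for the example.

```python
"""Audit rendered WordPress HTML for author identifiers that double as login names.

Added example for this thread; not code from BeTheme or WordPress. It scans page
markup for two places a login name tends to surface:

  1. CSS classes of the form ``author-<slug>`` on post containers, and
  2. author archive links of the form ``/author/<slug>/``.

The sample HTML and the list of known logins below are constructed for the example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# A slug is what mfn_slug()/sanitize_title would leave: lowercase letters, digits, - and _.
CLASS_RE = re.compile(r"^author-(?P<slug>[a-z0-9_-]+)$", re.IGNORECASE)
ARCHIVE_RE = re.compile(r"^/author/(?P<slug>[^/]+)/?$")


class AuthorSlugCollector(HTMLParser):
    """Collect candidate author slugs from class attributes and author archive links."""

    def __init__(self):
        super().__init__()
        self.from_classes = set()
        self.from_links = set()

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag and attribute names for us.
        for name, value in attrs:
            if value is None:
                continue
            if name == "class":
                for cls in value.split():
                    m = CLASS_RE.match(cls)
                    if m:
                        self.from_classes.add(m.group("slug"))
            elif name == "href" and tag == "a":
                m = ARCHIVE_RE.match(urlparse(value).path)
                if m:
                    self.from_links.add(m.group("slug"))


def extract_author_slugs(html):
    """Return the set of non-numeric author slugs exposed in the markup.

    A purely numeric slug is a user ID (e.g. ``author-42``) and is not reported,
    since the ID alone does not tell a brute-forcer which login name to try.
    """
    p = AuthorSlugCollector()
    p.feed(html)
    p.close()
    return {s for s in p.from_classes | p.from_links if not s.isdigit()}


def leaked_logins(html, known_logins):
    """Intersect the exposed slugs with the site's real login names.

    ``known_logins`` stands in for the user_login column an administrator would
    export from wp_users; here it is a constructed list.
    """
    exposed = {s.lower() for s in extract_author_slugs(html)}
    return sorted(login for login in known_logins if login.lower() in exposed)


# Constructed sample: the div quoted in the thread, an author archive link, and a
# post whose class carries the numeric user ID instead of the login.
SAMPLE_HTML = """
<div class="post-item isotope-item clearfix author-admin post-175 post type-post
 status-publish format-standard has-post-thumbnail hentry category-motion">
  <a href="https://example.com/author/jsmith/">Posted by J. Smith</a>
</div>
<div class="post-item author-42 post-176 post type-post status-publish"></div>
"""

if __name__ == "__main__":
    print(extract_author_slugs(SAMPLE_HTML))                             # {'admin', 'jsmith'}
    print(leaked_logins(SAMPLE_HTML, ["admin", "jsmith", "editor42"]))  # ['admin', 'jsmith']
```

Run it against a saved copy of a public blog page (for example `curl -s https://your-site/ > page.html`) and pass the file contents to `leaked_logins` together with the site's real user_login values; an empty result means neither the theme classes nor the archive links on that page name a login. The numeric-ID exclusion only helps if the archive URL itself is not built from the login: WordPress derives `/author/<slug>/` from the user's nicename, which equals the login unless it has been changed, so changing the class alone leaves that path to check.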
  • There are many other ways for hackers to get the right username, and we won't bother too much about this. The most important thing is still to get the password. However, if in your opinion this should be changed, you should drop your feedback to the WordPress authors directly, because we have no influence on this.
  • There are not many ways hackers get the right username unless a theme developer does what you do, and I won't bother too much about this as I already fixed your mistake for my and my friend's blogs and wanted to warn you. However, this is not related to WordPress; this is happening just because of this useless code you have in your theme:

    $post_class[] = 'author-'. mfn_slug( get_the_author_meta( 'user_login' ) );
    Cheers,
  • We suggest switching to the default WP theme, and you will see that it looks the same. We can remove it from the theme of course, but it won't change anything because there would still be pages auto-generated by WordPress that have username logins. So, like we said, removing the above code won't change anything at all.

    Did you see the screenshot we sent you above from the default WP theme, http://pasteboard.co/ECKAMeWj.png ? If you saw it, you can see that username logins are auto-generated by WordPress itself.
  • We are also concerned that Author in blogs is showing the username instead of the name.
    In Users, there are username and name fields.
    You should display the author as the name and NOT as the username.
    Can this please be fixed?
    Thank you.
  • Hi
    Sorry, I see that we can choose how to display it with the "Display name publicly as" option.
    This is fine. Thank you again.