Support Center Visit Demo License manager Buy @ envato

BeTheme is leaking author-login in class names

boraaboraa
in General info & installation
BeTheme is leaking blog authors' login name. I think this is a security problem. 

My only blog which has BeTheme is regularly brute force attacked daily by bots. One of my friends has the same problem. We discovered that BeTheme uses author login name in classes and bots get the author names and try to guess weak passwords.

Can you please change this behavior removing author login from classes and adding user-ID or author display name or some other information there?

Cheers,

Comments

  • AlbertAlbert
    Hi,

    we did checked our Muffin Login widget already and as you can see on http://pasteboard.co/6tSAygl1r.png we didn't found anything like that.
    Learn more: Video Tutorials | How To | FAQ Vote on what comes next
  • boraaboraa
    edited December 2016
    Hi,

    For example: in the includes/content-post.php

    line 40:

    $post_class[] = 'author-'. mfn_slug( get_the_author_meta( 'user_login' ) );

    this class is added as author-username to blog page classes
  • AlbertAlbert
    But this is how WordPress works by default. Please just take a look at http://pasteboard.co/ECKAMeWj.png and see how it works when default WP theme is active. For more details about this function, please visit https://codex.wordpress.org/Function_Reference/get_author_posts_url
    Learn more: Video Tutorials | How To | FAQ Vote on what comes next
  • boraaboraa
    edited December 2016
    Hi,

    So user name to login should be displayed like in:


    <div class="post-item isotope-item clearfix author-admin post-175 post type-post status-publish format-standard has-post-thumbnail hentry category-motion category-photography category-uncategorized tag-eclipse tag-grid tag-mysql">

    This way every user's login id is open to the public if they posted once.
  • AlbertAlbert
    There is many other ways for hackers to get the right username and we won't bother to much about this. The most important is still to get password. However, if in your opinion, this should be changed, you should drop your feedback to WordPress author directly because we have no influence on this.
    Learn more: Video Tutorials | How To | FAQ Vote on what comes next
  • boraaboraa
    There are not many ways hackers get the right username unless a theme developer does what you do and I won't bother too much about this as I already fixed your mistake for my and my friend's blogs and wanted to warn you. However, this is not related to WordPress, this is happening just because of this useless code you have in your theme:

    $post_class[] = 'author-'. mfn_slug( get_the_author_meta( 'user_login' ) );


    Cheers,
  • AlbertAlbert
    We suggest to switch to the default WP theme and you will see that it looks the same. We can remove it from theme of course but it won't change anything because there still would be pages auto-generated by WordPress that has username logins. So like we said, above code removal, won't change anything at all.

    Did you saw the screenshot we sent you above from default WP theme http://pasteboard.co/ECKAMeWj.png ? If you saw it, you can see that username logins are being auto-generated by WordPress itself.
    Learn more: Video Tutorials | How To | FAQ Vote on what comes next
  • DavidB2018DavidB2018
    We are also concerned that Author in blogs is showing username instead of name.
    In users, there are username and name fields. 
    You should display author as name and NOT as username. 
    Can this please be fixed? 
    Thank you. 
  • DavidB2018DavidB2018
    Hi 
    Sorry, I see that we can choose how to display with "Display name publicly as" option. 
    This is fine. Thank you again. 
Sign In or Register to comment.