How do explain that I login as a user A and get the profile of user B (a random fake user) ?
Besides, I want to disable loggin in from Forum, as it by-passes my subscriptions.
This smells like a caching issue?
This is a cache issue for sure. Have you excluded the forum page from your cache plugin properly? This is the instruction topic: https://wpforo.com/community/faq/wpforo-and-cache-plugins/
thank you for your patience. I don't use cache plugins so I cleared it via the Forum dashboard and the problem seems solved, i.e. logged in user now sees his account and not someone else's (though they are all fake accounts). 😀
@agendavolo You may not run any caching plugins but your hoster may run one (server wide).
I still think that something is wrong. My analytics shows tons of people viewing pages like this:
mydomain/forum/?foro=signin&redirect_to=/forum/profile/name-surname/
I need a clarification:
1) who is scanning like that? Is it a robot/google or real people?
2) whoever it is, how can they check name-surname which is fully hidden and the site has not launched?
This is not a scan. When you click on login or register menu, it goes to login/register page with such URL syfix: ?foro=signin&redirect_to=http:// example.com/your/current/page/in/forum/. The URL contains information (page URL) for back redirection. So once you've successfully login or registered, it'll redirect you back to your initial page/topic/forum where you was before clicking the login/register button.
@robert I understand that the flow is correct. But we are talking about some name-surname that should not be visible at all. And if no one is registering/logging, how can it be that such URLs are detected by my site analytics? I mean, I have different IPs from all over my country showing that URL, each with a different name-surname. This cannot be normal.
WpForo is working but I need to understand what's going on.
@agendavolo Not sure why this bothers you so much, still the only way to find out and clear this, is to check your website RAW LOGS, find the IPs and see what this IP is.
A search bot, a bad bot, a user? Whatever it is. The IP will reveal what it is.
There is no other way.
@dimalifragis it bothers me for a simple reason: privacy and hackers. I have set fake users (real names, no other data) for internal database reasons, but if a real person finds that he is registered to a forum he never signed on of course he will not be happy. So, my analytics do show that Mr X discovers his name in my forum. I don't know how he does it but he does.
Besides that leaves a question open, that there is some leakage from the forum. Otherwise where can Mr. X read his name from... if even Admin cannot? How can you find a URL if even Admin gets a 404?
I don't understand how you guys think this is all normal. I don't see it that way.
@agendavolo Your statistics will solve the mystery. Find the IP from stats or from your raw logs. Why don't you do that?
There is not security issue or leak as you suggest in wpForo.
