wpForo 1.x.x [Solved] Fake users still creating issues

12 Posts
4 Users
0 Reactions
1,540 Views
Posts: 57
Topic starter
(@agendavolo)
Trusted Member
Joined: 8 years ago

How do you explain that I log in as user A and get the profile of user B (a random fake user)?

Besides, I want to disable logging in from the Forum, as it bypasses my subscriptions.

11 Replies
dimalifragis
Posts: 2611
(@dimalifragis)
Famed Member
Joined: 5 years ago

This smells like a caching issue?

Robert
Posts: 10590
Admin
(@robert)
Support Team
Joined: 9 years ago

@agendavolo,

This is a cache issue for sure. Have you excluded the forum page from your cache plugin properly? This is the instruction topic: https://wpforo.com/community/faq/wpforo-and-cache-plugins/

Posts: 57
Topic starter
(@agendavolo)
Trusted Member
Joined: 8 years ago

Thank you for your patience. I don't use cache plugins so I cleared it via the Forum dashboard and the problem seems solved, i.e. the logged-in user now sees his account and not someone else's (though they are all fake accounts). 😀

1 Reply
dimalifragis
(@dimalifragis)
Joined: 5 years ago

Famed Member
Posts: 2611

@agendavolo You may not run any caching plugins but your hoster may run one (server wide).

Posts: 57
Topic starter
(@agendavolo)
Trusted Member
Joined: 8 years ago

I still think that something is wrong. My analytics shows tons of people viewing pages like this:

mydomain/forum/?foro=signin&redirect_to=/forum/profile/name-surname/

I need a clarification:

1) who is scanning like that? Is it a robot/google or real people?

2) whoever it is, how can they check name-surname which is fully hidden and the site has not launched?

5 Replies
Robert
Admin
(@robert)
Joined: 9 years ago

Support Team
Posts: 10590

@agendavolo,

This is not a scan. When you click on the login or register menu, it goes to the login/register page with such a URL suffix: ?foro=signin&redirect_to=http://example.com/your/current/page/in/forum/. The URL contains information (page URL) for back redirection. So once you've successfully logged in or registered, it'll redirect you back to your initial page/topic/forum where you were before clicking the login/register button.

(@agendavolo)
Joined: 8 years ago

Trusted Member
Posts: 57

@robert I understand that the flow is correct. But we are talking about some name-surname that should not be visible at all. And if no one is registering/logging, how can it be that such URLs are detected by my site analytics? I mean, I have different IPs from all over my country showing that URL, each with a different name-surname. This cannot be normal.

WpForo is working but I need to understand what's going on.

dimalifragis
(@dimalifragis)
Joined: 5 years ago

Famed Member
Posts: 2611

@agendavolo Not sure why this bothers you so much, still the only way to find out and clear this, is to check your website RAW LOGS, find the IPs and see what this IP is.

A search bot, a bad bot, a user? Whatever it is. The IP will reveal what it is.

There is no other way.

(@agendavolo)
Joined: 8 years ago

Trusted Member
Posts: 57

@dimalifragis it bothers me for a simple reason: privacy and hackers. I have set fake users (real names, no other data) for internal database reasons, but if a real person finds that he is registered to a forum he never signed on of course he will not be happy. So, my analytics do show that Mr X discovers his name in my forum. I don't know how he does it but he does.

Besides that leaves a question open, that there is some leakage from the forum. Otherwise where can Mr. X read his name from... if even Admin cannot? How can you find a URL if even Admin gets a 404?

I don't understand how you guys think this is all normal. I don't see it that way.

dimalifragis
(@dimalifragis)
Joined: 5 years ago

Famed Member
Posts: 2611

@agendavolo Your statistics will solve the mystery. Find the IP from stats or from your raw logs. Why don't you do that?

There is no security issue or leak as you suggest in wpForo.
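
Added example (not part of the thread and not wpForo code): one way to do the raw-log check suggested above, assuming the server writes Apache/Nginx combined-format access logs. The log lines, IPs, names and user agents below are constructed; the `foro=signin` and `redirect_to=/forum/profile/...` pattern is the one quoted in the thread.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "GET /forum/?foro=signin&redirect_to=/forum/profile/anna-rossi/ HTTP/1.1" 200 5120 "-" "ExampleBot/1.0 (+http://bot.example/info)"
203.0.113.7 - - [12/Mar/2024:10:01:05 +0000] "GET /forum/?foro=signin&redirect_to=/forum/profile/luca-bianchi/ HTTP/1.1" 200 5120 "-" "ExampleBot/1.0 (+http://bot.example/info)"
198.51.100.23 - - [12/Mar/2024:10:05:40 +0000] "GET /forum/?foro=signin&redirect_to=%2Fforum%2Fprofile%2Fanna-rossi%2F HTTP/1.1" 200 5120 "https://search.example/?q=anna+rossi" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
198.51.100.23 - - [12/Mar/2024:10:05:41 +0000] "GET /wp-content/themes/x/style.css HTTP/1.1" 200 900 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Profile path as it appears in the thread: /forum/profile/<name-surname>/
PROFILE_RE = re.compile(r'^/forum/profile/([^/]+)/?$')

def summarize_signin_hits(log_text):
    """Group sign-in requests that redirect to a profile page by client IP."""
    summary = defaultdict(
        lambda: {"hits": 0, "profiles": set(), "agents": set(), "referers": set()}
    )
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        query = parse_qs(urlsplit(m["target"]).query)  # also percent-decodes
        if query.get("foro") != ["signin"]:
            continue
        for redirect in query.get("redirect_to", []):
            # redirect_to may be a bare path or a full URL; compare the path only
            slug = PROFILE_RE.match(urlsplit(redirect).path)
            if slug:
                entry = summary[m["ip"]]
                entry["hits"] += 1
                entry["profiles"].add(slug.group(1))
                entry["agents"].add(m["agent"])
                if m["referer"] != "-":
                    entry["referers"].add(m["referer"])
    return dict(summary)

if __name__ == "__main__":
    for ip, e in summarize_signin_hits(SAMPLE_LOG).items():
        print(ip, e["hits"], sorted(e["profiles"]), sorted(e["agents"]), sorted(e["referers"]))
```

An IP that requests many different profile slugs with no referrer and a non-browser user agent is most likely a crawler; a single hit with a browser user agent and a referrer is more likely a person following a link.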
