
wpForo 1.x.x Mentioning and user_nicename is revealing login names

4 Posts
4 Users
0 Likes
1,303 Views
Livi
Posts: 1
Topic starter
(@livi)
New Member
Joined: 3 years ago

Hi!

We recently noticed that our wpForo instance is showing our usernames (the ones used at login) when quoting a post or when @mentioning someone. For privacy/security reasons, we would not want this information to be shown.

The nicknames (display_name) are shown correctly around the little avatar box next to posts, where the name links to the user's profile. Only @mentioning and quoting are revealing the usernames (login names).

We are using Ultimate Member and UM profiles in our forum. We also use UM registration/login forms.

After some research and testing, we figured out that wpForo uses the user_nicename field when fetching the information for quoting/mentioning. We have not been using user_nicename with anything, so the field has default values in it, which means they are the same as usernames.

As a solution, we were thinking of copying the contents of the display_name field into the user_nicename field, and using an appropriate WP function like sanitize_user() or similar to remove spaces and non-alphabet characters.

Questions:

  1. Do you see a problem with this approach and will the mentioning system work correctly even if the user_nicename field changes often?
  2. Are there any other requirements/restrictions for the content in this field for mentioning?
  3. Can wpForo be configured to use display_name as a field when mentioning/quoting?


Thanks in advance!

3 Replies
Martin
Posts: 863
Moderator
(@martin)
Support Team
Joined: 6 years ago

Hi @livi,

wpForo doesn't show usernames; it shows nicenames for mentioning. This is the same name used in the profile URL by WordPress and all other plugins. Nicenames are public. This problem comes from WordPress, because it sets users' nicknames the same as the username on registration. All registration processes are done in WordPress core functions; wpForo only provides a nice registration form, nothing else.

All users should go to their My Profile > Account page and change the nicename to something else. Only 1% of WP users have enough skills to understand that.

WordPress and wpForo have three different names for Users:

  • Username (Login) – Used for the forum authorization (login, sign-in) action.
  • Display Name – What other users and guests see in user profile details and next to user posts (post author name).
  • Nicename – Unique name which is used in WordPress and wpForo core to generate the user Profile URL. In other words, this is the user slug. For example, example.com/community/profile/martin59/.

After a regular user registration process, Username, Display Name and Nicename are set the same. For example, if you register a user with the Username “Martin59”, your user names look like this:

  • Username – Martin59
  • Display Name – Martin59
  • Nicename – martin59

And the profile URL will be example.com/community/profile/martin59/

In order to fix this security issue, wpForo has “Display Name” and “Nicename” fields in the Forum > My Profile > Account front-end page. Using these options, you should change the Display Name and Nicename to something like this:

  • Username – Martin59
  • Display Name – Martin P.
  • Nicename – martinos

This is a secure way to configure User Names. 

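An added example, not part of the thread and not wpForo's own code: a WordPress script that lists accounts whose user_nicename is still the default derived from the login and, when enabled, replaces it with a slug built from display_name, as proposed in the first post. It uses sanitize_title() instead of sanitize_user() because nicenames are URL slugs; the `member-<ID>` fallback, the APPLY_CHANGES switch and the file name are assumptions of this example.

```php
<?php
// Added example. Run inside WordPress, e.g. `wp eval-file audit-nicenames.php`
// (hypothetical file name). Dry run by default: nothing is written unless
// APPLY_CHANGES is set to true.
const APPLY_CHANGES = false;

$users = get_users( array(
    'fields' => array( 'ID', 'user_login', 'user_nicename', 'display_name' ),
) );

foreach ( $users as $user ) {
    // WordPress derives the default nicename from the login with sanitize_title(),
    // so a match means the profile URL and @mentions expose the login name.
    $default = sanitize_title( mb_substr( $user->user_login, 0, 50 ) );
    if ( $user->user_nicename !== $default ) {
        continue; // already changed by the user or an administrator
    }

    // Build a slug from the display name, leaving room for a numeric suffix
    // (nicenames are limited to 50 characters). Fall back to an ID-based slug
    // when the display name is empty after sanitizing or equals the login.
    $candidate = mb_substr( sanitize_title( $user->display_name ), 0, 45 );
    if ( '' === $candidate || $candidate === $default ) {
        $candidate = 'member-' . $user->ID; // assumption: ID-based fallback
    }

    // Nicenames must be unique: append a suffix while another user owns the slug.
    $slug = $candidate;
    $n    = 2;
    while ( ( $other = get_user_by( 'slug', $slug ) ) && (int) $other->ID !== (int) $user->ID ) {
        $slug = $candidate . '-' . $n++;
    }

    printf( "user %d: nicename matches login, proposed '%s'\n", $user->ID, $slug );

    if ( APPLY_CHANGES ) {
        $result = wp_update_user( array( 'ID' => $user->ID, 'user_nicename' => $slug ) );
        if ( is_wp_error( $result ) ) {
            printf( "  update failed: %s\n", $result->get_error_message() );
        }
    }
}
```

Changing a nicename also changes the profile and author URLs built from it, so links to the old slug stop resolving; review the dry-run output before enabling writes.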
Synergy
Posts: 16
(@synergy)
Active Member
Joined: 2 years ago

But I really think this method is very cumbersome. Many users will see it as too technical and be reluctant to do that.

I rather chose to set the Member URL structure to be /USER_ID/ under Forum>Setting>Members as seen in the screenshot attached.

Is that safe? Does that remove the danger even when the user did not change display and nicename?

Alvina
Posts: 1872
Moderator
(@alvina)
Member
Joined: 3 years ago

Hi @synergy

If you're using the method mentioned by Martin, everything will work fine.

In case you want to display "Members URL structure" with the USER_ID, you can do it without any worries.