Nickname and Login privacy troubleshooting

Posts: 2
 Dum
Topic starter
(@dum)
New Member
Joined: 1 month ago

Hi there!

 

You have created a really good add-on, and I would like to work with gVectors in the future to purchase its extended functionality, but I have encountered a question that is causing me some confusion.

When registering on the forum, the user's Login is used by default as their Nickname.

In turn, the user's Nickname is used as the default URL Address Identifier.

For example: I registered on this forum with the username Dum. My nickname automatically became @dum.

Now, when you go to my profile page, the URL Identifier will be displayed in the address bar, which means that my Nickname will be displayed in the address bar and, consequently, my Login will also be displayed there.

In addition, my nickname and login will be displayed in the forum footer, in the Our newest member line.

I am attaching screenshots.

I am not allowed to change my Nickname after registration. This means that all users will still be able to find out my Login by simply going to my profile page, as my Login will be displayed in the address bar.

Okay! To avoid a similar situation on my forum, I added an additional Nickname field to the registration form so that users could immediately set a Nickname for themselves during registration that is different from their Login. But wpForo still sets a Nickname that's the same as the Login. And again, any user can see my Login in the address bar when they go to my profile page.

However, I encountered another problem.

Everything goes fine during registration. A new Nickname, which differs from the Login, is set directly in WordPress, but it is not set in wpForo.

Okay! I decide to check if I can change the user's nickname on the profile page in wpForo. I change the nickname and it changes in WordPress. Everything is fine.

Then I decide to check if I can change the forum user's Nickname using the WordPress dashboard. I change the Nickname in WordPress and... the Nickname does not change on the wpForo profile page.

I reread several times all the similar topics on your forum that I could find.

I cleared the cache as described here https://wpforo.com/community/how-to-and-troubleshooting-2/nicknames-cannot-be-modified/

I don't have any caching plugins installed.

I deleted user caches. I synchronized users, updated their statistics, and flushed permalinks. Nothing helped.

 

!! The reason why wpForo does not respond to nickname changes in the WordPress dashboard is as follows:

When changing the nickname in the WordPress panel, an entry is made in the table $wpdb->usermeta with the meta key "nickname".

In turn, when changing the nickname on the wpForo profile page, changes are made to the table $wpdb->users with the meta key "user_nicename".

WordPress table relations allow the "nickname" meta key to be replaced when the "user_nicename" meta key changes.

As a result, when changing the nickname in the WordPress dashboard, only the value of the usermeta table changes, while the users table retains the value set by wpForo.

In this thread, @robert  says that

all WordPress plugins (e.g. BuddyPress) and even the WordPress use Nicknames in user profile URLs? So, please let me know if this is a security issue why thousands of plugins and the WordPress use the nickname in public places, in the user @mentioning and in User URLs? If you click on Article Author link on a regular WordPress article you'll go to WordPress user page. Just take a look on the URL, it consists of your nickname. So the nickname is already public, even disabling wpForo will not help you make nicknames private (unless you use custom solutions).

Indeed, nicknames are used for display in user URLs, and there is no problem with this, PROVIDED that the nickname is not equal to the Login.

This thread provides a good example of users mistakenly entering their email address in the login field, making it accessible to all other users.

Usually, when people register an account somewhere, they expect that their login will be known only to them and will not be displayed publicly. So, the fact that the email was displayed in the address bar in this case is definitely not a user error.

 

So yes, it's a real security vulnerability.

 

This raises several questions:

1. Are you planning to change anything with the algorithms for displaying user URLs?

Although you claim that there are no problems with this, the forum has quite a lot of topics with complaints about the display of Logins in the address bar and requests to fix this. However, you have been ignoring this for several years. Do you really think that displaying the login in the address bar is normal?

Taking into account the changes that have occurred in legislation on the protection of rights, the described problem does not make wpForo attractive.

2. Please tell me where I can find the function that is responsible for the relationship of nicknames on the wpForo user page with wpdb->users -> "user_nicename". And can I use this function to change this relationship to a relationship with $wpdb->usermeta -> "nickname"? Since there is currently no other solution than to hide user logins from public access without using custom solutions. And then at least by adding a new field to the registration form, it will be possible to achieve the desired result.

3. Or perhaps you can suggest another way to solve this issue that could be implemented now?

 

Thanks!

3 Replies
wpForo Support
Moderator
(@wpforo-support)
Joined: 5 months ago

Member
Posts: 52

@dum,
wpForo by default uses the WordPress user_nicename as the URL identifier for users, which is typically based on the username. This means the login name can be exposed in URLs. When a user changes their nicename, wpForo appends a suffix like '-2' to avoid duplicate URL identifiers for new users with the same nickname. The nickname shown in wpForo profiles is separate and can be edited independently.

However, wpForo does not have a built-in option to change the URL identifier from user_nicename to the usermeta nickname to avoid exposing the login in the URL. The user_nicename is a WordPress core feature used in URLs, and wpForo relies on it.

To address privacy concerns, some users disable editing of the nicename and keep it in sync with the display name using custom code or hooks. But there is no ready-made hook or setting in wpForo to replace the URL identifier with the usermeta nickname.

If you want to change the default nickname or how it appears, note that nickname handling is mostly controlled by WordPress core, not wpForo. For more control over usernames and nicknames, you might need custom development or WordPress plugins.

Reply
 Dum
(@dum)
Joined: 1 month ago

New Member
Posts: 2

@wpforo-support 

Firstly, thank you for your reply. I probably didn't explain what I wanted to say clearly enough.

Now, let's take it step by step.

I thought I could avoid the problem of the login being displayed in the URL if I purchased the "wpForo - User Custom Field" add-on. With its help, I could add a "nickname" field to the wpForo registration form. However, after reading the topics related to my question on this forum, I came to understand that this add-on would not solve the problem. This is because the "nickname" field in this add-on would make changes to the table $wpdb->usermeta. And then the following would happen:

Spoiler
This

The reason why wpForo does not respond to nickname changes in the WordPress dashboard is as follows:

When changing the nickname in the WordPress panel, an entry is made in the table $wpdb->usermeta with the meta key "nickname".

In turn, when changing the nickname on the wpForo profile page, changes are made to the table $wpdb->users with the meta key "user_nicename".

WordPress table relations allow the "nickname" meta key to be replaced when the "user_nicename" meta key changes.

As a result, when changing the nickname in the WordPress dashboard, only the value of the usermeta table changes, while the users table retains the value set by wpForo.

 

It described the problem that makes it impossible to change the wpForo user nickname (URL identifier) in the WordPress panel. And, accordingly, adding the add-on's "nickname" field will not solve the problem. And clearing the cache won't help.

Now, I know that WordPress uses user_nicename to display URLs. I also know that if you don't specify user_nicename during registration, WordPress will set it equal to your login. But I was hoping that the add-on's nickname field would make changes to user_nicename. Alas, this is not true.

 

The question is precisely how to set the URL identifier during registration using the wpForo registration form, i.e., to set user_nicename.

You have written everything correctly here.

 

Posted by: @wpforo-support

To address privacy concerns, some users disable editing of the nicename and keep it in sync with the display name using custom code or hooks. But there is no ready-made hook or setting in wpForo to replace the URL identifier with the usermeta nickname.

But there is no need for any WordPress plugins, as you say here

Posted by: @wpforo-support

For more control over usernames and nicknames, you might need custom development or WordPress plugins.

There really is a need for a hook.

There are some fairly trivial ways to solve this problem. It is possible to simply add a hook to the body that registers the user using the wpForo register form with the 'user_register' parameter and userdata 'user_nicename'. At the same time, add an additional "nickname" field to the registration form and add validation for its data so that there are no matches for 'user_nicename'.

Since I am not a coding specialist and my knowledge is limited to basic knowledge and understanding of the C language, and is also long forgotten, as I learned it in the distant past, I was interested in the question: where can I find a function that describes the registration hook using the wpForo registration wrapper? Because it would take a considerable amount of time to analyze your plugin and find it myself.

Since I am limited in time to solve this problem, I have decided to solve it as quickly as possible for myself - during registration, a random set of numbers is entered in 'user_nicename', and I have also added a "nickname" field to the registration form, which sets the user's nickname so that people can immediately claim it for themselves. At the same time, the "nickname" must also be recorded in the 'display_name' field because your function.php file is set to display either 'display name' in the forum footer after registration. Of course, it is also possible to simply remove the display of 'display_name' or replace it with the same 'user_nicename' from random numbers. After that, I plan to ask them to go to their profile and manually change the "URL identifier" field to the nickname they have chosen. Also, one can try working with the hook 'pre_user_nicename', which filters the 'user_nicename' before the user is created or updated, so that the modified value can be returned later. But I think that people who develop add-ons for WP understand this better than I do and know all the possible ways to implement it.

Of course, this is a very monkey solution, but it can be implemented with minimal knowledge and with a few dozen lines of code in less than an hour.

However, now after updating wpForo, I will have to add this to the code every time, which is inconvenient.

Here's the topic where a person writes that he has created a community of elderly people who are not very tech-savvy, and they mistakenly entered their email addresses in the "Login" field, and now they are displayed in the URL.

Currently, emails, phone numbers, and simple character sets are used as logins for registration on various platforms, so it is not surprising that users may mistakenly enter their email address in the "login" field.

Firstly, considering how data protection legislation has changed, forum owners could be liable to pay large fines for displaying email addresses in this way. As a result, people are moving to other platforms and other developments in order to build their communities, and you, in turn, are losing potential customers.

Secondly, if I registered on a platform and saw that my email address or phone number was displayed in the address bar, I would never return to that site and would advise other users not to do so either. This, in turn, leads to a decrease in interest in wpForo, which, in turn again, reduces the number of your potential customers.

Just because WP considers displaying nicknames to be normal does not mean that their policy is ideal. A known nickname is already 50% of what is needed for brute force.

Okay, even if you take all the necessary security measures, such as 2FA and others (which is the only way to avoid brute force attacks, as claimed by WP), and avoid the possibility of password guessing. Also, people usually set up the same logins for different sites, which again puts them at risk of hacking, only on another site (if that site has not taken the necessary security measures). And this again deters users.

Also, there is still the issue of data protection legislation.

Let's assume that I install all the necessary protections, but what should I do about sensitive user data becoming public?

In fact, it is no longer just an addition, but a default requirement. Because currently, even the "wpForo - User Custom Field" does not allow you to avoid such situations for the reasons I have already outlined.

As a quick example, here are a few more topics where users write that they have encountered the problem of disclosing sensitive data.

 

https://wpforo.com/community/how-to-and-troubleshooting-2/how-to-change-the-default-mention-name/

https://wpforo.com/community/how-to-and-troubleshooting-2/display-name-default-to-username/

https://wpforo.com/community/how-to-and-troubleshooting-2/display-wp-username-by-default/

You can also find many pages on the web where people write that the WP policy in this respect is not ideal and sometimes causes problems. Indeed, most services today display the user's nickname in the URL, but it is not the same as the login and, moreover, does not display any sensitive data that may have been entered by mistake.

However, initially, the people who register with WP are those who will be developing the website, and they can change their 'user_nicename' in the database before anyone visits their profile. Forum users, however, will not have this option, so this issue falls to the forum owners.

In fact, wpForo is an excellent tool for creating a community, and it is obvious that a lot of effort has been put into its development. However, the problem with the possibility of sensitive data disclosure deprives it of many advantages over its competitors and, in specific cases, even makes it to an extent unsuitable for use.

If this were an obsolete project, then there would be no questions, but you support it, correct errors, refine it, and make other changes. So it's not entirely clear why you are disregarding issues related to data disclosure for such a considerable time, because they are really important. Especially since solving them does not require a lot of time and effort.

After all, these are your potential customers who want to use your product but are facing obstacles due to legislation and other factors.

For the rest, you have a really great product.

 

The questions I asked at the beginning of this thread remain unanswered for now.

1.

 

So, I wish I were wrong and knew that this problem would somehow be solved, but as I understand it, you don't plan to change anything with the display of the login in the URL. However, in our reality, the login is displayed by default, despite the fact that technically the nickname is displayed there.

That's right?

2.

Where and how can I find the wpForo hook that is responsible for user registration and make changes to the wpForo registration form, as a result of which, when a user registers, the data they enter (for example, from the custom field "login" that I will add to the registration form or registration page wrapper) is recorded in the 'user_nicename' field of the $wpdb->users table?

 

Best regards!

Reply
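
The workaround discussed in this thread (giving new accounts a user_nicename that is not derived from the login), sketched as an added example that is not part of any post and is not wpForo's or WordPress's own code. It assumes a small must-use plugin; the function names and the "member-" prefix are hypothetical, and whether wpForo caches the earlier slug is not confirmed by the thread.

```php
<?php
/**
 * Added example (hypothetical names): keep the login out of user_nicename,
 * which the thread says wpForo uses as the profile URL identifier.
 */

// True when the slug is the login run through WordPress's default derivation
// (sanitize_title of the first 50 characters), optionally with a "-2" style suffix.
function example_nicename_leaks_login( WP_User $user ): bool {
    $derived = sanitize_title( mb_substr( $user->user_login, 0, 50 ) );
    $pattern = '/^' . preg_quote( $derived, '/' ) . '(-\d+)?$/';
    return 1 === preg_match( $pattern, $user->user_nicename );
}

// Replace a login-derived slug with a random one right after registration.
add_action( 'user_register', function ( $user_id ) {
    $user = get_userdata( $user_id );
    if ( ! $user || ! example_nicename_leaks_login( $user ) ) {
        return; // a distinct slug was already supplied; leave it alone
    }
    // wp_update_user() fires profile_update, not user_register, so no recursion.
    $result = wp_update_user( array(
        'ID'            => $user_id,
        'user_nicename' => 'member-' . bin2hex( random_bytes( 6 ) ),
    ) );
    if ( is_wp_error( $result ) ) {
        // Log the numeric ID only, never the login itself.
        error_log( 'nicename rewrite failed for user ' . $user_id );
    }
} );

// Audit helper: IDs of existing accounts whose URL slug still reveals the login,
// including logins that were e-mail addresses (john@example.com -> johnexample-com).
function example_find_leaky_nicenames(): array {
    $leaky = array();
    foreach ( get_users( array( 'fields' => 'all' ) ) as $user ) {
        if ( example_nicename_leaks_login( $user ) ) {
            $leaky[] = $user->ID;
        }
    }
    return $leaky;
}
```

Because it lives outside the wpForo directory, a must-use plugin like this survives wpForo updates; the audit helper only reports accounts and does not change them.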
Robert
Admin
(@robert)
Joined: 10 years ago

Support Team
Posts: 10668

@dum,

I'm sorry but it's really hard to follow such long descriptions of issues. Please keep it as short as possible and let me know the key issue. Again, wpForo only uses the nickname for user URLs, it's not the login or username. It could be the same if the user doesn't change it in his/her profile page:


Reply