Security Issue - Need Assistance
We've just started using wpForo as our team forum. The forum is a page on our WordPress website, where we also maintain a blog.
I have the forum set up with proper access rights for each user group, and that part is working.
Each user has to register in order to gain access to the forum - and as such, general visitors to our website who are not registered users will not see the forum space (they will only see our blog space).
We just noticed a problem, however, and I don't know a workaround for this...
If a non-registered visitor were to happen to know the URL of our team forum and add "recent" to the end of the URL, they can enter that URL and see ALL the forum information! All of it!!!
For example, if you type https://www.[placeholder].com/community/recent for a website that uses this wpForo plugin with this default URL structure, you can get into anyone's forum. How is that possible?
And more importantly, how can this be fixed so this ISN'T possible?
Am I missing a setting?
Or is this a built-in issue?
We have tested this while NOT logged in to the forum - using all browsers and incognito on all browsers. And have tested this on phones that have never had the owner visit our website in the past. In ALL cases, using the URL structure I wrote above provides full access to our forum.
I look forward to your help!
We solved this by installing a secondary plugin, e.g. Ultimate Member, and used this plugin to specify that the forum pages are only for logged-on users.
@wp_eikari - I just installed the Ultimate Member plugin - just the free version.
How did you set up your website so the forum is the only thing hidden to non-registered users?
Our website is our blog - so we need visitors to be able to access all content on the blog (pages and posts).
The forum is just on one page of the website. I would like visitors to have access to the forum page so they can see the public forums, but I only want registered users to see the non-public forums.
I couldn't find a way to do that with the free version of Ultimate Member, and am hoping you can share your method with me. Thank you in advance.
@thedrawingboard If you've installed UM, on each page, there should be an option marked "Restrict access to this content?" where you can select whether or not you want the contents to be accessible to those logged in or not.
Hope this helps.
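A way to confirm that a restriction like the one discussed in this thread actually holds for logged-out visitors, written as an added example that is not part of the original posts. It requests the forum root and the "recent" view with no cookies and reports whether members-only text came back. The function names, the `example.test` URLs and the sample responses are constructed for illustration, and the marker is an assumption: a string you pick that appears only in a members-only topic.

```python
import sys
import urllib.error
import urllib.request

PATHS = ["", "recent"]  # forum root and the "recent" view named in the thread

# Constructed responses (status, final URL, body) for an offline run.
SAMPLE = {
    "https://example.test/community/": (200, "https://example.test/community/", "<h1>Public board</h1>"),
    "https://example.test/community/recent": (200, "https://example.test/community/recent", "<li>Team roadmap Q3</li>"),
}


def fetch_anonymous(url, timeout=10):
    """GET with no cookies or credentials, as a logged-out visitor would."""
    req = urllib.request.Request(url, headers={"User-Agent": "forum-access-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.geturl(), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.url, ""


def classify(status, final_url, body, marker):
    """marker: a non-empty string that appears only in members-only content."""
    if not marker:
        raise ValueError("marker must be a non-empty string")
    if status in (401, 403, 404):
        return "protected"
    if status != 200:
        return "review"
    if "login" in final_url.lower():
        return "protected"  # redirected to a login page
    return "exposed" if marker in body else "public-only"


def audit(base_url, marker, fetch=fetch_anonymous):
    base = base_url.rstrip("/") + "/"
    return {base + p: classify(*fetch(base + p), marker) for p in PATHS}


if __name__ == "__main__":
    if len(sys.argv) == 3:  # live: python check.py <forum base URL> <marker>
        results = audit(sys.argv[1], sys.argv[2])
    else:  # offline demo on the constructed sample
        results = audit("https://example.test/community", "Team roadmap", SAMPLE.__getitem__)
    for url, verdict in results.items():
        print(f"{verdict:12} {url}")
    sys.exit(1 if "exposed" in results.values() else 0)
```

The script exits non-zero when any probed URL returns the marker, so it can run after plugin or permission changes as a regression check.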