wpForo 1.x.x [Solved] User Nicenames Privacy Hole

5 Posts
4 Users
1 Likes
1,417 Views
Posts: 14
Topic starter
(@jcardona)
Eminent Member
Joined: 5 years ago

Pardon me if this is a setting that I'm just not seeing... but is there a way to change what gets picked as someone's nicename? Right now it looks like it selects someone's email address, which is a HUGE privacy concern for me. I know we can hide nicenames, but then that makes it hard for someone to mention someone in a reply and have them get a notification.

4 Replies
Sofy
Posts: 4233
Admin
(@sofy)
Support Team
Joined: 6 years ago

Hi @jcardona,

WordPress and wpForo have three different names for Users:

  • Username (Login) – Used for the forum authorization (login, sign-in) action.
  • Display Name – What other users and guests see in user profile details and next to user posts (post author name).
  • Nicename – Unique name which is used in WordPress and wpForo core to generate the user Profile URL. In other words, this is the user slug. For example, example.com/community/profile/martin59/.

After a regular user registration process, Username, Display Name and Nicename are set the same. For example, if you register a user with the Username “Martin59”, your user names look like this:

  • Username – Martin59
  • Display Name – Martin59
  • Nicename – martin59

And the profile URL will be example.com/community/profile/martin59/

wpForo has “Display Name” and “Nicename” fields on the Forum > My Profile > Account front-end page. Using these options you should change the Display Name and Nicename to something like this:

  • Username – Martin59
  • Display Name – Martin P.
  • Nicename – martinos
Robert
Posts: 10499
Admin
(@robert)
Support Team
Joined: 8 years ago

Also, please read this support topic: https://wpforo.com/community/how-to-and-troubleshooting-2/how-to-close-username/#post-38917

Posts: 21
(@richardhkg)
Eminent Member
Joined: 4 years ago

1. @sofy @robert I too have a major concern with this topic. Yes, I have read all the docs, and my wp_users database has different username, nickname, and display_name.

BUT wpForo does not use the Display Name as you claim. It uses the very insecure nickname. And like @jcardona I see no way to change this. As @jcardona says, a very BIG privacy/security hole!

Can you please review what you have noted and clarify? As the wpForo sync process has added 6,000 members, it is not practical to ask all 6,000 to go to their profiles to make changes. So how do I set Display Name as claimed??

2. Ref Profiles, we have disabled access to profiles and admin bars for security on main site, so would like to do same for wpForo profile. Can this be done?

Thanks for your time.

PS. I have new forum live but hidden, as not able to develop wpForo offline so another security hassle to consider. BUT despite no menu access have already seen bots hacking into wpForo profiles in my security audit log within hours!!!! 🙁

Robert
Posts: 10499
Admin
(@robert)
Support Team
Joined: 8 years ago

@richardhkg,

wpForo does use Display Names, and yes, it does use the Nickname as well.

1. You can disable the nickname very easily. But you should know that there is no way to hack a profile using the nickname if you have changed it and it doesn't match your username. The nickname is nothing! It's not the username, so it has no value in security. Again, in case it doesn't match the username.

2. Do you know that all WordPress plugins (e.g. BuddyPress) and even WordPress itself use Nicknames in user profile URLs? So, please let me know, if this is a security issue, why do thousands of plugins and WordPress use the nickname in public places, in user @mentioning and in User URLs? If you click on the Article Author link on a regular WordPress article you'll go to the WordPress user page. Just take a look at the URL; it consists of your nickname. So the nickname is already public, and even disabling wpForo will not help you make nicknames private (unless you use custom solutions).

3. In any case, if you still want to disable nicknames in wpForo, you should put this code in the active WordPress theme's functions.php file:

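// Return an empty string for every member nicename that wpForo requests.
function wpforo_disable_user_nicenames( $nicename ) {
    return '';
}
// Hook the callback into wpForo's member nicename filter (priority 10).
add_filter( 'wpforo_member_nicename', 'wpforo_disable_user_nicenames', 10 );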

How to Easily Add Custom Code in WordPress (without Breaking Your Site)
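
Added example (not part of the thread and not wpForo or WordPress code): an offline audit that lists the accounts whose nicename still matches the slug of their login or e-mail address, which is the case the replies above single out. It assumes a CSV export of the wp_users columns ID, user_login, user_email and user_nicename; the sample rows are constructed, and wp_slug() is only an approximation of WordPress's default slug derivation for ASCII input.

```python
import csv
import io
import re

# Constructed sample export; the column names are those of the wp_users table.
SAMPLE_CSV = """ID,user_login,user_email,user_nicename
1,Martin59,martin@example.com,martin59
2,Sofia77,sofia@example.com,sofi-k
3,jane.doe@example.org,jane.doe@example.org,jane-doeexample-org
4,rk_admin,r.kim@example.net,r-kimexample-net
"""


def wp_slug(value):
    """Approximate WordPress's default nicename derivation for ASCII input.

    Assumption: first 50 characters, lower-cased, '.' turned into '-', and
    anything outside [a-z0-9 _-] dropped. Accents and percent-encoded octets,
    which the real sanitize_title() also handles, are not covered here.
    """
    s = value[:50].lower().replace(".", "-")
    s = re.sub(r"[^a-z0-9 _-]", "", s)  # '@' disappears at this step
    s = re.sub(r"\s+", "-", s)
    return re.sub(r"-+", "-", s).strip("-")


def audit(csv_text):
    """Return [(ID, reason)] for accounts whose profile slug exposes a private value."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        nicename = row["user_nicename"].strip().lower()
        login, email = row["user_login"].strip(), row["user_email"].strip()
        if nicename == wp_slug(login):
            # The slug is the login itself; worse when the login is an e-mail address.
            findings.append((row["ID"], "email-as-login" if "@" in login else "login"))
        elif nicename == wp_slug(email):
            findings.append((row["ID"], "email"))
    return findings


if __name__ == "__main__":
    for user_id, reason in audit(SAMPLE_CSV):
        print(f"user {user_id}: nicename still reveals {reason}")
```

Accounts that come back from audit() are the ones whose nicename needs changing; an account like row 2, whose nicename was already changed to something unrelated, is not reported.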