Skip to:
Content
Pages
Categories
Search
Top
Bottom

What does a public Topic in a private Forum mean?

  • @thefarmer

    Participant

    I’m building a small community forum with about 20 users. Bbp 2.6.9. WP 6.0.1 Login Attempts reloaded plugin.

    Intention is for the whole forum to be private, and require user login to view and/or post.

    Seems simple enough and works well so began live beta test. The forum is set ‘private’. But topics within it have to be set ‘public’ for logged in participant users to see. If topics are set ‘private’ only admin/keyholders can see, and that would not be good.

    OK, so the ‘public’ topics and replies don’t seem publicly visible, after all they are in a private forum. For example https://mysite.com/forum/topicpage only returns content if user is logged in.

    So far so good.

    Except….early on in a limited test, an unexpected and uninvited brute force attack was able to identify three correct usernames (but not passwords) which I can only presume must come from reading topic post content ???

    So what does a ‘public’ topic in a ‘private’ forum mean? Is content somehow publicly visible, and how do I get all content in a private forum to be properly private and only visible to logged on users? Or is there a security flaw?

    Thx and I’ve run out of ideas, help appreciated TheFarmer

Viewing 8 replies - 1 through 8 (of 8 total)
  • @robin-w

    Moderator

    But topics within it have to be set ‘public’ for logged in participant users to see

    where are you setting this?

    forums have a visibility status of public/private/hidden, but topics have no such setting.

    @thefarmer

    Participant

    Setting is available to keymasters in the WP dashboard.

    To view it, have a private forum with a topic.

    Log in as keymaster.

    WP Dashboard > Topics > All Topics > (‘my topic’) > edit

    In the ‘Publish’ box just above the update button is an object with text ‘Visibility : Public

      edit

    ‘ This allows settings Public, Password Protected, and Private.

    Private seems to mean visible to admin/keymaster only. Password protected invites a per topic password. And Public is the default for new topics created by participant users.

    But what does ‘public’ visibilty mean for a topic within a ‘private’ forum…..?

    Thx and kr

    TheFarmer

    @thefarmer

    Participant

    It seems a reasonable question whether RSS etc feeds might be open on Topics defaulting to ‘Public’ visibilty as they do even in Private Forums ?

    Naturally concerned.

    kr

    TheFarmer

    @robin-w

    Moderator

    topics (and replies) gain their visibility from the forum they belong to.

    [edit]

    just reread the original post… will respond back again shortly

    @robin-w

    Moderator

    ok, so you are correct that topics and replies should be public.

    You don’t say how you detected a brute force, and if these were default or easily guessed usernames etc. The whole idea of a brute force attack is to try loads of usernames in the hope one is correct.

    bbpress just uses WordPress login, so if you were seeing login attempts this might be just a plain brute force on a wordpress site, unrelated to bbpress.

    Identifying users would be unlikely to come from a topic display, given that a private forum does not show public topics either on screen or through rss.

    However bbpress does have a profile page which is publicly displayable, and that might be a route. ie if the profile page of a display name does not 404, then username is valid.

    you can use :

    bbp style pack

    once activated go to

    dashboard>settings>bbp style pack>Profile

    where you can choose who to display profiles to, and therefore prevent profile pages of your users being identifiable.

    @thefarmer

    Participant

    Thx and especially for the plugin which I shall implement. It blocks public access to user profiles and that’s got to be a good thing much appreciated. But I’ll explain why I doubt that’s the cause here.

    This beta test really should have been a piece of cake. 6 savvy users, each with bespoke usernames at least 8 characters upper lower case and special characters. And strong passwords, thankfully.

    (Standard) version of Linit Login Attempts Reloaded (‘LLAR’) plugin was loaded, not anticipating any action.

    Only 3 of the 6 users bothered to post a few trivial posts. Within a day or so, LLAR flagged up failed login attempts from only those users who had posted. Not many at first but it grew exponentially over the next few days from multiple IPs (presumably bots) to about 1000/day before I shut it down.

    Now it’s not conclusive, but seems unlikely that a random attack on user profiles would only find the exact 3 users who posted. More likely those usernames were found from their posts I figure. Usernames were, after all, in the page conetent, And so the html if that were visible.

    But also visible in the RSS feed perhaps?

    I have now turned off WP’s entire RSS etc feed. Blocked offending usernames. Allocated new usernames, will implement your plugin and start the beta test again.

    Shall post the outcome. Let’s see what happens !

    thx and much appreciated all your stuff not just on this, RW

    TheFarmer

    @thefarmer

    Participant

    PS Limit Logins Reloaded reports detail of failed login attempts, that’s how I know of the brute force attack.

    @thefarmer

    Participant

    Well a couple of days in since the restart. I’m unconvinced bbpress/wp is doing the right thing with feeds from private forums. So do beware. But wholesale turning off rss seems to result in empty containers, and that seems so far successful in avoiding disclosure of page content.

    Who’d have thought a simple thing like this eh?

    kr

    TF

Viewing 8 replies - 1 through 8 (of 8 total)
  • You must be logged in to reply to this topic.
Skip to toolbar