Forum Replies Created
Well a couple of days in since the restart. I’m unconvinced bbpress/wp is doing the right thing with feeds from private forums. So do beware. But wholesale turning off rss seems to result in empty containers, and that seems so far successful in avoiding disclosure of page content.
Who’d have thought a simple thing like this eh?
PS Limit Logins Reloaded reports detail of failed login attempts, that’s how I know of the brute force attack.
Thx and especially for the plugin which I shall implement. It blocks public access to user profiles and that’s got to be a good thing, much appreciated. But I’ll explain why I doubt that’s the cause here.
This beta test really should have been a piece of cake. 6 savvy users, each with bespoke usernames at least 8 characters upper lower case and special characters. And strong passwords, thankfully.
(Standard) version of Limit Login Attempts Reloaded (‘LLAR’) plugin was loaded, not anticipating any action.
Only 3 of the 6 users bothered to post a few trivial posts. Within a day or so, LLAR flagged up failed login attempts from only those users who had posted. Not many at first but it grew exponentially over the next few days from multiple IPs (presumably bots) to about 1000/day before I shut it down.
Now it’s not conclusive, but seems unlikely that a random attack on user profiles would only find the exact 3 users who posted. More likely those usernames were found from their posts I figure. Usernames were, after all, in the page content, and so the HTML if that were visible.
But also visible in the RSS feed perhaps?
I have now turned off WP’s entire RSS etc feed. Blocked offending usernames. Allocated new usernames, will implement your plugin and start the beta test again.
Shall post the outcome. Let’s see what happens!
thx and much appreciated all your stuff not just on this, RW
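
A check for the exposure suspected in the post above, as an added example that is not part of the original post: it scans a saved copy of a site's RSS feed for the login names being protected and reports which item fields contain them. The feed is constructed sample data, and the function name, login names and URLs are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample feed (not real site output); names and URLs are hypothetical.
SAMPLE_FEED = """<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>Beta forum</title>
    <item>
      <title>Reply To: Welcome</title>
      <link>https://forum.example/topic/welcome/#post-12</link>
      <dc:creator>Qx7_Harbour!</dc:creator>
      <description>First test post.</description>
    </item>
    <item>
      <title>Reply To: Welcome</title>
      <link>https://forum.example/users/zk-lantern9/replies/</link>
      <dc:creator>Anna</dc:creator>
      <description>Thanks, posted by Anna.</description>
    </item>
  </channel>
</rss>"""


def find_login_exposure(feed_xml, login_names):
    """Return {login_name: sorted list of item fields where it appears}."""
    root = ET.fromstring(feed_xml)
    hits = {}
    for item in root.iter("item"):
        for field in item:
            # Strip the XML namespace so dc:creator is reported as "creator".
            tag = field.tag.split("}")[-1]
            text = (field.text or "").lower()
            for name in login_names:
                if name.lower() in text:
                    hits.setdefault(name, set()).add(tag)
    return {name: sorted(tags) for name, tags in hits.items()}


if __name__ == "__main__":
    # Hypothetical login names to look for; the third never appears in the feed.
    logins = ["Qx7_Harbour!", "zk-lantern9", "Mv3#Orchard"]
    for name, fields in find_login_exposure(SAMPLE_FEED, logins).items():
        print(f"{name}: exposed in {', '.join(fields)}")
```

Run it against a feed fetched while logged out, so the result reflects what an anonymous visitor or bot would receive.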
It seems a reasonable question whether RSS etc feeds might be open on Topics defaulting to ‘Public’ visibility as they do even in Private Forums?
Setting is available to keymasters in the WP dashboard.
To view it, have a private forum with a topic.
Log in as keymaster.
WP Dashboard > Topics > All Topics > (‘my topic’) > edit
In the ‘Publish’ box just above the update button is an object with text ‘Visibility : Public’. This allows settings Public, Password Protected, and Private.
Private seems to mean visible to admin/keymaster only. Password protected invites a per topic password. And Public is the default for new topics created by participant users.
But what does ‘public’ visibility mean for a topic within a ‘private’ forum…..?
Thx and kr