But topics within it have to be set ‘public’ for logged-in participant users to see.
Where are you setting this?
Forums have a visibility status of public/private/hidden, but topics have no such setting.
Setting is available to keymasters in the WP dashboard.
To view it, have a private forum with a topic.
Log in as keymaster.
WP Dashboard > Topics > All Topics > (‘my topic’) > Edit
In the ‘Publish’ box just above the Update button is a setting labelled ‘Visibility: Public’. This allows the settings Public, Password Protected, and Private.
Private seems to mean visible to admin/keymaster only. Password Protected invites a per-topic password. And Public is the default for new topics created by participant users.
But what does ‘public’ visibility mean for a topic within a ‘private’ forum?
Thx and kr
TheFarmer
It seems a reasonable question whether RSS etc. feeds might be open on topics defaulting to ‘Public’ visibility, as they do even in private forums?
Naturally concerned.
kr
TheFarmer
Topics (and replies) gain their visibility from the forum they belong to.
[edit]
Just reread the original post… will respond back again shortly.
OK, so you are correct that topics and replies should be public.
You don’t say how you detected a brute force, and whether these were default or easily guessed usernames etc. The whole idea of a brute force attack is to try loads of usernames in the hope one is correct.
bbPress just uses WordPress login, so if you were seeing login attempts this might be just a plain brute force on a WordPress site, unrelated to bbPress.
Identifying users would be unlikely to come from a topic display, given that a private forum does not show public topics either on screen or through rss.
However bbPress does have a profile page which is publicly displayable, and that might be a route, i.e. if the profile page of a display name does not 404, then the username is valid.
You can use:
bbp style pack
Once activated go to
Dashboard > Settings > bbp style pack > Profile
where you can choose who to display profiles to, and therefore prevent profile pages of your users being identifiable.
Thx, and especially for the plugin, which I shall implement. It blocks public access to user profiles and that’s got to be a good thing, much appreciated. But I’ll explain why I doubt that’s the cause here.
This beta test really should have been a piece of cake. 6 savvy users, each with bespoke usernames at least 8 characters upper lower case and special characters. And strong passwords, thankfully.
The (standard) version of the Limit Login Attempts Reloaded (‘LLAR’) plugin was loaded, not anticipating any action.
Only 3 of the 6 users bothered to post a few trivial posts. Within a day or so, LLAR flagged up failed login attempts from only those users who had posted. Not many at first but it grew exponentially over the next few days from multiple IPs (presumably bots) to about 1000/day before I shut it down.
Now it’s not conclusive, but it seems unlikely that a random attack on user profiles would only find the exact 3 users who posted. More likely those usernames were found from their posts, I figure. Usernames were, after all, in the page content, and so in the HTML if that were visible.
But also visible in the RSS feed perhaps?
I have now turned off WP’s entire RSS etc feed. Blocked offending usernames. Allocated new usernames, will implement your plugin and start the beta test again.
Shall post the outcome. Let’s see what happens!
Thx, and much appreciated all your stuff, not just on this, RW.
TheFarmer
PS Limit Logins Reloaded reports detail of failed login attempts, that’s how I know of the brute force attack.
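The check below is an added example, not code from the thread or from bbPress/LLAR: it takes the hypothesis in the post above (the accounts being brute-forced are exactly the ones whose names appear in forum content/feeds) and turns it into an audit that a site owner can run against an exported feed and a failed-login list. The feed and the login lines are constructed samples; the "ip user" log layout is an assumption, not the real LLAR export format.

```python
"""Correlate author names disclosed by a forum RSS feed with the
usernames targeted in failed logins (constructed sample data)."""
import re
import xml.etree.ElementTree as ET
from collections import Counter

DC = "{http://purl.org/dc/elements/1.1/}"

# Constructed sample feed, laid out like a WordPress RSS 2.0 feed where
# dc:creator carries the post author's display name. Not from a real site.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/">
<channel><title>Beta forum</title>
<item><title>First topic</title><dc:creator><![CDATA[qZ7!kLm9]]></dc:creator></item>
<item><title>Reply</title><dc:creator><![CDATA[Xy4$pQr2]]></dc:creator></item>
<item><title>Another</title><dc:creator><![CDATA[qZ7!kLm9]]></dc:creator></item>
</channel></rss>"""

# Constructed failed-login records in a hypothetical "ip username" layout
# (assumption: NOT the real Limit Login Attempts Reloaded export format).
SAMPLE_FAILED_LOGINS = """\
203.0.113.5 qZ7!kLm9
203.0.113.9 qZ7!kLm9
198.51.100.7 Xy4$pQr2
192.0.2.44 admin
"""


def feed_authors(feed_xml: str) -> set[str]:
    """Return the distinct author names the feed discloses."""
    root = ET.fromstring(feed_xml)
    return {c.text.strip() for c in root.iter(DC + "creator") if c.text}


def failed_login_targets(log_text: str) -> Counter:
    """Count failed-login attempts per targeted username."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        m = re.match(r"^(\S+)\s+(\S+)$", line.strip())
        if m:
            counts[m.group(2)] += 1
    return counts


def exposed_and_attacked(feed_xml: str, log_text: str) -> dict[str, int]:
    """Usernames both disclosed by the feed and targeted, with attempt counts."""
    exposed = feed_authors(feed_xml)
    return {u: n for u, n in failed_login_targets(log_text).items() if u in exposed}


if __name__ == "__main__":
    print(exposed_and_attacked(SAMPLE_FEED, SAMPLE_FAILED_LOGINS))
```

A non-empty result means every name in it was both visible in the feed and tried at the login form; in WordPress the feed field is the display name, which equals the login name unless the user changed it in their profile.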
Well, a couple of days in since the restart. I’m unconvinced bbPress/WP is doing the right thing with feeds from private forums. So do beware. But wholesale turning off RSS seems to result in empty containers, and that seems so far successful in avoiding disclosure of page content.
Who’d have thought a simple thing like this eh?
kr
TF