Support » Plugin: BuddyPress » Brute force attack off user names in directory

  • I discovered that someone was brute forcing every single name with a single attempt per IP address of every user in the directory.

    Seems like its a bad idea to show the actual log in names in the public directory.

    I confirmed by changing a user name and the log in attempt name switched. Removing the directory and then changing them name resulted in them not knowing the new name.

    Ah well. It was a nice comfy plugin until now. Switching to Profilegrid which has more privacy options.

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author Boone Gorges

    (@boonebgorges)

    Sorry to hear about your issue.

    It’s worth noting that BuddyPress doesn’t directly use user_logins in the directory and elsewhere in the interface. Instead, it uses the user_nicename value, which matches user_login by default, but need not; plugins like https://wordpress.org/plugins/edit-author-slug/ allow user_nicename to be customized.

    The issue of user_nicename being public is not limited to BP. WordPress itself uses user_nicename to build author archives (example.com/author/felty, etc). As such, it’s not considered private information by WP, though your situation indicates that this can sometimes result in unpleasant enumeration attacks.

    Good luck as you set up your site.

    manni65929

    (@manni65929)

    So as much as Boone Gorges tells it here – he’s not giving a fuck. That’s what you often have when it comes down to security and buddypress.

    Felty

    (@felty)

    Well… Although I liked the way BuddyPress worked, it just got really bad because not all users will do this for themselves and keep the user names the same.

    But ProfileGrid allows you to have better privacy between users and you can set profiles to be private by default:

    https://wordpress.org/plugins/profilegrid-user-profiles-groups-and-communities/

    This is a major issue – they should not have a default that reveals usernames. While this could be WP core’s responsibility it should not be because it would require additional friction when creating an account. BP should *not* reveal usernames in its directory – that’s just a dumb, dumb security decision.

    How are you doing with ProfileGrid? It looks like a nice alternative to BP (which, tbh, has always seemed a little ‘off’ in its usability).

Viewing 4 replies - 1 through 4 (of 4 total)
  • You must be logged in to reply to this review.