Support » Plugin: CoursePress Learning Management System » Security ISSUE !!

Viewing 14 replies - 1 through 14 (of 14 total)
  • Moderator Jan Dembowski

    (@jdembowski)

    Brute Squad and Volunteer Moderator

    Please don’t post the same topic multiple times. Your 3 duplicates have been deleted.

    And it then displays the Admins username on the site .. which is VERY INSECURE !

    I’m not familiar with this plugin but I can say that displaying the userID alone isn’t insecure or a security issue.

    I did say in one of my Posts that they were not appearing to me on the Support page and apologised if they did.

    Any login credentials, userID, gives an unwanted step up into unlocking a system.
    And it should definitely NOT be an Admin one accessed in this way.

    Moderator Jan Dembowski

    (@jdembowski)

    Brute Squad and Volunteer Moderator

    Well… it may not be desirable to you but again, a userID does not insecure a system make.

    If it were, then Google, Twitter, WordPress and many more systems would be insecure. They’re not, because the security lies in the user authentication. Normally that means passwords, and everyone should pick strong ones. But there are 2-factor authentication systems too, and those can often be used.

    Jan,

    They are insecure. That’s the point! Just because others do it that way doesn’t make them secure.

    In fact, what’s the first thing we are always told about WP installations? Don’t have admin as the site admin’s username. Why not? Because then a hacker only has to guess one thing, the password, instead of two.

    So jrpmedia makes an excellent point — or he would be if the plugin had the limitation of being able to create only one instructor. Thankfully, while the plugin does have several (in my view, significant) problems, this isn’t one of them.

    Hi there,

    I hope you are well today and thank you for your question.

    The CoursePress plugin doesn’t display the instructor’s username but their display name, which you can set to something different from the username on the user profile page.

    You will find more information about user profile page on the following page.

    http://codex.wordpress.org/Users_Your_Profile_Screen

    Please advise if you have more questions.

    Cheers,
    WPMU DEV

    Hi WPMU DEV Member,

    Since the latest update I can display the UserName on a Page as you suggest … BUT

    I also get spurious code on the page:
    [course_instructor_avatar instructor_id=”1″ thumb_size=”235″ class=”instructor_avatar_full”]

    Thx,

    +1

    I don’t want the URL to show my admin username.

    I’m also getting that code on the instructor profile page. I have avatars turned off. I don’t need or want one.

    I’m the only instructor. I tried adding another instructor to avoid the URL issue, but it wouldn’t accept the same email address. I don’t want to use a different email address.

    I also tried adding an avatar to see if that code would disappear. I can’t find anywhere to add an avatar! I’m using the CoursePress theme.

    I also have the same concern. Even though I have set mine to use my “nicename” instead of admin name, it still links through with the admin login name in my instructor field and instead of showing the avatar image that displays on the course description page, it shows

    [course_instructor_avatar instructor_id=”1″ thumb_size=”235″ class=”instructor_avatar_full”]

    Hi there,

    I have notified the plugin developer to get his reply about the security issue of displaying username in URL.

    The plugin developer will reply here shortly.

    To help keep support tickets separate, could you please open a new thread for your new question. This helps to prevent any confusion (for us) as I’m sure you understand.

    This might also help other members looking for a similar answer. 🙂

    Cheers,
    WPMU DEV

    This is absolutely a security issue 🙁

    Hey again thefreebird 🙂

    As my colleague above mentioned, the developer should be checking into this shortly. Thanks for bumping the thread, I’ll send another note to the developer on this.

    Have a great rest of your day!

    Cheers,
    Tyler

    Plugin Author Timothy Bowers

    (@gmax21)

    Hey all,

    Using an insecure password is the main issue, but if the username is a worry then you should consider two-factor authentication. WordPress itself displays your username in the author URL:

    /author/username

    So you’ll want a plugin to stop WordPress doing the same if you believe this is a security concern. WP Tavern’s Jeff Chandler covered this earlier in the year:

    Why Showing The WordPress Username Is Not A Security Risk

    To quote a couple of other names (in the comments) from this article, Jim Walker:

    I can tell you from ten years fixing hacked web sites that WordPress password related hacking is the least serious issue on the board (though it gets a lot of press for some odd reason).

    The main reason why clients are hacked has less to do with passwords and more to do with clients not updating their plugins, themes and WordPress installations.

    Mika aka Ipstenu:

    I also deal with hacked sites, and I concur. Brute force password attacks tend to kill a server before someone actually gets in.

    The common reasons I see for being hacked:

    * Old versions of WP
    * Out of date plugins/themes
    * Inactive plugins/themes with security holes (“I’m not using it, why should I update?”)
    * Third party (non WP) code on the account
    * Virus on the computer captured passwords (this one happened to me, hush)
    * Rogue admin installed backdoor

    The last two are fairly exceptional.

    And one other thing covered in the comments, developers fixing security issues as and when they’re found.

    I’ve not freelanced for a few years now, but this was my general experience, including with other systems, not just WordPress. I’d imagine if this were a huge security issue then WordPress.com and Edublogs would be major targets and they would have been hacked tons of times; they both power millions of websites.

    Anyway, that said and done, our developer is making an update that will hash the username. This will ensure the slug is still unique and solve this issue for you all. 🙂

    Keep an eye out for that update 🙂

    Plugin Author WPMU DEV – Your WordPress Toolkit

    (@wpmudev)

    WPMU DEV Support Staff

    Good news everybody!

    We have added an additional option to HIDE the instructor username and use an MD5 hashed value instead.

    You can find the option under PRIVACY section of the CoursePress settings.

    Cheers,
    Marko
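To make the slug scheme from the last two posts concrete, here is an added, language-neutral illustration (not CoursePress or WordPress code) of why an unkeyed MD5 of a login only hides the name from casual view, and what a site-secret keyed slug looks like instead. The user records and the site secret are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample instructors: (user_id, user_login, display_name).
USERS = [
    (1, "admin", "Site Owner"),
    (2, "jane.doe", "Jane Doe"),
]

def md5_slug(user_login: str) -> str:
    """Unkeyed MD5 of the login, as the thread describes the plugin option.
    The value is unique per login but fully determined by it, so anyone who
    knows or guesses the login can recompute it: obfuscation, not secrecy."""
    return hashlib.md5(user_login.encode("utf-8")).hexdigest()

def keyed_slug(user_login: str, site_secret: bytes) -> str:
    """Assumed hardening (not the plugin's): HMAC-SHA256 under a per-site
    secret. Still unique per login, but not recomputable without the key."""
    return hmac.new(site_secret, user_login.encode("utf-8"),
                    hashlib.sha256).hexdigest()

def build_slug_index(users, slug_fn) -> dict:
    """slug -> user_id mapping a site would store once (e.g. in user meta)
    so /instructor/<slug>/ resolves without ever putting the login in a URL."""
    return {slug_fn(login): uid for uid, login, _ in users}

def resolve_instructor(slug: str, index: dict):
    """Route an incoming slug back to a user id, or None if unknown."""
    return index.get(slug)

def public_profile(user, slug_fn) -> dict:
    """What the profile page should expose: display name and slug only."""
    uid, login, display = user
    return {"display_name": display, "slug": slug_fn(login)}

if __name__ == "__main__":
    secret = b"constructed-site-secret"
    for uid, login, _ in USERS:
        print(login, md5_slug(login), keyed_slug(login, secret)[:16])
```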
