February 1, 2017 at 23:04 #151645 Roader (Participant)
In English:
My friend Radu, please, read.
There are 4 weak points that SweetDate has.
1) Many plugins mean more resource consumption and possible vulnerabilities.
For that reason, if bbPress is not necessary for the blog, or nothing in the theme depends on it… But when I disable bbPress, the blog does not work. This is only an example.
The theme needs more secure internal functions (PHP).
Security plugins:
A) WangGuard. But this does not work well with the theme.
B) All In One WP Security and Firewall. It works, but its captchas do not with SD. I.e.
Captcha for login. This affects the default login form or BuddyForm (Profile / Login… you know). Why? Because the captcha is not compatible with this form! When you enable this captcha in the plugin options, you can't log in.
C) WordFence. This plugin has a very nice option, but it does not work with SD. The function is: force all members to use strong passwords.
2) The theme has no default captcha for: login forms, registration forms, Forgot My Password form and comment form (blog).
Maybe reCaptcha or another one that is safe, simple and functional (enable and disable from Theme Options).
3) The username is exposed in: Profile @yourusername (BuddyPress). Pretty info for a hacker!
Behind the public name (in the HTML links):
http://www.yoursite.com/author/yourusername (blog posts, comments).
http://www.yoursite.com/members/yourusername (BuddyPress ==> comments, widgets, messages, etc.)
http://www.yoursite.com/forums/profile/yourusername (bbPress).
4) Anyone can register with unsafe emails. This is because the PHP function to prevent that does not work with the theme.
In Spanish (translated):
Point three is very important.
1) The first weak point is that the theme depends on too many external plugins, instead of including more secure internal functions. And some security plugins do not work well.
2) It has no captcha on the login form, on the login to the Dashboard, on Forgot Password and on Registration (two registrations, actually).
3) It allows the username (the one used to log in) to be exposed to any hacker.
4) Anyone can register with fake emails. The code to prevent this does not work.
For now these are the points. Now I will explain them, hoping that my friend Radu does not think I am asking for customization.
This, gentlemen, is a problem that concerns all of us.
1) The more plugins, the heavier WordPress becomes and the more vulnerable. I think you know that. That is why it is better to use functions.php with secure lines as much as possible.
Three security plugins:
A– WangGuard. Does not work well with the theme.
B– All In One WP Security and Firewall. This one works but… the captcha it includes does NOT work with the theme. There is a captcha for the login. It appears on the login to the Dashboard, but it affects the login on the home page (Profile / Login), since the captcha is not shown there; it stays hidden and does NOT allow logging in.
C– WordFence. It has a function to force all users to use strong passwords, but this function does NOT work with the BuddyPress-based theme.
2) Explained in point 1b.
The recommendation is that the theme include some simple captcha for the areas where it is required, and also one for comments (on the blog, since the AIOWSF one does not work). Such a simple captcha could be enabled in Theme Options.
3) BuddyPress exposes the username on the profile, where it is shown for example as: @jonhdoe.
It is also shown when one goes to make a mention or send a public message.
This is NOT secure at all.
The username is shown in the HTML links behind the public name. For example:
http://www.tusitio.com/author/tunombredeusuario (on the blog)
http://www.tusitio.com/members/tunombredeusuario (BuddyPress activity, comments, widgets, etc.)
http://www.tusitio.com/forums/profile/tunombredeusuario (bbPress)
I found a function to solve this, replacing the username with the nickname, but it only works with author / posts. It could be improved for the theme in general… RADU!
4) That's right, anyone can use fake email domains. The function to prevent this, and to restrict users to ONLY use yahoo, outlook, etc., does not work with the theme.
February 1, 2017 at 23:16 #151646 Roader (Participant)
For my friend Radu.
I know he dislikes my requests, but I do them for the benefit of all.
WordFence. Please, check this problem, or… includes. STRONG (LINK)
FUNCTIONS:
Point 3: Well, this works, but only with author blog / posts, not with comments, etc.
This code automatically changes the username to the nickname. For the BuddyPress @Username in the profile, check this code (link). A simple function based on this would help us.

```php
// Resolve /author/<nickname>/ URLs: look the nickname up in usermeta and
// rewrite the query to the matching author ID.
add_filter( 'request', 'wpse5742_request' );
function wpse5742_request( $query_vars ) {
    if ( array_key_exists( 'author_name', $query_vars ) ) {
        global $wpdb;
        $author_id = $wpdb->get_var( $wpdb->prepare(
            "SELECT user_id FROM {$wpdb->usermeta} WHERE meta_key = 'nickname' AND meta_value = %s",
            $query_vars['author_name']
        ) );
        if ( $author_id ) {
            $query_vars['author'] = $author_id;
            unset( $query_vars['author_name'] );
        }
    }
    return $query_vars;
}

// Generate author links with the nickname instead of the user_nicename
// (which by default is derived from the login name).
add_filter( 'author_link', 'wpse5742_author_link', 10, 3 );
function wpse5742_author_link( $link, $author_id, $author_nicename ) {
    $author_nickname = get_user_meta( $author_id, 'nickname', true );
    if ( $author_nickname ) {
        $link = str_replace( $author_nicename, $author_nickname, $link );
    }
    return $link;
}
```
Point 4:
I found this, but it does not work. Please, check it.
CODE 1.

```php
// Restrict WordPress registration to an email domain whitelist.
// 'registration_errors' is a filter, so the callback must return $errors.
add_filter( 'registration_errors', 'sizeable_restrict_domains', 10, 3 );
function sizeable_restrict_domains( $errors, $login, $email ) {
    $whitelist = array( 'yahoo.com', 'hotmail.com' );
    if ( is_email( $email ) ) {
        $parts  = explode( '@', $email );
        $domain = $parts[ count( $parts ) - 1 ];
        if ( ! in_array( strtolower( $domain ), $whitelist, true ) ) {
            $errors->add( 'email_domain', __( 'ERROR: You may only register with an approved email address.' ) );
        }
    }
    return $errors;
}
```

CODE 2.

```php
// Restrict WordPress registration to an email domain whitelist.
function is_valid_email_domain( $login, $email, $errors ) {
    // Whitelisted email domains.
    $valid_email_domains = array( 'yahoo.com', 'hotmail.com', 'outlook.com', 'gmail.com', 'aol.com', 'mail.com' );
    // Compare the whole domain after the last '@', not only the string suffix:
    // a plain suffix check would accept "user@notyahoo.com" for "yahoo.com".
    $at     = strrpos( $email, '@' );
    $domain = ( false === $at ) ? '' : strtolower( substr( $email, $at + 1 ) );
    $valid  = in_array( $domain, array_map( 'strtolower', $valid_email_domains ), true );
    // If invalid, add an error message.
    if ( false === $valid ) {
        $errors->add( 'domain_whitelist_error', __( '<strong>ERROR</strong>: you can only register using an email address from an approved domain' ) );
    }
}
// 'register_post' passes ( $sanitized_user_login, $user_email, $errors ).
add_action( 'register_post', 'is_valid_email_domain', 10, 3 );
```
February 3, 2017 at 18:56 #151907 Abe (Keymaster)
Hi, please write in English only, our staff responds in English only.
February 3, 2017 at 18:58 #151908 Radu (Moderator)
Hi,
We are not responsible for the vulnerabilities of certain plugins; we are here only to help you with bugs and questions related to our products.
Your bbPress issue can be caused by the child theme.
Cheers
R.
February 4, 2017 at 23:41 #151992 Roader (Participant)
My friend Radu.
I see where the problem is.
By default, WordPress generates the nickname based on the username.
If one changes the nickname, then the username is not exposed.
However, doing this task manually is very tedious on a site with BuddyPress.
Therefore, what we need is only a PHP code which automatically changes the nickname based on the first name and last name of the user.
So please, help us with that.
Photo 1: New User.
Photo 2–3: Custom User.
February 5, 2017 at 00:10 #151997 Roader (Participant)
RADU, for example:
But it does not work, I don't know why! :-/

```php
// Set display name and nickname from the user's first and last name.
// Note: both names must already be stored when 'user_register' fires.
function set_default_display_name( $user_id ) {
    $user = get_userdata( $user_id );
    $name = sprintf( '%s %s', $user->first_name, $user->last_name );
    $args = array(
        'ID'           => $user_id,
        'display_name' => $name,
        'nickname'     => $name,
    );
    wp_update_user( $args );
}
add_action( 'user_register', 'set_default_display_name' );
```

Source: quick-tip-set-the-default-display-name-for-wordpress-users
February 5, 2017 at 01:10 #151998 Roader (Participant)
RADU. The solution for changing username / nickname is:
But please, check the register form, I don't know why! The code for valid emails does not work. And Force Strong Password does not work.

```php
// Set display name, nickname and user_nicename (the public URL slug)
// from the user's first and last name.
function set_default_display_name( $user_id ) {
    $user     = get_userdata( $user_id );
    $name     = sprintf( '%s %s', $user->first_name, $user->last_name );
    $nickname = strtolower( str_replace( ' ', '', $name ) );
    $args = array(
        'ID'            => $user_id,
        'display_name'  => $name,
        'nickname'      => $nickname,
        'user_nicename' => $nickname,
    );
    wp_update_user( $args );
}
add_action( 'user_register', 'set_default_display_name' );
```
February 5, 2017 at 01:50 #151999 Roader (Participant)
UPDATE CODE:

```php
// Same as above, with the generated slug passed through sanitize_user().
function set_default_display_name( $user_id ) {
    $user     = get_userdata( $user_id );
    $name     = sprintf( '%s %s', $user->first_name, $user->last_name );
    $nickname = sanitize_user( strtolower( str_replace( ' ', '', $name ) ) );
    $args = array(
        'ID'            => $user_id,
        'display_name'  => $name,
        'nickname'      => $nickname,
        'user_nicename' => $nickname,
    );
    wp_update_user( $args );
}
add_action( 'user_register', 'set_default_display_name' );
```
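An added example (not the poster's or the theme's code) that extends the snippet above to the empty-name case: a default WordPress or BuddyPress signup has not stored first and last name yet when `user_register` fires, so the generated slug is empty and WordPress falls back to deriving `user_nicename` from the login, exposing it again. The hook names are real WordPress hooks; the `example_` function names and the `member-` prefix are assumptions.

```php
<?php
// Added example: give every new user a public slug and nickname that never
// fall back to the login name, even when the signup form collected no name.

/**
 * Build the public URL slug for a user. Uses the real name when present;
 * otherwise (or when the name would reveal the login) an opaque random slug.
 */
function example_public_slug_for( WP_User $user ) {
    $name = trim( $user->first_name . ' ' . $user->last_name );
    $slug = sanitize_title( $name );          // "John Doe" -> "john-doe", "" -> ""
    // An empty user_nicename makes WordPress derive it from user_login, which is
    // exactly the exposure this thread is about, so never pass one through.
    if ( '' === $slug || $slug === sanitize_title( $user->user_login ) ) {
        // Hypothetical prefix; wp_generate_password() with special chars off
        // yields random alphanumerics.
        $slug = 'member-' . strtolower( wp_generate_password( 10, false ) );
    }
    return $slug;
}

/**
 * On registration, replace the login-derived public names with safe ones.
 */
function example_hide_login_in_public_names( $user_id ) {
    $user = get_userdata( $user_id );
    if ( ! $user ) {
        return;
    }
    $slug    = example_public_slug_for( $user );
    $display = trim( $user->first_name . ' ' . $user->last_name );
    if ( '' === $display ) {
        $display = $slug;                     // shown instead of the login name
    }
    // wp_update_user() fires 'profile_update', not 'user_register', so this does
    // not re-enter the hook. WordPress appends -2, -3, ... if the slug is taken.
    wp_update_user( array(
        'ID'            => $user_id,
        'display_name'  => $display,
        'nickname'      => $display,
        'user_nicename' => $slug,
    ) );
}
add_action( 'user_register', 'example_hide_login_in_public_names', 20 );
```

Because `/author/<slug>/` and BuddyPress member URLs resolve through `user_nicename`, the old `/author/<login>/` address stops resolving once the slug is changed, which is the point of the exercise.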
February 6, 2017 at 05:03 #152037 Roader (Participant)
Limit BuddyPress (SweetDate) user email domains:
SOLUTION:
Create a basic plugin: restricted-email-domains.php

```php
<?php
/*
Plugin Name: Restricted Email Domains
Description: Restricts registration user email addresses to @valid-domains.com
From: http://old.webit.ca/2011/03/limit-user-email-domains-in-buddypress/
Version: 1.0
*/
// BuddyPress (and multisite WordPress) checks the 'limited_email_domains' option
// during signup validation. add_option() only sets it if it does not exist yet.
add_option( 'limited_email_domains', array( 'yahoo.com', 'outlook.com', 'hotmail.com', 'gmail.com', 'aol.com', 'mail.com' ) );
```

Then, Radu, help me with forcing users to use strong passwords in BP.
February 6, 2017 at 05:08 #152038 Roader (Participant)
Radu, please, check this, and give the right code…
https://buddypress.org/support/topic/minimum-password-strength/
February 6, 2017 at 05:26 #152043 Roader (Participant)

```php
// Force strong password BuddyPress plugin
function lehelmatyus_validation() {
    global $bp;
    if ( ! empty( $_POST['signup_password'] ) ) {
        if ( ! valid_pass( $_POST['signup_password'] ) ) {
            $bp->signup->errors['signup_password'] = __( 'Your password is not strong enough. It needs to be at least 8 characters long, and must contain at least: 1 lowercase character (a-z), 1 uppercase character (A-Z), 1 number (0-9) and 1 special character (!@#..)', 'buddypress' );
        }
    }
}
add_action( 'bp_signup_validate', 'lehelmatyus_validation' );

function valid_pass( $candidate ) {
    $r1 = '/[A-Z]/';                      // uppercase
    $r2 = '/[a-z]/';                      // lowercase
    // Special characters. The hyphen must be escaped: unescaped, ")-_" is a
    // character range that also matches digits and uppercase letters, so a
    // password without any real special character would pass this check.
    $r3 = '/[!@#$%^&*()\-_=+{};:,<.>]/';
    $r4 = '/[0-9]/';                      // numbers
    if ( preg_match( $r1, $candidate ) < 1 ) return false;
    if ( preg_match( $r2, $candidate ) < 1 ) return false;
    if ( preg_match( $r3, $candidate ) < 1 ) return false;
    if ( preg_match( $r4, $candidate ) < 1 ) return false;
    if ( strlen( $candidate ) < 8 ) return false;
    return true;
}
```
February 6, 2017 at 12:59 #152106 Abe (Keymaster)
@montecci01 any custom codes should be handled by you with the help of a developer, if that is the case.
Our team can't assess all the codes you send.
In case there is a theme issue or code that can be optimised, we will gladly accept any snippets and suggestions. Please stick to theme related questions!!
The topic ‘SweetDate – Security: Weak Points’ is closed to new replies.