This topic has 19 replies, 3 voices, and was last updated 9 years ago by Roader.

  • Author
  • #151645
     Roader
    Participant

    In English:

    My friend Radu, please, read.

    There are 4 weak points that SweedDate has.

    1) Many plugins equal more resource consumption and possible vulnerabilities.

    For that reason: if bbPress is not necessary for the Blog, or nothing in the Theme depends on it… But when I disable bbPress, the Blog does not work. This is only an example.

    The Theme needs more secure internal functions (PHP).

    Security Plugins:

    A) WangGuard. But this does not work well with the Theme.

    B) All In One WP Security and Firewall. It works, but its Captchas do not work with SD. I.e.

    Captcha for Login. This affects the Default Login Form or BuddyForm (Profile / Login… you know). Why? Because the Captcha is not compatible with this Form! When you enable this Captcha in Plugin Options, you can't Login.

    C) WordFence. This plugin has a very nice option, but it does not work with SD. The function is: Force all members to use Strong Passwords.

    2) The Theme has no default Captcha for: Login forms, Registration Forms, Forgot My Password Form and Comment Form (Blog).

    Maybe reCaptcha or another that is safe, simple and functional (enable and disable from Theme Options).

    3) The Username is exposed in: Profile @yourusername (BuddyPress). Pretty info for a Hacker!

    Behind the Public Name (in the HTML links):

    http://www.yoursite.com/author/yourusername (Blog Posts, Comments).

    http://www.yoursite.com/members/yourusername (BuddyPress ==> Comments, Widgets, Messages, etc.)

    http://www.yoursite.com/forums/profile/yourusername   (bbPress).

    4) Anyone can register with unsafe emails. This is because the PHP function to prevent that does not work with the Theme.

    In Spanish:

    Point three is very important.

    1) The first weak point is that the Theme depends on too many external Plugins, instead of including more secure internal functions. And some security Plugins do not work well.

    2) It has no Captcha on the Login form, on the Login to the Dashboard, Forgot Your Password, and Registration (two registrations actually).

    3) It allows the Username (the one you log in with) to be Exposed to any Hacker.

    4) Anyone can register with fake emails. The code to prevent this does not work.

    For the moment those are the points. Now I will explain them, hoping that my friend Radu does not think I am asking for Customization.

    This, gentlemen, is a problem that concerns us all.

    1) The more plugins, the heavier WordPress becomes and the more vulnerable. I think you know that. That is why it is better to use functions.php as much as possible, with Secure lines.

    Three Security Plugins:

    A- WangGuard. Does not work well with the Theme.

    B- All In One WP Security and Firewall. This one works but… The Captcha it includes does NOT work with the Theme. There is a Captcha for the Login. It appears on the Login to the Dashboard, but it affects the Login on the Home Page (Profile / Login), since the Captcha is not shown there; it stays hidden and does NOT allow you to Log in.

    C- WordFence. It has a function to force all Users to use strong Passwords, but this function does NOT work with the BuddyPress-based Theme.

    2) Explained in point 1b.

    The recommended thing is for the Theme to include some simple Captcha for those areas where it is required, and also one for Comments (on the Blog, since the AIOWSF one does not work). Such a simple Captcha could be enabled in Theme Options.

    3) BuddyPress exposes the Username on the Profile, where it is shown, for example, as: @jonhdoe.

    It is also shown when you go to make a Mention or send a Public Message.

    This is NOT Secure at all.

    The Username is shown in the HTML Links behind the Public Name. For example:

    http://www.tusitio.com/author/tunombredeusuario (on the Blog)

    http://www.tusitio.com/members/tunombredeusuario (activity, comments, widgets, etc. of BuddyPress)

    http://www.tusitio.com/forums/profile/tunombredeusuario (bbPress)

    I found a function to solve this, replacing the Username with the Nickname, but it only works with author / Posts. It could be improved for the Theme in general… RADU!

    4) That's right, anyone can use fake Email Domains. The function to prevent this, and restrict users to ONLY use yahoo, outlook, etc., does not work with the Theme.

    #151646
     Roader
    Participant

    For My friend Radu.
    I know he dislikes my requests, but I do them for the benefit of all.

    WordFence. Please, check this problem, or… includes. STRONG (LINK)

    FUNCTIONS:

    Point 3: Well, this works, but only with Author Blog / Post, not with Comments, etc.
    This code automatically changes the Username to the Nickname. For BuddyPress @Username in the Profile, check this Code (Link). A simple function based on this would help us.

    // Resolve /author/<nickname>/ requests: find the user whose 'nickname' meta
    // matches and query by numeric author ID instead of by user_nicename.
    // Note: if two users share a nickname, the first row returned wins.
    add_filter( 'request', 'wpse5742_request' );
    function wpse5742_request( $query_vars )
    {
        if ( array_key_exists( 'author_name', $query_vars ) ) {
            global $wpdb;
            $author_id = $wpdb->get_var( $wpdb->prepare( "SELECT user_id FROM {$wpdb->usermeta} WHERE meta_key='nickname' AND meta_value = %s", $query_vars['author_name'] ) );
            if ( $author_id ) {
                $query_vars['author'] = $author_id;
                unset( $query_vars['author_name'] );
            }
        }
        return $query_vars;
    }

    // Build author archive links with the nickname in place of user_nicename,
    // so the login-derived slug is no longer printed in the HTML.
    add_filter( 'author_link', 'wpse5742_author_link', 10, 3 );
    function wpse5742_author_link( $link, $author_id, $author_nicename )
    {
        $author_nickname = get_user_meta( $author_id, 'nickname', true );
        if ( $author_nickname ) {
            $link = str_replace( $author_nicename, $author_nickname, $link );
        }
        return $link;
    }

    Point 4:

    I found this, but it does not work. Please check it.

    CODE 1.

    // Restrict WordPress Registration to Email Whitelist
    // registration_errors is a filter: the callback must return the WP_Error object.
    add_filter( 'registration_errors', 'sizeable_restrict_domains', 10, 3 );
    function sizeable_restrict_domains( $errors, $login, $email ) {
        $whitelist = array( "yahoo.com", "hotmail.com" );
        if ( is_email( $email ) ) {
            // The domain is everything after the last '@', compared case-insensitively.
            $parts  = explode( '@', $email );
            $domain = $parts[ count( $parts ) - 1 ];
            if ( ! in_array( strtolower( $domain ), $whitelist, true ) ) {
                $errors->add( 'email_domain', __( 'ERROR: You may only register with an approved email address.' ) );
            }
        }
        return $errors;
    }

    CODE 2.

    // Restrict WordPress Registration to Email Whitelist
    function is_valid_email_domain( $login, $email, $errors ) {
        $valid_email_domains = array( "yahoo.com", "hotmail.com", "outlook.com", "gmail.com", "aol.com", "mail.com" ); // whitelist email domain list
        // Compare the part after the last '@' exactly. The original suffix match
        // (substr of the last N characters) also accepted e.g. "user@notgmail.com".
        $at = strrpos( $email, '@' );
        $current_email_domain = ( $at === false ) ? '' : strtolower( substr( $email, $at + 1 ) );
        $valid = in_array( $current_email_domain, array_map( 'strtolower', $valid_email_domains ), true );
        // if invalid, add an error message (the WP_Error object is shared, so no return is needed)
        if ( $valid === false ) {
            $errors->add( 'domain_whitelist_error', __( '<strong>ERROR</strong>: you can only register using an email address from an approved domain' ) );
        }
    }
    add_action( 'register_post', 'is_valid_email_domain', 10, 3 );
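    The two snippets above only hook the core wp-login.php registration, which is why they have no effect on a BuddyPress registration form. The following is an added example, not code from this thread or from SweetDate/BuddyPress: one allow-list check (domain taken after the last '@', exact match, lower-cased) wired to both the core `registration_errors` filter and BuddyPress's `bp_signup_validate` action, which records errors in `$bp->signup->errors` the same way the password check later in this thread does. The `ex_` function names and the domain list are this example's own.

```php
<?php
/*
Plugin Name: Example Allowed Email Domains (added example)
Description: Rejects sign-ups whose email domain is not on an allow-list, on both the
core WordPress registration form and the BuddyPress registration form.
*/

// Allow-list of registrable domains. Constructed example values; edit to taste.
function ex_allowed_email_domains() {
    return array( 'yahoo.com', 'outlook.com', 'hotmail.com', 'gmail.com' );
}

// Lower-cased domain part of an address, or '' when there is no '@'.
// Splitting at the last '@' means "user@notgmail.com" is compared as
// "notgmail.com", which a bare suffix match would wrongly accept.
function ex_email_domain( $email ) {
    $email = trim( (string) $email );
    $at    = strrpos( $email, '@' );
    if ( $at === false ) {
        return '';
    }
    return strtolower( substr( $email, $at + 1 ) );
}

function ex_email_domain_allowed( $email ) {
    $domain = ex_email_domain( $email );
    if ( $domain === '' ) {
        return false;
    }
    return in_array( $domain, ex_allowed_email_domains(), true );
}

// Core form (wp-login.php?action=register): registration_errors is a filter,
// so the WP_Error object must be returned.
add_filter( 'registration_errors', 'ex_restrict_core_registration', 10, 3 );
function ex_restrict_core_registration( $errors, $user_login, $user_email ) {
    if ( ! ex_email_domain_allowed( $user_email ) ) {
        $errors->add( 'email_domain', __( 'ERROR: You may only register with an approved email address.' ) );
    }
    return $errors;
}

// BuddyPress form: it validates separately, so hook its own action and store the
// error under the field name ('signup_email') that the BP template reads back.
add_action( 'bp_signup_validate', 'ex_restrict_bp_registration' );
function ex_restrict_bp_registration() {
    global $bp;
    $email = isset( $_POST['signup_email'] ) ? wp_unslash( $_POST['signup_email'] ) : '';
    if ( ! ex_email_domain_allowed( $email ) ) {
        $bp->signup->errors['signup_email'] = __( 'You may only register with an approved email address.', 'buddypress' );
    }
}
```

    Drop the file into wp-content/mu-plugins/ so it loads before the theme. The check is deliberately an exact match on the registered domain; if you want to admit subdomains of an allowed domain, compare against the suffix only after confirming it is preceded by a dot.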
    #151874
     Roader
    Participant

    In Spanish first.

    Look at this, Laura. Not even your own page is fully protected.

    If you type this in the address bar:

    https://seventhqueen.com/?author=1

    You get this:

    https://seventhqueen.com/author/sqadmin

    Here, sqadmin is the master username for accessing the site; it is enough to apply some Brute Force Attack techniques to gain access to your database and site.

    This vulnerability is called: WP User Enumeration.

    WordFence, All In One WP Security and certain .htaccess Rules solve this problem. However, it is not enough, since the Username remains exposed in the Posts. You only need to Right-Click on the Public name, Inspect Element (HTML). So there you see: https://archived.seventhqueen.com/forums/users/laura

    In conclusion: SweetDate, Kleo, BuddyApp are NOT secure themes, because the Usernames remain Exposed to any Malicious person.

    Solution: Radu should improve the PHP code I shared here, so that all usernames are automatically changed to Nicknames in buddypress, comments, widgets, etc. in all links. Including that BP / Profile @johndoe one (example).

    Explain it clearly in English to the Team. THIS IS NOT A WHIM. IT IS A SECURITY PROBLEM.

    #151878
     Roader
    Participant

    So, if we add to that the other thing I said, that the WordFence function “Force Users to use strong passwd” does NOT work with the Theme, or that the code to allow only secure Email domains does not work either, or that the AIOWSF Captchas do not work either, the Theme is even more vulnerable.

    Radu thinks I am abusing his trust by asking him to work on this security. So he has been ignoring me and only replies that this Customization is not covered by Support. And I repeat: it is NOT a customization, it is a SECURITY Problem that affects all 7thQ customers.

    I hope that you, Laura, understand the matter and talk to him and the others for a QUICK solution.

    #151907
     Abe
    Keymaster

    Hi, please write in English only, our staff responds in English only.

    #151908
     Radu
    Moderator

    Hi,

    We are not responsible for the vulnerabilities from certain plugins; we are here only to help you with bugs and questions related to our products.

    Your bbPress issue can be caused by the child theme.

    Cheers
    R.

    #151936
     Roader
    Participant

    Sorry Radu, I appreciate you, but we do not agree on this point. Security is very important and for all. So, you need to buy a Safe Theme!

    Hi Abe, keymaster.

    In summary:

    Your site is vulnerable. For example, put this in the browser address bar:

    https://seventhqueen.com/?author=1

    And, voilà! Your login username is revealed. It is: sqadmin

    This vulnerability is called: WP User Enumeration.

    So, using Brute Force Attack, DDoS, or SQL Injection or whatever, your site could be hacked.

    —————–
    The other problem is that your Theme (SweetDate) has 3 weak points:
    Please, read my comments: #151645 and #151646

    AND PLEASE, RADU, we need the optimized functions.php, PLEASE! You are a master in PHP, so.
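    Both this post and #151874 describe the same probe: a front-end request for /?author=N is answered by WordPress's canonical redirect with /author/<user_nicename>/, and by default user_nicename is derived from the login name. As an added example (not code from this thread, from SweetDate or from any of the plugins named here), the must-use plugin below refuses numeric author probes on the front end before the canonical redirect runs, and logs them so the attempts are visible in the web server's error log. The `ex_` function names are this example's own.

```php
<?php
/*
Plugin Name: Example Author Enumeration Guard (added example)
Description: Stops front-end /?author=N requests from redirecting to /author/<user_nicename>/.
*/

// Is this query a numeric author-ID probe? Pure function over the $_GET array so the
// decision can be tested without WordPress loaded. Named /author/<slug>/ requests
// arrive as 'author_name', not 'author', and are left alone.
function ex_is_author_id_probe( array $query ) {
    if ( ! isset( $query['author'] ) ) {
        return false;
    }
    return (bool) preg_match( '/^\d+$/', (string) $query['author'] );
}

// 'init' runs before redirect_canonical() (hooked to template_redirect), which is the
// function that turns ?author=1 into the username-bearing URL.
add_action( 'init', 'ex_block_author_id_probe' );
function ex_block_author_id_probe() {
    if ( is_admin() ) {
        return; // /wp-admin/edit.php?author=N is the legitimate "filter by author" view.
    }
    if ( ! ex_is_author_id_probe( $_GET ) ) {
        return;
    }
    // Same response for every ID, existing or not, so the status code itself does not
    // reveal which account numbers are in use.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    error_log( sprintf( 'author enumeration probe blocked: author=%s from %s', (string) $_GET['author'], $ip ) );
    status_header( 403 );
    nocache_headers();
    exit;
}
```

    This only closes the /?author=N path the thread demonstrates; the author slug still appears in author archive links and BuddyPress member URLs, which is the separate nicename problem discussed further down.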

    #151937
     Roader
    Participant

    A gift and example.

    # Protect Headers
    Header set X-XSS-Protection "1; mode=block"
    Header set X-Content-Type-Options nosniff
    # Send one X-Frame-Options value only. Appending SAMEORIGIN and then DENY produces
    # "SAMEORIGIN, DENY", which browsers treat as invalid and ignore.
    Header always set X-Frame-Options "SAMEORIGIN"
    # Legacy prefixed name; current browsers read Content-Security-Policy instead.
    Header set X-Content-Security-Policy "allow 'self';"
    Header always unset "X-Powered-By"
    # Add HttpOnly to any Set-Cookie that does not already carry it (note the \s escape).
    Header always edit Set-Cookie "(?i)^((?:(?!;\s?HttpOnly).)+)$" "$1; HttpOnly"

    # Protect Wp-Includes
    # Block the include-only files.
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F,L]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]
    </IfModule>

    #151940
     Roader
    Participant

    OTHER THING, ABE, KEYMASTER:

    For the next Update, PLEASE, Optimize (minify) the necessary css, js and images by default. Your Theme is slow!

    I’ve been trying to improve the loading of files by default for weeks,
    but I can’t get past 80% for PC and 70% for Mobile.

    And yes, I’m using Gzip Compression and Wp Super Cache, but… you can see.

    #151992
     Roader
    Participant

    My friend Radu.

    I see where the problem is.

    By default, WordPress generates the nickname based on the User Name.

    If one changes the Nickname, then the Username is not exposed.

    However, doing this task manually is very tedious on a site with BuddyPress.

    Therefore, what we need is only a PHP code which automatically changes the Nickname based on the First Name and Last Name of the User.

    So please, help us with that.

    Photo 1: New User.
    Photo 2–3: Custom User.

    #151997
     Roader
    Participant

    RADU, for example:
    But it does not work, I don't know why! :-/

    // Runs once, right after the account row is created. first_name/last_name must
    // already be stored in user meta at this point; if the registration form did
    // not save them yet, $name is a blank string and nothing useful is set.
    function set_default_display_name( $user_id ) {
      $user = get_userdata( $user_id );
      $name = sprintf( '%s %s', $user->first_name, $user->last_name );
      $args = array(
        'ID' => $user_id,
        'display_name' => $name,
        'nickname' => $name
      );
      wp_update_user( $args );
    }
    add_action( 'user_register', 'set_default_display_name' );

    Source: quick-tip-set-the-default-display-name-for-wordpress-users

    #151998
     Roader
    Participant

    RADU. The Solution for changing username / nickname is:

    But please, check the Register Form, I don't know why! The code for valid Emails does not work. And Force Strong Passwd does not work.

    // Set display name, nickname and user_nicename (the slug used in /author/<slug>/
    // and BuddyPress member URLs) from the real name, so the login is not printed.
    function set_default_display_name( $user_id ) {
        $user = get_userdata( $user_id );
        $name = sprintf( '%s %s', $user->first_name, $user->last_name );
        $nickname = strtolower( str_replace( ' ', '', $name ) );
        $args = array(
            'ID' => $user_id,
            'display_name' => $name,
            'nickname' => $nickname,
            'user_nicename' => $nickname
        );
        wp_update_user( $args );
    }
    add_action( 'user_register', 'set_default_display_name' );
    #151999
     Roader
    Participant

    UPDATE CODE:

    // Same as above, with the slug passed through sanitize_user(). Guard added: if
    // both names are empty the slug is '', and wp_update_user() would then silently
    // fall back to a slug derived from the login, re-exposing it.
    function set_default_display_name( $user_id ) {
        $user = get_userdata( $user_id );
        $name = trim( sprintf( '%s %s', $user->first_name, $user->last_name ) );
        $nickname = sanitize_user( strtolower( str_replace( ' ', '', $name ) ) );
        if ( $nickname === '' ) {
            return;
        }
        $args = array(
            'ID' => $user_id,
            'display_name' => $name,
            'nickname' => $nickname,
            'user_nicename' => $nickname // WordPress appends -2, -3, ... if another user already has this slug
        );
        wp_update_user( $args );
    }
    add_action( 'user_register', 'set_default_display_name' );
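    The three versions above all derive the slug from first and last name, which BuddyPress collects as profile fields rather than user meta, so on a BuddyPress site the name can still be empty when user_register fires. As an added example (not from this thread, SweetDate or BuddyPress), the snippet below keeps the same idea but separates the slug derivation into a function that can be reasoned about on its own, falls back to a random slug instead of leaving the login-derived one in place, and respects the 50-character limit of the user_nicename column. By default BuddyPress builds /members/<slug>/ URLs and @mention names from user_nicename (unless "username compatibility mode" is enabled), so this is the field that matters for the /members/ and @username exposure described in #151645. The `ex_` names are this example's own.

```php
<?php
// Added example: give every new account a user_nicename that is not derived from
// the login name. Function names are this example's own, not SweetDate's.

// Derive a URL slug from the real name. When no name is available, or the derived
// slug would equal the login slug anyway, use a random slug instead.
function ex_public_slug_for( $first_name, $last_name, $user_login ) {
    $name = trim( $first_name . ' ' . $last_name );
    $slug = sanitize_title( $name ); // lower-case, dashes, accents transliterated
    if ( $slug === '' || $slug === sanitize_title( $user_login ) ) {
        // 8 random alphanumerics; lower-cased because sanitize_title would do so anyway.
        $slug = 'member-' . strtolower( wp_generate_password( 8, false ) );
    }
    // user_nicename is a 50-character column; wp_insert_user() rejects longer values.
    return substr( $slug, 0, 50 );
}

add_action( 'user_register', 'ex_set_public_slug' );
function ex_set_public_slug( $user_id ) {
    $user = get_userdata( $user_id );
    if ( ! $user ) {
        return;
    }
    $slug    = ex_public_slug_for( $user->first_name, $user->last_name, $user->user_login );
    $display = trim( $user->first_name . ' ' . $user->last_name );

    // wp_update_user() appends -2, -3, ... when another account already owns $slug,
    // so two "John Smith" registrations do not collide.
    wp_update_user( array(
        'ID'            => $user_id,
        'user_nicename' => $slug,
        'nickname'      => $slug,
        'display_name'  => ( $display !== '' ) ? $display : $slug,
    ) );
}
```

    This only covers accounts created after the hook is installed; existing members keep their login-derived slug until it is rewritten the same way, which is a one-off loop over get_users() that should be run once and checked on a staging copy first.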
    #152037
     Roader
    Participant

    Limit buddypress (sweetdate) user email domains:

    SOLUTION:

    Create a basic plugin: restricted-email-domains.php

    <?php
    /*
    Plugin Name: Restricted Email Domains
    Description: Restricts registration user email addresses to @valid-domains.com
    From: http://old.webit.ca/2011/03/limit-user-email-domains-in-buddypress/
    Version: 1.0
    */
    // 'limited_email_domains' is the option WordPress Multisite uses for "Limited Email
    // Registrations"; BuddyPress's signup validation reads it on single-site installs too,
    // so storing it here makes the BP registration form reject other domains.
    // add_option() does nothing if the option already exists, so edit it via
    // update_option() (or delete it first) when changing the list.
    add_option( 'limited_email_domains', array( 'yahoo.com', 'outlook.com', 'hotmail.com', 'gmail.com', 'aol.com', 'mail.com' ) );

    Then, Radu, help me with Force users to use Strong Passwords in BP.

    #152038
     Roader
    Participant

    Radu, please, check this, and give the right code…
    https://buddypress.org/support/topic/minimum-password-strength/

    #152043
     Roader
    Participant
    // Force strong password BuddyPress plugin

    // Runs during BuddyPress sign-up validation; errors stored in $bp->signup->errors
    // are shown next to the matching form field.
    function lehelmatyus_validation() {
        global $bp;

        if ( ! empty( $_POST['signup_password'] ) ) {
            if ( ! valid_pass( $_POST['signup_password'] ) ) {
                $bp->signup->errors['signup_password'] = __( 'Your password is not strong enough. It needs to be at least 8 characters long, and must contain at least: 1 lowercase character (a-z), 1 uppercase character (A-Z), 1 number (0-9) and 1 special character (!@#..)', 'buddypress' );
            }
        }
    }
    add_action( 'bp_signup_validate', 'lehelmatyus_validation' );

    function valid_pass( $candidate ) {
        $r1 = '/[A-Z]/';  // Uppercase
        $r2 = '/[a-z]/';  // lowercase
        // Special characters. The hyphen must be escaped: unescaped, ")-_" is a
        // character range that also matches every digit and capital letter, so the
        // original check passed for passwords with no special character at all.
        $r3 = '/[!@#$%^&*()\-_=+{};:,<.>]/';
        $r4 = '/[0-9]/';  // numbers

        if ( preg_match( $r1, $candidate ) < 1 ) return FALSE;
        if ( preg_match( $r2, $candidate ) < 1 ) return FALSE;
        if ( preg_match( $r3, $candidate ) < 1 ) return FALSE;
        if ( preg_match( $r4, $candidate ) < 1 ) return FALSE;
        if ( strlen( $candidate ) < 8 ) return FALSE;

        return TRUE;
    }
    #152046
     Roader
    Participant

    Well, my friend, only the Captchas 😉

    #152106
     Abe
    Keymaster

    @montecci01 any custom code should be handled by you with the help of a developer, if that is the case.
    Our team can't assess all the code you send.
    In case there is a theme issue or code that can be optimised, we will gladly accept any snippets and suggestions.

    Please stick to theme related questions!!

    #152157
     Roader
    Participant

    Hello Abe, I spent hours looking for solutions. And I shared them here.

    I just need to put Captchas in the Theme.

    On your part, please improve the PageSpeed Insights and GTmetrix results.
    Check Comment #151940

    #152161
     Roader
    Participant

    Abe, check #151936

    You need to protect your site seventhqueen.com

    Your site is vulnerable.


The topic ‘SweetDate – Security: Weak Points’ is closed to new replies.
