Search reveals all hidden content...

If a search query returns results that are supposed to be hidden, those results are visible anyway.

In short: a visitor can use the search function to circumvent the protected content filtering.

Does the Membership plugin address this major security flaw in some manner that I've not found yet?

We need search for each of the user types we have on the website (such as visitors, and members of varying levels).

  • pxwm

    Hi @EXPfarm

    I'm unsure whether this is possible within the membership plugin but suggest one option is to write some bespoke code to restrict the WordPress search function to certain pages/posts/permalink/category.

    The WordPress search function can be modified in the theme by inserting an if statement in The Loop to only return search results if they match certain criteria.

    You would have to decide what criteria to check within The Loop because it can only access information contained within The Loop.

    I know you can check the category but not sure if you can capture the membership level/URL etc.

    If you can obtain the URL then the membership plugin has the functionality to limit access to content by URL by membership level, so it may be best to consider this option.

    I hope this helps.

    Regards
    SteveB

  • Patrick

    Hi there @EXPfarm

    I hope you're having a great day!

    We are still working on improving the search functionality in Membership.

    In the meantime however, there are a couple of other options you may want to consider.

    For example, ensure your search template displays only the_excerpt in search results, and protect content past the more tag. You can even auto-inject a more tag in all posts with this handy little gem:
    https://wordpress.org/plugins/auto-more-tag/

    You could also limit what is returned in search results by filtering the results as seen in this post:
    https://premium.wpmudev.org/forums/topic/protecting-content-from-search#post-698356

    And, of course, a plugin like Relevanssi that enables you to restrict results automatically could come in handy too.

    I hope this helps! And thanks for being a member 🙂

  • EXPfarm

    I've been reading suggestions on this issue on WPMUDEV all morning. I'm going with a hack approach: I added the search function to the URL group that is in the negative rules for the visitor type.

    I added this bit of code/address to the URL group:
    /?s=.*

    That makes all search results restricted for our visitors.

    The search feature on/off approach is a hack though, and not a real solution. This approach hides the private content from the public, but it means our visitors no longer can search the website.

    This hack won't work for Member websites that have varying levels of access, as the search function is either "on" or "off" for a given user type.

    Thanks for the help.

  • Michael Bissett

    Hey @EXPfarm,

    Glad to hear you were able to find a way to handle this in the meantime (even if it's not a perfect solution)! 🙂

    We're definitely working on resolving this issue, as this is definitely an important issue to address. As @pxwm (Steve) had suggested earlier though, it may be possible to custom code a solution for this.

    You may wish to hire a developer for this though, if coding isn't your thing:

    https://premium.wpmudev.org/wordpress-development/

    Hope you're having a great start to your weekend! 🙂

    Kind Regards,
    Michael
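
One way to implement the custom-code approach suggested in this thread, so that search stays available to every user type but only returns what that type may see. This is an added example, not code from any poster or from the Membership plugin. It assumes protected posts are grouped into categories; the category slugs, capability names and `example_` function names are hypothetical placeholders.

```php
<?php
// Added example: keep restricted categories out of front-end search
// results, per access level, instead of switching search off entirely.

// Hypothetical map: category slug => capability required to see its posts.
const EXAMPLE_PROTECTED_CATEGORIES = array(
    'members-only' => 'read_member_content',   // placeholder capability
    'premium'      => 'read_premium_content',  // placeholder capability
);

// Return the IDs of the categories the current user may NOT see.
function example_hidden_category_ids() {
    $hidden = array();
    foreach ( EXAMPLE_PROTECTED_CATEGORIES as $slug => $capability ) {
        // Logged-out visitors hold no capabilities, so this is false for them.
        if ( current_user_can( $capability ) ) {
            continue;
        }
        $term = get_term_by( 'slug', $slug, 'category' );
        if ( $term ) {
            $hidden[] = (int) $term->term_id;
        }
    }
    return $hidden;
}

// Constrain the search query itself, before it runs, rather than hiding
// rows inside The Loop (which would also leave result counts and paging wrong).
function example_filter_search_query( $query ) {
    // Only touch the front-end main search query (this includes ?s=...&feed=).
    if ( is_admin() || ! $query->is_main_query() || ! $query->is_search() ) {
        return;
    }
    $hidden = example_hidden_category_ids();
    if ( $hidden ) {
        // Merge with any exclusions another plugin or theme already set.
        $existing = array_filter( (array) $query->get( 'category__not_in' ) );
        $query->set( 'category__not_in', array_unique( array_merge( $existing, $hidden ) ) );
    }
}
add_action( 'pre_get_posts', 'example_filter_search_query' );
```

Pages carry no categories by default, so protected pages need a different criterion, and any search that does not go through the main query (for example a REST or AJAX search) needs the same constraint applied separately.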
