Security Leak In Membership Plugin

I had one of my members point out a security leak in the membership site.

I have paid members on a support group membership site. The topics discussed are quite sensitive and privacy is vital.

One member noticed that if you sign out, even if you close your browser, then check the history you can bring up and read the last page (most activity on the site is in the BuddyPress forums).

I tested it and it’s true. You cannot click to a different page, and the menu shows the correct ‘stranger’ menu, but the last page is there for anyone to see.

Can someone tell me how to fix this? This is crucial. If I cannot ensure privacy for my members then I will not have any members.

Thanks,

JoAnn

  • Brian Purkiss
    • Smushie Pies

    My first inclination is that the Membership settings are not properly restricting content.

    To verify this, do you think you could send me a URL of content that is supposed to be restricted? If I am able to see it, then Membership isn’t properly configured to restrict content. If I am unable to see the content then it’s a glitch with the plugin and I’ll notify the developer.

    Could you please send a message with the link and include my name in the subject and a link to this thread through our contact form?

  • Barry
    • DEV MAN’s Mascot

    One member noticed that if you sign out, even if you close your browser, then check the history you can bring up and read the last page (most activity on the site is in the BuddyPress forums).

    Hi, it’s called a browser cache – I can do it on a lot of sites, as the browser grabs the content of the page it has in memory rather than going back to the server for the content and therefore saving bandwidth / load time.

    You can prevent this happening across your entire site by adding some HTML lines to your theme's header – have a look at this link and it will explain things and the steps you need:

    http://www.webmastertools.bz/how-to-stop-browser-caching/

  • JoAnn
    • The Incredible Code Injector

    Thanks so much for your quick response Barry. I checked out the site you suggested and it seems like the info is outdated, and I am confused as to how and where I would add this type of code to a WordPress theme.

    I am using the Business Portfolio child theme. Can you give me some specific direction as to what I can do to this theme to prevent browsers from saving my pages in the cache?

    This certainly seems like it would be an issue for anyone using the membership plugin. Do any of your themes address this issue?

    JoAnn

  • Barry
    • DEV MAN’s Mascot

    Thanks so much for your quick response Barry. I checked out the site you suggested and it seems like the info is outdated

    I changed the link in the post – so the one you would have gotten in your email is different to the one above.

  • PC
    • WPMU DEV Initiate

    Hiya,

    Greetings of the day.

    I was doing a regular follow-up today and found that we missed your last post on this one.

    Are you still seeking support on this one, or have you managed to get it resolved? Please let us know so that we can take it further and assist you on the same.

    Thanks for being a great community member!

    Cheers

    PC

  • JoAnn
    • The Incredible Code Injector

    Hi pc,

    I have not resolved this problem yet. I followed the link above, but I am not sure where to put the code that the article mentions.

    Where would I add that php code?

    Thanks so much for the follow up.

    JoAnn

  • Barry
    • DEV MAN’s Mascot

    I followed the link above, but I am not sure where to put the code that the article mentions.

    You need to put that in the header file of your theme. The header file is generally called header.php.

    You can prevent this happening across your entire site by adding some HTML lines to your theme's header – have a look at this link and it will explain things and the steps you need:

    So at the very top of your header.php file you put the PHP in the link, save the file, and make sure it is re-uploaded to your server (if you edited on your local computer).
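
Added example, not part of the original thread and not the code from the linked article: one way to apply the advice above in WordPress is to send the anti-caching headers from the child theme's functions.php, only for signed-in members. The function names prefixed `example_` are hypothetical; `nocache_headers()`, `is_user_logged_in()` and the `send_headers` and `wp_logout` hooks are WordPress core.

```php
// Place in the child theme's functions.php, after the opening <?php tag.
// Added example; the example_* function names are hypothetical.

/**
 * Tell the browser not to keep a copy of any page served to a signed-in
 * member, so the page cannot be reopened from history or cache after logout.
 */
function example_members_no_store_headers() {
    // Public pages shown to signed-out visitors can stay cacheable.
    // If output has already started, headers can no longer be changed.
    if ( ! is_user_logged_in() || headers_sent() ) {
        return;
    }

    // WordPress helper: sends Expires and Cache-Control headers that
    // mark the response as not cacheable.
    nocache_headers();

    // "no-store" is the directive that forbids storing the response at all;
    // "private" keeps shared caches (proxies, CDNs) from holding a copy.
    // header() replaces any Cache-Control value sent earlier in the request.
    header( 'Cache-Control: no-store, no-cache, must-revalidate, max-age=0, private' );
    header( 'Pragma: no-cache' ); // for HTTP/1.0 caches
}
add_action( 'send_headers', 'example_members_no_store_headers' );

/**
 * On logout, ask the browser to drop what it has already cached for this
 * site. Clear-Site-Data is honoured only by browsers that support it and
 * only over HTTPS, so it complements the headers above, it does not
 * replace them.
 */
function example_clear_cache_on_logout() {
    if ( ! headers_sent() ) {
        header( 'Clear-Site-Data: "cache"' );
    }
}
add_action( 'wp_logout', 'example_clear_cache_on_logout' );
```

To check the result, load a members-only page while signed in and confirm in the browser's developer tools (Network tab, response headers) that `Cache-Control` contains `no-store`; pages that were cached before the change stay in the browser until it evicts them or the user clears them.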

  • PC
    • WPMU DEV Initiate

    Greetings and thanks for being a great community member.

    We haven’t heard from you on this one for a long time, and I am doing a regular follow-up to see if there is still something we can assist you with on this thread.

    Just to manage the support issues more efficiently, I am marking this thread as resolved for now; however, this is not being done to avoid your questions in any way.

    Please feel free to mark this as “Not resolved” in case you have further questions and we will be back on it.

    Thanks a lot for being with WPMU DEV.

    Cheers

    PC
