typing in url name shows all protected posts

Hi
This might be a security bug. If as an unregistered visitor, I type in address:

http://[domain_name]/author/[author_username]/

I will get all the protected post by the author without any problem. Clicking on the post links takes me to the Member Options page so the intended protection function is ok in this case.

So the protected post are not protected if the said line is typed in the browser address bar.
I have the “Alternative View Protection” enabled for all.
I’m hosted on Bluehost Standard and all my plugins, themes and WordPress itself are up to date.

Being new to S2, I don’t know if it is something I am doing wrong or if it is a bug.

That’s strange… What method are you using to block these pages? I imagine URI restrictions?

– Eduan

Hi Eduan

I use the dropdown right hand box that you get when editing/creating posts and pages to restrict access. These then appear with their ID# in the Post and Page Access Restriction in the correct sections of the S2members setup area.

Should I also use URI Restrictions as well even though I don’t use Buddy Press?

– Victor

Ok solved by using the URI Restrictions on S2members setup area. To help others with the same problems here’s a summary of the problem and solution:

1. Protected pages/posts are shown to anyone who enters this in the browser address bar:

http://[domain_name]/author/[author_username]/

2. Go to URI Restrictions and enter the URI in the highest level (#4) box:

/author/[author_username]/

And save all changes (note you need all the forward slashes)

I only discovered the exposure of protected pages by accident. Perhaps Eduan or any support person could tell us any other URIs that might expose protected pages and posts? Thanks

For this kind of case using URI restrictions is the best, also URI restrictions aren’t only for when you use BuddyPress.

– Eduan