
where is tag widget


Saurabh Jain


Posted

I think what @Saurabh Jain was asking was the free tags widget that has been included with IPSCS since 3.0 was released. It's cool that someone has created a premium "paid only" widget or plugin but that IPS has been removing the very features of IPS that are broadly used by IPS licensed customers.

While IPS says that they have received feedback that these features should be removed, I honestly think that the only people asking for such features to be removed are third-party app developers who want IPS to remove features so they can generate income by creating a paid version of that feature.

Who's to say that in the future IPS decides to remove "Calendar", "Leaderboard", "Members", social media login handlers in favor of allowing app developers to create "paid" versions of those features. It seems that with every new release, more features are removed from the suite and yet nobody can point to a support topic from IPS where IPS has asked licensed IPS customers on what features should be removed. It just seems to be a closed process where nobody can offer feedback on what features have become redundant.

I voiced my concern when IPS 4.0 was released that it was a big mistake removing "display name" from the IPS forum account process. The reason being? It makes it 200% easier for hackers to lock your admin account. If you have your system set up to never unlock a locked account except by the admin, then you have a serious problem. I've seen people who were mad at other forum admins simply keep logging into an admin's account and locking that admin's account, just out of spite. When you have the ability to publicly show display names, then it makes it more difficult for someone to figure out the login username. For my site, I have two admin accounts created on my site in case something similar happens to my "LIVE" forums. I just think there needs to be some oversight when IPS is considering removing features from the forum software, such as asking the entire community about what features should be removed, which should remain or be included and just allow public comment or feedback regarding upcoming upgrades to the software.

This has actually happened to me on my test account: hackers have actually locked me out of my own account and I've had to delete the installation and reinstall the test forum on my website, that I use for testing the IPS releases. IPS had informed me that they removed display names in favor of login names due to feedback from its community and I never recall anyone asking for that. This is just one example I'm referring to.

Posted
15 minutes ago, Rheddy said:

I think what @Saurabh Jain was asking was the free tags widget that has been included with IPSCS since 3.0 was released. It's cool that someone has created a premium "paid only" widget or plugin but that IPS has been removing the very features of IPS that are broadly used by IPS licensed customers.

While IPS says that they have received feedback that these features should be removed, I honestly think that the only people asking for such features to be removed are third-party app developers who want IPS to remove features so they can generate income by creating a paid version of that feature.

Who's to say that in the future IPS decides to remove "Calendar", "Leaderboard", "Members", social media login handlers in favor of allowing app developers to create "paid" versions of those features. It seems that with every new release, more features are removed from the suite and yet nobody can point to a support topic from IPS where IPS has asked licensed IPS customers on what features should be removed. It just seems to be a closed process where nobody can offer feedback on what features have become redundant.

I voiced my concern when IPS 4.0 was released that it was a big mistake removing "display name" from the IPS forum account process. The reason being? It makes it 200% easier for hackers to lock your admin account. If you have your system set up to never unlock a locked account except by the admin, then you have a serious problem. I've seen people who were mad at other forum admins simply keep logging into an admin's account and locking that admin's account, just out of spite. When you have the ability to publicly show display names, then it makes it more difficult for someone to figure out the login username. For my site, I have two admin accounts created on my site in case something similar happens to my "LIVE" forums. I just think there needs to be some oversight when IPS is considering removing features from the forum software, such as asking the entire community about what features should be removed, which should remain or be included and just allow public comment or feedback regarding upcoming upgrades to the software.

This has actually happened to me on my test account: hackers have actually locked me out of my own account and I've had to delete the installation and reinstall the test forum on my website, that I use for testing the IPS releases. IPS had informed me that they removed display names in favor of login names due to feedback from its community and I never recall anyone asking for that. This is just one example I'm referring to.

Sounds like you should implement the two-factor authentication if your community is getting that much unwanted attention, as well as change the default admin folder path so people aren't guessing it and forcing the admin account to lock by mis-entering the password.

Also, I really don't think there is some conspiracy between IPS and plugin developers - I doubt any of the plugin developers make enough to have this as their primary income, let alone enough incentive to collude with IPS to have features removed from the suite.

Posted

Just to throw a couple of things into the mix of posts above:

1. There's no conspiracy. :)

2. (Speaking completely as a client), you'll note I asked about that cloud plugin too to see if it's compatible or not.

3. (Speaking as a client) Regarding login security/locked admin accounts, it's quite easy to manually unlock them via phpMyAdmin if you have access to this and need to; however (again, speaking as a client only), you could consider switching to email only login, not "email or name" logins. This way unless the person/persons attempting the login know your account email they are not going to have much luck trying to lock the account, never mind anything else. Renaming the admin directory is also a sensible thought too.

4. Display name history is viewable in the ACP via Members

5. All feedback is read. :)

Posted

@AndyF, I haven't checked this to be sure; but, if you log into your forum account under your admin account and someone attempts to "lock" your account just to mess with your access, then that also locks your login into the ACP. But, someone correct me if I'm wrong, but enabling two factor login doesn't prevent someone from being able to lock your account.

From the way I understand it, if you know someone's login username, all you have to do is enter the wrong password (three times, I believe, locks an account); you don't need to know the password to the account in order to lock the account. Someone who knows about or is familiar with IPS would know how to cause havoc with an IPS community. The whole display name/login username was the best way to prevent someone from hacking an IPS forum account.

When 4.x was released, IPS did state that it wasn't possible to enable or mod the software to use a display name along with a login username. My concern regarding stronger security with IPS' forum software was realized when someone successfully hacked my site by using security flaws in the software to hack files on my server. Don't ask me how they did that because I don't know. They were also able to hack a test board I had installed on my site that only I have access to. I eventually had to delete the test board and reinstall it under a different directory while disabling the ability to view directories.

Two factor authentication only works to prevent someone who might figure out your password from trying to log into your account without the second password. I've actually taken a look at it and it doesn't really add any security to the software.

I'm not trying to make an issue out of this but rather that IPS doesn't really consult its licensed users when they're looking at removing features from the software. Personally, I think this policy needs to change. I'm not saying that IPS needs to consult its licensed users but rather when developing a new version of the software, such as moving forward with 4.3 and beyond, that IPS consider a feedback forum and ask its customers what they think about the idea of removing new features in the future. For instance, just say that IPS is planning on removing board statistics in IPS 4.3, open a feedback topic or blog entry and ask your licensed users for feedback on whether it needs to be removed or if it should remain. IPS doesn't have to listen to the community but asking for input allows licensed users to get more involved when it comes to future releases of the software. I've found that a lot of the features that end up getting removed come at the request of its commercial and corporation customers, and not its genuine licensed userbase, those of us who post here on the support forums. Hate to say it, but IPS did mention as much way back when IPS 3.x was being developed.

Posted
1 hour ago, Rheddy said:

 

@AndyF, I haven't checked this to be sure; but, if you log into your forum account under your admin account and someone attempts to "lock" your account just to mess with your access, then that also locks your login into the ACP. But, someone correct me if I'm wrong, but enabling two factor login doesn't prevent someone from being able to lock your account.

From the way I understand it, if you know someone's login username, all you have to do is enter the wrong password (three times, I believe, locks an account); you don't need to know the password to the account in order to lock the account. Someone who knows about or is familiar with IPS would know how to cause havoc with an IPS community. The whole display name/login username was the best way to prevent someone from hacking an IPS forum account.

 

:) Locks yes if you know the username. I have not tested this with 2FA however personally.

 

Regarding my comment about email vs username logins I wanted to expand a little bit on this:

Do you have a test board to hand?

If so (please do not do this to your live site)

Go to ACP > System > Login Handlers > Edit the "Standard" one > Change the choice to "Email Address" and save (make sure you do know the email first!)

Logout of the ACP. Logout of the 'front end'

Now attempt to log in as if you know the username but not the email address. You'll find it's near impossible to do this or lock the account at all, as you do not have the email to initiate the login process. :)

Here are some pics. The form will *not* proceed if either an email is not entered or if it does not match anything:

email_1.png

The account name and password *are* correct in this pic; however, without the email address belonging to the account, it's a no go and this means the "lockout" will not increment as you do not get to that stage:

email_2.png

Same with the admin panel:

email_3.png

Entering a random address:

email_4.png

Again as it does not 'exist' it won't count as a login lock attempt as there is nothing to associate it to either. :)

As a random aside I think having email only login may also reduce potential spam bots too as any automated ones may rely on having a 'username' login rather than 'email only' too.
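Added example (not part of the original thread and not IPS code): a small Python model of the behaviour described in the post above, where a failed login only counts toward a lockout if the submitted identifier resolves to an account. The class names, the `mode` values and the threshold of 3 are assumptions made for illustration; the account data is constructed.

```python
import hmac
from dataclasses import dataclass, field

LOCK_THRESHOLD = 3  # assumption: the thread only says "three times, I believe"

@dataclass
class Account:
    name: str        # public display name, shown next to every post
    email: str       # private, known only to the owner
    password: str    # plaintext only to keep the model short
    failures: int = 0

    @property
    def locked(self) -> bool:
        return self.failures >= LOCK_THRESHOLD

@dataclass
class LoginHandler:
    mode: str                                  # "name_or_email" or "email" (hypothetical names)
    accounts: list = field(default_factory=list)

    def _resolve(self, identifier: str):
        ident = identifier.lower()
        for acct in self.accounts:
            if acct.email.lower() == ident:
                return acct
            if self.mode == "name_or_email" and acct.name.lower() == ident:
                return acct
        return None

    def login(self, identifier: str, password: str) -> str:
        acct = self._resolve(identifier)
        if acct is None:
            return "invalid"                   # no account resolved, so no counter to increment
        if acct.locked:
            return "locked"
        if not hmac.compare_digest(password, acct.password):
            acct.failures += 1
            return "locked" if acct.locked else "invalid"
        acct.failures = 0
        return "ok"

def public_name_can_lock(mode: str) -> bool:
    """Send wrong passwords against the public name; report whether the account locks."""
    admin = Account("Admin", "owner@forum.example", "constructed-password")
    handler = LoginHandler(mode, [admin])
    for _ in range(LOCK_THRESHOLD):
        handler.login("Admin", "wrong-guess")
    return admin.locked
```

In this model the lockout is still reachable by anyone who knows the account's email address, so the protection is only as good as the secrecy of that address.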

Posted

I've just been reluctant to switch over to email addresses for login but I'll try it and see if there's any change. It's not that I'm refusing to switch over but that since I have a Comcast account, being a subscriber to their xfinity services, it's too easy to guess the email address. That's why I've been reluctant to do so. Additionally, using a free email service really isn't an option for me because I've heard from a number of people who have had their email addresses and social media accounts hacked and the companies unwilling to restore those accounts.

Recently, Anime News Network not only had their website and domain name hacked but they also lost control of their Twitter account which they weren't able to retrieve. One email address I use is displayed as a contact through whois for my site not to mention the email address for contacting me through my website. I personally use a number of email addresses for PayPal, another for account registration for my root admin account which is also the domain for my site to make it easier to contact me through my site for content removal requests and the like since my site and community deals a lot with anime, manga, fan fiction and fanart ... so you see the problem.

I'll look at the email login thing but I don't know how well received it would be for my community. But, I'll test out your suggestion on my test forums and see how it works.

Posted

Oh it was just a thought as I was really just wanting to point out if it was set to email only (not email or username) there's not a practical way for anyone to "lock" the account unless they know the email address as the user/display name is of no use when it is set this way. :)

Some members may not like email only logins; this seems to vary quite a bit between communities, and I'd assume it's simply familiarity really. They have been available for a long time, certainly since IP.Converge for the 2x series at least as you may recall (I noted your 'join' date so you're likely to remember this I think).

It is good practice I'd agree to use a different email address as if that is compromised then you do not lose 'everything' as such. I'm no security expert though but I do appreciate the time/trouble you've taken to write your reply. :)

Archived

This topic is now archived and is closed to further replies.
