Data privacy issues / leak of usernames/names in ultimate members plugin (gdpr)
We need an option to restrict people from accessing the /user/ directory and the user profile pages. These are accessible by everyone which leaks sensitive data like (but not limited to) name and surname, username and much more.
Regarding legal issues and privacy concerns…
There should be an easy option to restrict access to user profiles except one's own profile.
Problem 1: Name and surname are considered personal data in a wide variety of countries, especially in the European Union. An owner of a website has to protect this kind of data from being accessible by third parties. In the Ultimate Member plugin this data is made public or, at the current most restrictive scenario, visible to members of the site.
Problem 2: Usernames can be used by hackers in various ways to start an attack or gain more info. A WordPress admin should never publicly post under his username. The nickname is what people should display instead. However, in the Ultimate Member plugin you can’t choose nickname as the Profile permalink structure for users. Only username, user id, real names. None of these are acceptable imho.
Workaround 1: You can go to pages / Profile — UM User and restrict access to logged-in users. However, logged-in users can still access the profiles of other users and get access to their username / real name / user id depending on the settings. When restricting access to editors or other high-privilege roles, the user accounts are still accessible by every logged-in user.
Even if members opt out to be excluded from the members directory, their profiles are still accessible by everyone.
So an option to make member profiles inaccessible by other users in general is mandatory.