So, here is a dumb, unlikely, but “quick to test” suggestion..
If you have the option “Hide WordPress version” switched on in your options page, could you try switching it off and retest?
That option is not really of any use anymore anyway, so turning it off has no negative impact. But it could potentially explain some things.
Welp that was a weird thing to try, but it seemed to fix it! Can you explain why that would cause this issue?
Yes, certainly.. It is a buggy pattern match and change done by WordFence.
Also called “a bug” in the code. 🙂
WordFence only touches your CSS and JS links when you turn that option on.
It tries to (only means to) change the “?ver=x.y.z” type parameters on the links, but uses a somewhat simplistic preg_match and code pattern to do so. Your site must be using some odd links that end up running the pattern astray.
Why it affects just YOUR site that way (by mis-matching and changing the wrong thing on your particular styling links) I can only say if I knew what your specific links look like. Which depends on theme names and other things. Then I could replay that pattern in my head on your link/theme structure, and see where the matching and code goes wrong.
The problem in your case goes away when you stop trying to “Hide the wordpress version”, because WordFence stops trying to change your CSS/JS links. Stops using the poorly constructed method to find version strings to change.
You don’t need that option anyway.. As it states in WordFence’s own help documentation, they actually suggest you no longer turn that option on. There are so many other ways for bad guys to know that you are using WordPress that “hiding” is kinda useless. 🙂
And it just adds to the time it takes WordFence to run, without any benefit.
Just look at the page source. It is filled with WordPress and plugin unique paths.
Bad bots don’t care what version of WordPress you are running. Only that you are in fact running WordPress, which is very obvious to anyone looking. All they have to do is ask Google or manually click “view source” on a web-page. 🙂
BTW.. I was exaggerating when I said “unlikely” to make a difference. 🙂
Just hedging my bets, since I was just making a qualified guess.. 🙂
Wow Caleb, that’s an amazing catch on that Wordfence “Hide version” option. That explains some CSS problems I had a while back that took me literally days to track down, and never did totally resolve. It sounds good so of course I had it turned on, off now. Thanks, MTN
Thank you so much Caleb! After some more research on my site it turns out my issue was a combination of that setting and a PageSpeed mod on the server that I was not aware of. Thanks again!
Thanks @maspegren for sharing the reason for this conflict, did you disable the PageSpeed module as a whole? or just re-configured it somehow? I’m curious to know.
Good thinking in narrowing down this issue Caleb, thanks!
Actually, the mod is still enabled. They cleared the cache and things are looking good now. We will be working with the server admin to figure out a way this mod stops breaking our site.
The PageSpeed Mod really do not have anything to do with this particular problem, I think, other than it’s caching part holding on to the page content with the bad css links in it.
Meaning that the config change will not be immediately visible, since the page cache has to expire before the new code shows up. Eventually the pages would have been expired out the cache by themselves.
BTW.. if you don’t like being fronted by PageSpeed, or having it rewrite pages, you should be able to turn that off for just your site by putting
<IfModule pagespeed_module>
ModPagespeed off
</IfModule>
in your .htaccess file
