Forum Replies Created

Viewing 15 replies - 346 through 360 (of 470 total)
  • Web host is Media Temple DV using CPanel.

    I don’t have time to fill in the support request form right now – I have to fix all the sites first. Rolling back to version 1.9.9.8.1 and disabling updates on all sites, so you wouldn’t be able to see the error or use any of my sites for testing purposes.

    Same error, HUGE error logs on sites, entries like:

    [20-Jan-2017 06:56:06 UTC] PHP Warning: preg_match(): Delimiter must not be alphanumeric or backslash in /[path to wp]/wp-content/plugins/wp-spamshield/includes/class.utils.php on line 665

    Sites are all running WP 4.7.1, CentOS 6.8, Apache 2.4.23, PHP 5.6.28

    (Multiple errors per minute so error logs are HUGE)

    (I’m now reviewing all sites on the server and disabling the plugin wherever the error log problem is showing up)

    POSTING HERE SO OTHER USERS WITH SIMILAR ISSUE CAN SEE IT. (I will either roll back to earlier version of spamshield or replace with a different antispam plugin where needed, so I am reporting the issue, not seeking support at this time).

    Thread Starter Abigailm

    (@abigailm)

    Thank you, but now we are just going around in circles.

    I wrote in the first line of my opening post that it was a “Feature Request” and I specifically stated that I had found the information in your Troubleshooting Guide suggesting installation of a third party plugin to control auto-updating (Easy Updates Manager.)

    So I already knew what your solution is. I just don’t think it is a satisfactory solution because I don’t want to be installing new plugins to fix problems caused by other plugins.

    Obviously you think it is acceptable, so there is no point in debating. It is your plugin, you can do what you want with it.

    It’s just that it makes extra work for me because I have multiple sites to worry about. I can’t accept your reassurances that it really isn’t necessary to test the site after update because last night it produced such a critical error.

    So right now even though your plugin does good things, I think it is more trouble than it is worth for me to use it … so I will look for a different solution.

    Thread Starter Abigailm

    (@abigailm)

    yet this plugin is one of the few major plugins that has never had a security vulnerability

    It caused a very important web site that I manage to go offline last night, well past my working hours, and required me to essentially stay up all night to fix it, and then check all of the other sites I manage using your plugin. The pushing out of a fix 3 hours later only increased my workload, as I then had to redo the testing/checking of all sites. (And the first “fix” generated a bunch of error messages in my logs, so my desire to check and verify all installations was obviously a legitimate concern.)

    Anything that can change my site configuration and bring down my site without my active involvement or approval is a security risk in my view.

    I don’t care whether the problem is due to malicious intent or mere negligence, the result is the same: someone made a change to my web site without my knowledge, approval or permission, and it broke my site.

    Because of one update?

    No, I have had problems on sites due to the background updating of your plugin on multiple occasions on multiple sites because of the need to clear caches on update, something that you also have documented as necessary. Usually I find out when someone writes to me about a form not working.

    Those weren’t bugs in your program, but caused me inconvenience in the same way.

    Unfortunately despite the best of efforts, sometimes things happen that we can’t foresee.

    That is why it is inconsiderate and irresponsible to force automated updates on users who haven’t opted into that service.

    That’s also ironic that you mention Wordfence…they’ve had a similar issue more than a few times, and the issues in that plugin did affect nearly everyone.

    Wordfence has automatic updates as an option that can be toggled on and off by the user. It is an option listed near the very top of their options menu, and they also provide the option to email the site owner every time there has been an automatic update.

    I was offering you the helpful suggestion that you could code something similar. Instead I just get an argument. (I think that most developers would have simply politely acknowledged the suggestion, whether or not they intended to implement it.)

    Again, no need to respond. Your refusal to acknowledge the concern I expressed in my feature request (which is not the same as a “support request”) has told me what I need to know for the future.

    Thread Starter Abigailm

    (@abigailm)

    Scott, as I noted above, I tried to submit a support request on your site at the link you provided and there was a long form to fill out, and after I filled it out and clicked “submit”, the form was rejected.

    In any case, I am not seeking support, I am making a suggestion, and based on your response to this and other threads I prefer to keep my suggestion on an open forum where others can see it.

    You do not have to reply to my remarks that follow — they are really meant for other support forum users to read.

    You have created an excellent, powerful plugin but your use of forced auto-update – particularly without clearly documenting it and providing users with a means to opt-out in the setting menu – is in itself a serious security problem. Here’s an article that explains why – https://www.wordfence.com/blog/2016/11/hacking-27-web-via-wordpress-auto-update/ — but the events of last night are equally illustrative. You pushed out two updates that caused hundreds or maybe thousands of websites to go down. In the first case, the problem was a conflict with Wordfence, which is one of the most widely used WordPress security plugins, with well over a million installations.

    The WordPress auto-update API for plugins is intended for critical security updates — it’s a logical way to quickly push out a patch for a newly discovered vulnerability. WordPress would allow you to configure the API to limit plugins to those situations.

    But that is not how you are using it. You used it last night to push out a release with a very long list of changes and improvements:

    = 1.9.9.8.2 =
    *released 01/18/17*

    * Added robust detection for over 90 web hosting services to further improve compatibility with various server setups and edge cases. We developed this functionality for our RS System Diagnostic plugin and imported it to WP-SpamShield.
    * Added robust detection for web proxy/WAF/CDN services such as Cloudflare, Incapsula, and Sucuri CloudProxy. We developed this functionality for our RS System Diagnostic plugin and imported it to WP-SpamShield.
    * Improved support for Varnish and other server-side caching systems.
    * Added functionality to enforce existing [plugin Minimum Requirement #3](https://www.redsandmarketing.com/plugins/wp-spamshield/?wpss=requirements#wpss_requirements), “Your server must be configured to allow the use of an .htaccess file.” Accordingly, if a standalone Nginx server is detected, the plugin will deactivate. Standalone Nginx servers have never been supported by the plugin, and this has always been explained in the plugin Minimum Requirements, but unfortunately despite existing warnings in the admin, not everyone pays attention, and this became necessary.
    * Made various code enhancements and improvements.
    * Improved some filters in the anti-spam algorithm.
    * Maintenance: Updated existing spam filters.

    Auto-updating is potentially a valuable and convenient service for many unsophisticated users who have small sites and blogs and don’t want to be bothered with having to regularly update their sites on their own.

    But for those of us who are more experienced and may manage multiple sites for different clients, perhaps dozens or even hundreds of sites — it is disastrous when a plugin causes multiple sites to go down at once. For live sites, many web designers prefer to test things out first in a development environment. Just reading through the changelog I quoted above suggests a dizzying array of things that could go wrong depending on a particular site configuration.

    So while it is nice to offer auto-updates as a feature (as Wordfence does) — it is not helpful to build it into a plugin without providing prominent notice to users that the plugin is configured to make changes to itself (and the site) at unpredictable times and intervals, or to provide a clear and prominent way to opt-out.

    Forced automatic updating is a feature that requires a considerable amount of trust between end user and developer. Trust from the user that updates have been thoroughly tested in multiple environments, and trust as well that the developer is honest and would not push out an update with malicious code or spam. (This has happened in the past with some WordPress plugins).

    While I do trust your honesty and good faith – the events of last night are a breach of trust as to the quality of your programming and pre-testing. Basically you pushed out software with serious bugs – and your fix was buggy as well.

    So no, I don’t want forced background updates for your plugin; I want to be able to test first.

    At this time I’m choosing to post my comment in this public forum because I believe that others who use the plugin have the right to understand and be aware of the problem. When you ask users to post private support requests via your site, that might be more convenient for you, but it also tends to bury the problem from public view.

    When I discovered the problem last night, after fixing it on my own site I promptly came to this forum with the intent to report the bug, to alert others as well as you of the problem. I then saw that others had already posted.

    You certainly deserve kudos for promptly fixing the problem you created.

    But we users cannot assume that will be the case. One advantage of an open forum is that users can often help one another when a theme or plugin developer is not so quick to respond.

    There is another advantage of an open forum: when I am using a plugin or theme with a history of problems on updates, I typically will wait several days to upgrade and monitor support forums to ensure that the latest update is safe. Unfortunately your plugin now falls into that category (history of buggy updates). If you discourage users from posting problems here, it just makes me more wary, as I feel I am then left on my own to thoroughly test each update.
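
The opt-out and notification behaviour requested in the post above can be approximated site-side with WordPress core hooks. This is an added example, not code from the thread, WP-SpamShield or Wordfence. It assumes the plugin's background updates pass through core's `auto_update_plugin` filter, that the plugin directory is `wp-spamshield` (as in the log path quoted on this page), and that the file is installed as a must-use plugin; the file name and `example_` function names are hypothetical.

```php
<?php
/**
 * Added example. Assumed location: wp-content/mu-plugins/pin-plugin-updates.php
 * Blocks background updates for pinned plugins and mails a report after
 * any automatic plugin update, so changes never happen unnoticed.
 */

// Plugin directories that may only be updated by hand (assumed slug).
const PINNED_PLUGIN_DIRS = array( 'wp-spamshield' );

// Run last so this decision overrides earlier callbacks on the same filter.
add_filter( 'auto_update_plugin', 'example_pin_plugin_updates', PHP_INT_MAX, 2 );

function example_pin_plugin_updates( $update, $item ) {
    // For plugin offers, $item->plugin is "directory/main-file.php".
    $file = isset( $item->plugin ) ? (string) $item->plugin : '';
    $dir  = strtok( $file, '/' );
    if ( in_array( $dir, PINNED_PLUGIN_DIRS, true ) ) {
        return false; // never update this plugin in the background
    }
    return $update; // leave every other plugin's setting untouched
}

// Fires once after a background update run, with results grouped by type.
add_action( 'automatic_updates_complete', 'example_mail_update_report' );

function example_mail_update_report( $results ) {
    if ( empty( $results['plugin'] ) ) {
        return; // no plugin was touched in this run
    }
    $lines = array();
    foreach ( $results['plugin'] as $r ) {
        $failed  = ! $r->result || is_wp_error( $r->result );
        $lines[] = sprintf( '%s: %s', $r->name, $failed ? 'FAILED' : 'updated' );
    }
    wp_mail(
        get_option( 'admin_email' ),
        sprintf( '[%s] Background plugin updates ran', home_url() ),
        implode( "\n", $lines ) . "\n\nClear caches and test forms now."
    );
}
```

A plugin that runs its own updater outside the core filter would not be stopped by this; the mail report only covers runs of the core background updater.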

    Thread Starter Abigailm

    (@abigailm)

    I tried to go to your support page but it had a long complicated form to fill out and then did not let me submit the form — particularly inappropriate since I was submitting a “suggestion” rather than a request for tech support.

    I’ve disabled WP-Spamshield on the site that went down tonight and switched to a different anti-spam plugin for now.

    Your troubleshooting guide says in bold print, “Very important: Caches should be cleared every time a plugin is updated, added, or removed from your WordPress site!”

    So you KNOW that the cache needs to be cleared and you also KNOW that WP-Super Cache is not going to clear itself when a plugin updates. (Also on your site, “Some caching plugins don’t automatically update the cache when a new plugin is installed, and most don’t when plugins are updated.”)

    All I want is for my plugins to let me decide when to update. I do keep plugins up to date, but I make sure that I do updates on plugins with the potential to impact site function at a time when I will be able to test the site after updates.

    Whether or not there is a problem that is specific to my site configuration, I should have the ability to prevent any software from making automated changes if that is my preference.

    Thread Starter Abigailm

    (@abigailm)

    Thank you, but your reply does not address my concern. I need to disable auto-updates for wp-spamshield.

    I have suggested that you include a program setting to disable this auto-update, so I don’t have to stay up all night in order to test and address problems caused by a patch you decide to push out at 3:30 am.

    You know… so I can do updates and testing on MY schedule.

    (And yes, the new update did cause problems on my site. Every time spamshield updates, the comment forms all generate a javascript/cookie error. That usually requires clearing all caches and disabling/reenabling the plugin to fix).

    I’ve also gone back to version 3.6.4. I’ve been using Evolve for quite a while and there is a very long history of problems with upgrades, particularly display issues, as when new features are introduced and changes made to the theme stylesheet, little attention is paid to backward compatibility. I also use many different themes and have not experienced this issue with upgrades to other free themes.

    I always make a full site backup before doing an Evolve update and keep a copy of the working version so I can easily revert. I’d strongly recommend that others do the same.

    I appreciate effort by all theme developers to keep their themes updated to address possible security issues and to keep up with upgrades to WordPress, but I really think that when major changes are made to theme layout or structure, it’s better practice to distribute that as a new and separate theme rather than an upgrade pushed out that is likely to adversely impact long-established live sites.

    Thread Starter Abigailm

    (@abigailm)

    I didn’t do anything to the site between the time you posted and I asked my question, other than to check the console to try to figure out what you were talking about.

    I’m glad to know that you’ve pushed out another upgrade, though. I’ll just test that when I have time and post if there are continuing problems.

    Thread Starter Abigailm

    (@abigailm)

    Could you be more specific — I checked console in two browsers (Chrome & Firefox) and didn’t see any errors noted.

    After you issue the next update I’ll try disabling the Google Language Translator during the upgrade process as well as other non-critical plugins to test more – but the Google Language Translator is a very popular plugin with more than 100,000 active installs so if there is a conflict, it is likely to impact many users.

    Thread Starter Abigailm

    (@abigailm)

    Web site is https://www.davistraining.info — but as noted I have reverted to version 3.64

    Thread Starter Abigailm

    (@abigailm)

    What part of the child theme needs to be updated?

    I don’t have any custom templates – just the stylesheet and functions.php file with the enqueue directive:

    add_action( 'wp_enqueue_scripts', 'theme_enqueue_styles' );
    function theme_enqueue_styles() {
        wp_enqueue_style( 'parent-style', get_template_directory_uri() . '/style.css' );
        wp_enqueue_style( 'child-style',
            get_stylesheet_directory_uri() . '/style.css',
            array('parent-style')
        );
    }

    Or do you just mean that the child theme needs to be de-activated and reactivated?

    Thread Starter Abigailm

    (@abigailm)

    Glad to see this confirmed. I assume I’m probably running plugins that add to load, but the changelog shows that the file structure and framework were significantly changed with this version of evolve. (“Implemented SASS, changed structure of theme folders”)

    Thread Starter Abigailm

    (@abigailm)

    Just a note – the update does indeed resolve the problem.

    The plugin is not necessary. It offers some extra features, but a WordPress site will run fine on Cloudflare without it.

    It’s probably more valuable in a situation where a wordpress admin does not have access to the Cloudflare account — I have the plugin installed and working on my sites, but I am not sure what it really does for me at this point, and I find it just as easy to open the cloudflare dashboard in another browser window or tab if I want to clear the cache or enable development mode while working on the web site.

    I think that the older plugin offered some features that extended the capabilities of Cloudflare….but I am not sure if any of those features apply.

    I hope someone from the Cloudflare team will jump in here to tell us what, if anything, the plugin now offers as an extra that we can’t get simply by using the Cloudflare dashboard. (I’m sure there are some benefits, but I don’t think they impact core functions)
