jon
Forum Replies Created
Forum: Plugins
In reply to: [My Private Site] Multisite
There are several possible causes. The most likely solution is the “Check User Role on Site?” setting at the bottom of the Settings page. Setting it to a blank checkbox will very likely solve your problem.
Based on the Registration URL you quote, it would appear as if the user is self-registering on the first site, which leaves them with no User Role on the second site.
Be sure to respond to this post if this either doesn’t solve your problem and/or doesn’t make any sense to you.
Forum: Plugins
In reply to: [My Private Site] User automatically logged out after a first succesful login
I have got caught before, though not with this plugin, with WordPress having me logged in to http://www.domain.com and not logged into domain.com, i.e. – for Admin panel access.
There are a number of ways that this could be your problem, mostly related to timing between WordPress (which does its own redirection), the automatic redirection you speak of, and this plugin. For example, this plugin could see the URL before it is redirected, and therefore force a login based on the URL before redirection, not after. I’m not saying that is what is happening, as there are lots of possible combinations of those three “players”.
Forum: Plugins
In reply to: [My Private Site] User automatically logged out after a first succesful login
Not specifically related to this plugin, but I have seen this situation happen with what I call “Domain Aliases”. WordPress login cookies are specifically for one domain. http://www.example.com, example.com and example.org all have different login cookies.
In theory, if your user logged in on example.org, and it was Parked in a way that left example.org visible in the browser address bar even though the WordPress Site was example.com, and the user clicked on a hard-coded example.com link, he/she would not be logged in.
Forum: Plugins
In reply to: [Multiple Themes] Wrong theme on ajax request
I (the “Jon” that David mentions above) just took a look at the code and the plugin’s AJAX-handling code is not being executed in any /wp-admin/ URLs because of a check of the is_admin() function.
My mind is a little foggy on what happened as I was fully occupied with two older relatives with huge medical issues. My best recollection is that the AJAX code was written and fully tested a long time earlier, then, much later, other issues came up that saw me have to rewrite the beginning of the plugin, and I more or less blindly coded the usual if ( is_admin() ) logic that is used in almost all plugins.
When I decided to adopt out my plugins, I felt that I had to release the features I had been working on and thought I had completed. With so little time to spend on it, my testing was not comprehensive.
Forum: Plugins
In reply to: [My Private Site] How secure is "My Private Site" plugin?
I should also add a third risk to the list: a hacker gaining access to a WordPress ID and password or your web hosting Control Panel. A month ago, the extremely secure web hosting company that I use caught a hacker trying to brute force (try common WordPress IDs with a million passwords) into one of my sites protected by this plugin. Needless to say, after a few attempts, the web hosting company locked down the site.
The lesson here is to use some care in selecting WordPress IDs and passwords.
Forum: Plugins
In reply to: [My Private Site] How secure is "My Private Site" plugin?
To answer your first question, the redirect occurs before any of the page is populated. Not even the opening <html> tag has been sent to the browser.
Second question: I’m not aware of any ways to make my plugin fail like you suggest. The most obvious way with most plugins is by altering the URL query parameters, but this plugin could not be “tricked” in that manner.
Third question: It is easy to get confused when testing WordPress itself and plugins. The Cookies that determine your logged-in status to WordPress are URL-based. There would be a separate Cookie for http://www.example.com and example.com. It is not usually a problem (i.e. – cannot happen in most setups), but all it means is if you log in to http://www.example.com then login again to example.com, you can log out of http://www.example.com and still find yourself logged in to example.com. This confuses Testers. Since a Visitor cannot log into either, it doesn’t matter. The only security risk that I can think of is having a User on a shared computer, but the bigger risk there, of course, is the User walking away from the shared computer and not logging off at all.
Fourth question is partially answered in the /includes/public.php module with this code:
/*	Earliest Action Hook possible is 'template_redirect',
	AFTER Rewrite: URL changed with Pretty Permalinks and
	correcting the presence or absence of www. in domain name.
	Unfortunately, a wpengine.com (hosting site) mandatory plugin
	appears to be blocking this hook, so the next hook in time sequence
	is being used: 'get_header'
*/
add_action( 'get_header', 'jr_ps_force_login' );
To clarify, Plugins, WordPress Core and Themes all queue themselves up for any Hooks (Filters or Actions) they want to use, and can set priorities on who goes first for a given Hook. My plugin makes no effort to be first or last in the code above, so allows the default priority of 10 to be used.
I know your concerns, and I do use the plugin myself, but I think the biggest risks reside elsewhere. Specifically, turning the plugin off and having a search engine or archive.org capture the content. And an insecure web server.
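The per-host login cookie behaviour described in the third answer above (and in the earlier “Domain Aliases” reply), as an added example that is not part of the original posts or the plugin's code. It is a simplified model of RFC 6265 cookie storage and domain matching (no public-suffix check), assuming the login cookie is set without a Domain attribute; the cookie name and host list are constructed.

```javascript
// RFC 6265 section 5.1.3: does the request host domain-match the cookie domain?
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase().replace(/^\./, "");
  if (host === domain) return true;
  // Suffix matching applies only on a label boundary and never to IP literals.
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");
  return !isIp && host.endsWith("." + domain);
}

// Model of how a browser stores a cookie received from setterHost.
// No Domain attribute -> host-only cookie, bound to the exact host.
function storeCookie(setterHost, name, domainAttr) {
  if (!domainAttr) {
    return { name, domain: setterHost.toLowerCase(), hostOnly: true };
  }
  // A host may not set a cookie for a domain it does not belong to.
  if (!domainMatch(setterHost, domainAttr)) return null;
  const domain = domainAttr.toLowerCase().replace(/^\./, "");
  return { name, domain, hostOnly: false };
}

// Would the browser attach this stored cookie to a request for requestHost?
function isSentTo(cookie, requestHost) {
  const host = requestHost.toLowerCase();
  return cookie.hostOnly ? host === cookie.domain : domainMatch(host, cookie.domain);
}

// Constructed alias list matching the hosts named in the posts.
const ALIASES = ["www.example.com", "example.com", "example.org"];

// Hosts on which the user would appear logged in with this cookie.
function loggedInHosts(cookie) {
  return ALIASES.filter((h) => isSentTo(cookie, h));
}

// Login performed on www.example.com; "login_cookie" is a constructed name.
const hostOnly = storeCookie("www.example.com", "login_cookie", null);
const domainWide = storeCookie("www.example.com", "login_cookie", "example.com");
const crossSite = storeCookie("www.example.com", "login_cookie", "example.org");

console.log("host-only  :", loggedInHosts(hostOnly));
console.log("domain-wide:", loggedInHosts(domainWide));
console.log("cross-site :", crossSite);
```

A cookie set with Domain=example.com would make one login cover both www.example.com and example.com, but the browser would then also send it to every other subdomain of example.com.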
Forum: Plugins
In reply to: [My Private Site] Is there a way to let google index ?
This question has come up from time to time in the past. Unfortunately, having the plugin “open up” the site to search engines would create a potential security hole that hackers would undoubtedly find a way to get through.
Which is not to say that it would even be possible to do.
Forum: Plugins
In reply to: [My Private Site] Exclude @gmail.com and @hotmail.com etc.
I see that you got some responses from other plugin authors on the subject. Glad to see!
Sorry for the delay in responding, but this plugin does not have that kind of functionality.
Forum: Plugins
In reply to: [My Private Site] How secure is "My Private Site" plugin?
First, to clarify, I am the original author of this plugin, but David has graciously offered to adopt all of my plugins after personal and family health issues forced my retirement from supporting and maintaining them. Second, David is the security guru. I’m not, though I have been Programming continuously since 1971, professionally since 1973, and retired in 2007.
I built the plugin to be as secure as WordPress is, by letting WordPress handle the login process, with the plugin’s code using WordPress’ authentication “hooks” to force login on public areas of a WordPress site. Plugin Settings are as secure as WordPress Settings since they are stored in the same database and accessed through the same WordPress PHP functions. Login status is as secure as WordPress login status because the plugin lets WordPress handle the cookie(s) that determine login status of each user and visitor.
As I also said in the description, direct access by URL to images and other files, including any non-WordPress HTML files, is possible without being logged in, because WordPress does not protect any of those things. The biggest risk in this area is making a public site private, since archive.org and even search engines (through their “cached version” option) allow access to older versions of a URL, when the site was still public.
Of course, if a web server was incorrectly set up to allow .php files to be viewed by visitors, or the WordPress database to be directly accessible by visitors, that would also be a major risk for WordPress without this plugin.
As you can see, the security of this plugin was designed to match that of WordPress: no better and no worse.
All of that said, this is not industrial grade security. Then again, WordPress has never claimed to provide industrial grade security when installed with all its default settings.
Forum: Installing WordPress
In reply to: Installing WordPress alongside existing site
Yes, this could be done in a subdirectory, but I would argue that a “cleaner” (more fool-proof) solution would be to create a subdomain for WordPress and install it there, so that you have a really clean separation between your WordPress and non-WordPress sites.
As in example.com being your existing site, and wp.example.com being your WordPress site. That approach might even allow you to use the GoDaddy install script, though I personally think it is worth the investment in time to do a standard WordPress install, because it will help you debug problems later, if you have some idea of how it was installed.
Forum: Plugins
In reply to: [Multiple Themes] Editing custom fields on old theme pages breaks the page
The Plugin’s Settings page has a Theme Options tab that explains all the issues associated with changing the Theme Options, including Template used for each Page. Be aware, however, that the information provided on that Tab was written some time ago and is a set of Workarounds, since the plugin does not control the behaviours discussed. I’ve even seen talk that one of the solutions requires a plugin that is no longer in the WordPress plugin directory.
All that said, the Plugin Author may have specific solutions for you. I’m just sharing my thoughts.
Yes, that will probably work. The Theme Options tab talks about other ways to do that, too.
The plugin author may have more ideas for you because what I have to say is out of date, in that I haven’t worked with this plugin since a previous version of WordPress. And things have changed in WordPress since then.
The Settings page has a “Theme Options” tab that brought together all of the available Workarounds known as of about a year ago. It is worth a read.
To directly answer your Backend question: With a couple of theme-specific exceptions, mostly to make AJAX work properly, the plugin does not override WordPress standard behaviour for Admin panels, which means that the WordPress Active Theme is considered the Theme by Admin/Backend. When the plugin was originally written, and even during its several major rewrites since, Admin panels looked the same, no matter what Theme was Active.
Forum: Plugins
In reply to: [Multiple Themes] multiple plugin theme issue!
I have not used this plugin in a while, but, in the past, I have used the suggestions on the Theme Options tab of the plugin’s Setting page to “workaround” the type of problem you are having.
Forum: Plugins
In reply to: [Multiple Themes] start from scratch
The plugin makes no changes to WordPress Settings or any other parts of the WordPress database that WordPress uses when this plugin is Deactivated. The Plugin stores all changes into its own Settings. If you Uninstall the plugin from the WordPress Plugins Admin panel, even those Settings will be deleted.
Of course, if you followed the instructions on the Theme Options tab, those changes will remain, since they were not done through the plugin, but through WordPress’ standard Admin panels.