Forum Replies Created

Viewing 15 replies - 16 through 30 (of 37 total)
  • Hi TallSam, I updated the plugin and now, if you enable the option named “Disable cookie” it will also stop displaying that checkbox as it’s not needed.
    If you do this I guess it would be a good thing to write in your privacy policy that you are not setting the comments cookie at all.

    To get the new version you would need to disable & delete the plugin, then download, install and activate the new version. The download location is the same; it's listed in the previous messages.

    Regarding the Name -> Nickname change: I’ll be back with details about that 🙂

    Cheers!
    Alex.

    Hi Tri, that’s simple: please add the following function in functions.php file of your child theme:

    // automatically make post sticky
    // wp_insert_post fires as soon as WordPress creates the post record (the auto-draft
    // created on Posts -> Add New included), so the post is already sticky while editing
    add_action('wp_insert_post', 'mo_make_it_sticky_if_role');
    function mo_make_it_sticky_if_role( $post_id ) {
    	// only when the user performing the insert has the "author" role
    	if( current_user_can('author') ) {
    		stick_post( $post_id );
    	}
    }

    This will make any new post sticky if the currently logged-in user has the “author” role, right at the moment when he/she clicks Posts -> Add New.

    Hope it helps 🙂
    Alex.

    Then you could go with https://wordpress.org/plugins/complete-open-graph/

    It globally removes the site title part of titles by default and it adds an Open Graph Settings box on individual posts and pages where you could edit the shared title and description individually and independently from the post/page title and content. Otherwise it pulls this info from the post/page itself (but removing the site title part as I said).

    This is the simple, plugin approach, otherwise there are some code snippets to achieve more customized results with some more effort – please let me know if you would like to go that way.

    Have a great weekend!
    Alex.

    Hi Rolf, thanks for coming back with a solution,

    I understand the need to quickly upload the fix to a lot of websites, but I suspect redirecting user archives will not stop bots from enumerating your usernames (read below why),

    First, if you would like a quick solution that's easy to upload, please use this file – just unzip, then upload the “stop-wordpress-user-phishing.php” file directly in the /wp-content/plugins/ directory of each website, then go to Plugins and activate this plugin, named “Stop Username Phishing”.

    It’s just one step more than just uploading and it’s guaranteed to work (and tested).

    If you would like to see what’s in the file before downloading please see it here: https://gist.github.com/alexmoise/d5d9073e6165d4e5ac098a184d5405e6

    ===

    Now, why redirecting the author archive to the site homepage will not prevent bots from enumerating your usernames: the mechanism used by user phishing bots is a bit different and works before that;

    These bots access the website using these URLs:

    http://your-domain.com/?author=1
    http://your-domain.com/?author=2
    … and so on,

    Then they get back from the website the address where the author archive is, which translates into something like:
    http://your-domain.com/?author=1 -> http://your-domain.com/author/admin
    http://your-domain.com/?author=2 -> http://your-domain.com/author/anotheruser
    … etc.

    But then, the bot doesn’t actually follow that newly obtained link; instead the bot removes the “http://your-domain.com/author/” part from the author archive URL sent by the website and stores the list of users; then it accesses “http://your-domain.com/wp-login.php” and fills the username field with the username and the password field with dictionary words …

    So, we need to drop the communication right after receiving the request to access something that contains “?author=” – that’s why there’s a “die();” thing in the file above 🙂

    That’s all, hope it helps!
    Cheers!
    Alex.

    Ahh, about the GDPR … I guess first technical solutions will start to show up across web in the form of functions developed by independent developers to cover various issues they encounter; then some of these functions will become more widely known, improved and used; then based on these some plugins will start to pop in the Plugin Directory … maybe some well-known plugins will include these … and so on, something like this.
    This is the way it evolves all the time 🙂

    Welcome Rolf,

    With such a vast array of situations where WordPress could be used it’s hard to predict all the things people could do to it,
    But the good thing is that it’s pluggable enough that it can be easily protected (besides turning it into … almost anything 🙂 )

    So, which approach would you choose from the above? Code or plugin? If you could disclose this, of course!

    Cheers!
    Alex.

    Hi Rolf,

    It seems that somebody (a bot?) managed to enumerate the usernames and tried to log in using them; that could be easily stopped using more than one method:

    The simplest approach is to block the most trivial user enumeration at the server level, by adding the following code in the “.htaccess” file in your website root directory:

    # Stop User ID Phishing
    <IfModule mod_rewrite.c>
    	RewriteEngine On
    	# match author=N anywhere in the query string, not only at its start
    	# (a rule anchored with ^author= would let /?p=1&author=1 through)
    	RewriteCond %{QUERY_STRING} (^|&)author=\d+ [NC]
    	# send the request to the homepage; the trailing "?" drops the query string
    	RewriteRule .* http://your-domain.com/? [L,R=302]
    </IfModule>

    Please be aware that before adding this code to “.htaccess” you need to go to “Settings” -> “Permalinks” and switch permalinks to any setting except the default “Plain”, then you need to replace “your-domain.com” in the code above with your own domain name.

    Another approach is to use a plugin like WPBruiser, which has an option named “Prevent User Enumeration” in its “Security” tab that literally “Prevents bots from enumerating users through ‘/?author=N’ scans, the oEmbed API, and the WordPress REST API”.
    That’s a pretty easy and powerful thing to do, and there’s other security goodies included for website protection.

    Good luck and have fun! I’d love to know which approach you choose and the results you get!
    Alex.

    Welcome,

    There are a number of ways to customize that text,

    The easiest way would be to use a plugin like Loco Translate, create a new language (like “My custom English”) and change things around as needed 🙂

    Another approach is to redefine the comment form HTML as you need it, with the following bits of code added in the “functions.php” file of your (child?) theme:

    // comment form fields re-defined:
    add_filter( 'comment_form_default_fields', 'mo_comment_fields_custom_html' );
    function mo_comment_fields_custom_html( $fields ) {
    	// the same values core uses when it builds its own fields (they are not
    	// defined inside a filter callback, so they have to be fetched here):
    	$commenter = wp_get_current_commenter();
    	$req       = get_option( 'require_name_email' );
    	$html5     = current_theme_supports( 'html5', 'comment-form' );
    	$aria_req  = ( $req ? " aria-required='true'" : '' );
    	$html_req  = ( $req ? " required='required'" : '' );
    	// first unset the existing fields:
    	unset( $fields['comment'] );
    	unset( $fields['author'] );
    	unset( $fields['email'] );
    	unset( $fields['url'] );
    	// then re-define them as needed (any other field still in $fields, like the
    	// cookie consent checkbox, is kept after these):
    	$fields = [
    		'comment_field' => '<p class="comment-form-comment"><label for="comment">' . _x( 'A CUSTOM COMMENT LABEL', 'noun', 'textdomain' ) . '</label> ' .
    			'<textarea id="comment" name="comment" cols="45" rows="8" maxlength="65525" aria-required="true" required="required"></textarea></p>',
    		'author' => '<p class="comment-form-author">' . '<label for="author">' . __( 'A CUSTOM NAME LABEL', 'textdomain' ) . ( $req ? ' <span class="required">*</span>' : '' ) . '</label> ' .
    			'<input id="author" name="author" type="text" value="' . esc_attr( $commenter['comment_author'] ) . '" size="30" maxlength="245"' . $aria_req . $html_req . ' /></p>',
    		'email'  => '<p class="comment-form-email"><label for="email">' . __( 'A CUSTOM EMAIL LABEL', 'textdomain' ) . ( $req ? ' <span class="required">*</span>' : '' ) . '</label> ' .
    			'<input id="email" name="email" ' . ( $html5 ? 'type="email"' : 'type="text"' ) . ' value="' . esc_attr( $commenter['comment_author_email'] ) . '" size="30" maxlength="100" aria-describedby="email-notes"' . $aria_req . $html_req . ' /></p>',
    		'url'    => '<p class="comment-form-url"><label for="url">' . __( 'A CUSTOM WEBSITE LABEL', 'textdomain' ) . '</label> ' .
    			'<input id="url" name="url" ' . ( $html5 ? 'type="url"' : 'type="text"' ) . ' value="' . esc_attr( $commenter['comment_author_url'] ) . '" size="30" maxlength="200" /></p>',
    	] + $fields;
    	// done customizing, now return the fields:
    	return $fields;
    }
    // empty the default comment textarea so it won't appear twice
    add_filter( 'comment_form_defaults', 'mo_remove_default_comment_field', 10, 1 );
    function mo_remove_default_comment_field( $defaults ) {
    	if ( isset( $defaults['comment_field'] ) ) {
    		$defaults['comment_field'] = '';
    	}
    	return $defaults;
    }

    Then, in the code above, replace “A CUSTOM … LABEL” with the text you need,

    BUT please be aware that the comment form HTML might also be replaced by the theme or a plugin, and re-replacing it this way could override that (and as far as I can see in your screenshot it seems that you already have a custom comment form).
    Also if you decide to go with the code above then the first re-ordering code is not necessary anymore, as the order in this code will set the fields order anyway.

    So, test around and see what you get. I’d love to know which way you go and the results you get 🙂

    Alex.

    Hi delifort, that would be easy, please add this code in the “functions.php” file in your currently active theme (hopefully a child one!):

    // change comment form fields order
    add_filter( 'comment_form_fields', 'mo_comment_fields_custom_order' );
    function mo_comment_fields_custom_order( $fields ) {
    	$comment_field = $fields['comment'];
    	$author_field = $fields['author'];
    	$email_field = $fields['email'];
    	$url_field = $fields['url'];
    	unset( $fields['comment'] );
    	unset( $fields['author'] );
    	unset( $fields['email'] );
    	unset( $fields['url'] );
    	// the order of fields is the order below, change it as needed:
    	$fields['comment'] = $comment_field;
    	$fields['author'] = $author_field;
    	$fields['email'] = $email_field;
    	$fields['url'] = $url_field;
    	// done ordering, now return the fields:
    	return $fields;
    }

    This unsets all comment form fields and then sets them back, switching the Email and Name fields – but you could switch any of them by swapping the 4 lines before the “return” as you need.

    Hope this helps 🙂
    Cheers!
    Alex.

    Hi ordresser, I’d give this plugin a try: Sewn In Simple Social Optimization

    It’s neat and simple, specifically designed for Titles and Descriptions, but could get really powerful when combined with its sibling plugins like this: https://wordpress.org/plugins/sewn-in-simple-seo/ or this: https://wordpress.org/plugins/sewn-in-xml-sitemap/

    There are also a few code snippets in the plugin description (of each one); you could use these to further enhance/modify the features.

    Hope these will help 🙂

    Cheers!
    Alex.

    Welcome TallSam, I’m glad I could help,

    In the meantime I completed the plugin with a page with options where you could enable/disable each of the features separately,

    If you care about that you could disable & delete your current version, then download, install and activate the new one 🙂

    You’ll need to go to the newly created settings page and check a few checkboxes at first activation of the new version (you’ll see a notice with a link guiding you to do that). I chose to go this way to make it clear that combined with the “Comment author must fill … ” option it will block commenting 😉

    Cheers!
    Alex.

    Welcome!
    Updated it, no cookie beyond this point 🙂 It might be necessary to delete the cookie already present in browser, then check if it reappears again (it shouldn’t). The new function only prevents creating the cookie, doesn’t delete the existing ones.

    Please deactivate & remove, then download, install and activate.
    Let me know if everything works alright!

    Best regards,
    Alex.

    Regarding the comment cookie: it’s used to store the comment author details, so these stay filled in their respective fields.
    In our case only the Name is used, as only this field is present.

    There’s a way to stop that cookie being set too, and doing so will make the Name field always show up empty, even for authors that have commented before, forcing them to type in their name each time they want to submit a comment.

    If that’s your intention please let me know and I’ll update the plugin 🙂

    Best regards,
    Alex.

    Ahh, that is correct 🙂

    I updated the plugin now, added a function that empties that text,

    Please deactivate & remove the plugin, then download and install again.

    Best regards,
    Alex.

    Hi, just uploaded an image file named literally:
    now-thats-a-really-really-really-really-really-long-file-name-for-an-image-file-to-try-to-upload-it-in-wordpress-media-manager-using-standard-functions.png
    Seems to be fine in Media Manager.

    However, the “imagenam~.jpg” is 8 characters long followed by a “~”, which suggests something like a browser that reads the “8.3 alias” of the file and uploads that instead of the regular long-named file. Are you using an older version of Windows?

    OR maybe your website is hosted on a Windows server and PHP is configured somehow that doesn’t pass the long name to it?

    A few more details about these would come in handy 🙂

    Best,
    Alex.
