Caleb

BTW.. WordFence do not even see or control the loading of asset files, such as file-images, font files, CSS files and others, because they do not load up through PHP or WordPress at all.. They are pulled directly by the web-server; if allowed by it’s rules.

Only uploaded images (which are actually represented in your pages as WordPress links, not as file-system files) can be seen by WordPress/WordFence.

The hacker do not need your WordFence email to find a link to your site. They know it.
They do not need access to your email account either. Just an address.
The hackers have no problem knowing your site. Or generally knowing all the millions of domains running WordPress. They already know. Just like comment spammers know. WordPress run sites are as obvious as the nose on our faces unfortunately.
But they need you to be used to clicking on or expecting an admin link in an email.

You are right, however, that some WordFence alert emails seem to contain up to multiple links back to your site’s admin pages already, which makes adding just one more such link kinda make no difference at all.. 🙂 If the door to phishing is 90% open already, then opening it to 99% makes no never mind. 🙂
The daily “Problem” email from scans with Plugin updates & such, though, has no site links in it. At least mine do not.

That some obscure, random WordPress programmer added a link to a WordPress email means nothing to me. My experience is that most programmers of such side-order code do not think of security at all. Just watch all the “security patches” we keep receiving for all kinds of products; repeatedly, often, and again. 🙂

Yes, Opcode Cache (Zend Opcode cache) cannot traditionally (without some special programming) cache anything except OpCodes.. (It does not cache the PHP files, but their “compiled” intermediary codes.)
Since PHP is not normally a real “compiled into machine language” language, but is merely compiled into Opcodes, which are then “executed” by the PHP interpreter.
I say “normally”, because there actually IS a full-blooded compiler-to-machine code for PHP.. Used if someone needs real speed. (Facebook picked it up and invested in making it complete, since they need better than interpreted PHP can provide. 🙂

The Opcode Cache caches these intermediary Opcodes, saving that first step of reading all that PHP text, syntax checking it, and “compiling” it.

Opcode Cache does not cache text files, CSS files, DB queries or other things.

But if you change a link to CSS in a direct PHP file, or make other changes in a PHP file, there can be an up to 60 second delay before the link-change is visible. Before the file timestamp is checked and it figures out that the Opcode cache needs updating.

If you make CSS changes (changes in CSS files) on a production site, you have worse problems, since CSS files are typically set up to cache long-term on the User’s workstation. To stop it from reloading CSS and images over and over.
To see a change in how the site is viewed in a browser, you might have to use some browser-cache-busting methods.. (Like changing the ‘ver=’ parameter on the link.)
If you do browser cache busting by changing the ver= parameter in a PHP file, then yes, that link change could be delayed for up to 60 seconds. Not a big issue on a production site. 🙂
But that is why, on a development system, you typically set the check interval to 0. Don’t wanna wait to see changes. 🙂

Posts do not make changes in PHP files, merely in the DB, and so are not affected by this setting at all.

In older PHP versions we used Zend, APC (Alternate PHP Cache), or other Opcode caches., which might also support other things. In PHP 7, the Opcode (Zend) Cache is a default, builtin thing, and PHP7 no longer support APC at all.
That’s why we now have APCu (APC-user cache), which is APC without the Opcode caching, but still providing User-data caching.

I use APCu for caching DB queries, page caching, and many other mysterious things. 🙂
And if WordPress sees that APC/APCu is present, it will use it for transient and db caching. Saves away all the goober DB queries to the options table for all the “transient” data and options all of WordPress and many plugins use. The data is sitting in APC/APCu’s shared memory cache instead.

That’s the PHP default.
The actual “default” set locally can be different, depending on the hosting setup. Since a long update frequency can make changes in PHP files seem to not work (show up delayed), some or many hosting environments set it to 0, because that stops the support calls. 🙂

Mine was ‘0’ before I changed it to ’60’. 🙂

You would see your local ‘default’, if you removed that setting again, and then looked in the PHPinfo to see what it was before you changed it.

Currently the only links in the email is to wordpress.org, which of course could be spoofed, but would not give anyone YOUR site’s login/password.

However, if a link to YOUR site was added to the WordFence emails, knowing just your email address and your site, one could easily create a spoof-site that presents a login that look’s exactly like it would coming from your site. Then they simply send you an email that looks exactly like a “Problems found on YOURSITE” WordFence email.

You click the link, see the WP login (from what looks like your site, except if you studied the domain-name closely), you type in your admin/password on the spoof-site, and they then redirect you back to your REAL site..
If you get another login-page, which would not likely happen, you think “Shoot, must have mistyped” and do it again.

Phishing accomplished. They have your admin-login and password. Ready for infection of your site and other abuse.

I agree with @wfyann & Co.. No links to the web-site in the email. It would be seriously ripe for abuse across every site with WordFence installed.

NEVER click on links in emails unless you love infections and viruses. 🙂

I think that the main thing to learn immediately from what the query looks like, is that there is no Pods involvement at all, except for Pods having set the ‘post_type’ to something other than ‘post’, when the post was created.

Since the query only looks for a post with the same post type (whatever post type you have on the page) and a datetime less or larger than current post, there is no real Pods involvement at all. It only looks in your posts table.

More importantly, if you DO NOT find these queries on the debug page, that means that it did not even try.. The only thing that theoretically could make that happen, is if get_adjacent_post short-circuits itself because it’s initial ‘get_post()’ failed.
In other words, it cannot see what the current post actually is, and so has nothing to compare to. If that happens, you have learned a lot. 🙂

Please let us know what these queries look like when you find them.
For future brain-caching. 🙂

BTW, Jim.. The Theme does not display “nothing”.. As I mentioned, if you do a view source, the NAV html code is there. But the link locations are simply empty, because nothing is returned from WP.. The theme has no way of knowing that the WP functions returning nothing is actually wrong, since that is also the result if a post has no previous or no next. 🙂

If you only had one post in a post_type, both previous and next would always be empty. No way to see that as a failure that a theme would want to report to a visitor. 🙂

It is not the theme. Septera does it the same as any other.
Looking at his page source, the link locations and mark-up are there from the theme, except that the WP functions previous_post_link() and next_post_link() are returning nothing. So no links show up.

It is a WordPress thing, as WordPress is not seeing these posts as related in a next/previous kinda way.

@jhabdas, You mentioned that one post type is hierarchical? Which one?