Forum Replies Created

Viewing 11 replies - 1 through 11 (of 11 total)
  • kagsundaram


    I was about to start a new thread…

    …good thing I looked first.

    I have exactly the same problem.

    I have a commerce site, software for $$, registered subscribers get a discount, and a few items are free for registered Subscribers. (Email lists are good business)

    This plugin works great for restricting access to the discount price pages, however, once a person knows the URL of a free zip file in Media, it is downloadable without login, even though it is “protected” exactly as @agnoletti describes above.

    Thread Starter kagsundaram


    @nicolaskulka, I have a work-around which is simple, reasonable, safe, and adequate for my purposes, so I am setting the pursuit of a real solution aside for a while.

    The conditions engendering the problem are quite obscure and unlikely.
    The problem seems to require all of the following:

    * multisite
    * subdomain
    * WordPress Address (WordPress installation) one level beneath the root
    * Site Address (public URL) is root (i.e., https : / / myroot . com)
    * WordPress folder name does not begin “wp” (
    * the prime site (site 1) has set its own WPS Hide Login alias

    The last condition is highly unusual, as the prime site would usually rely on the alias set in the Network Admin.

    The work-around is this:
    In the database, in the table mydbtables_options (wp_options):
    * delete the entry “whl_page”

    This is simple and reasonable, because because on a subdomain multisite installation, the Network Administrator (who usually owns the prime site) can be expected to be comfortable using phpMyAdmin or equivalent.

    It is safe, because the the WPS Hide Login alias for the entire network will still be active from its home in mydbtables_sitemeta (wp_sitemeta), and the individual aliases (if any) of all of the other sites are undisturbed in mydbtables_##_options (wp_##_options).

    The problem should be fixed in software someday, a minor tweak, I would expect, to the 1.8 change, but it can be a very low priority, now that there is a work-around.

    ICYMI @eceleste

    • This reply was modified 1 year, 1 month ago by kagsundaram.
    Thread Starter kagsundaram


    …a slight problem…” due to the incomplete testing of a plugin fix, which solved somebody else’s problem, who was also using a quite sophisticated multisite setup, and, like my clients, required high security.

    Not that I blame anyone, it is a rather obscure problem. Many hours of poring through 20-KB trace dumps has narrowed the problem to occurring only on the primary site of a multisite installation, only if, as a security measure, the installation folder is one level deep and does not begin “wp…” in the folder name, and then only if the administrator of the prime site has set a WPS Hide Login alias from that site (as opposed to setting it from the network admin panel).
    That is a very obscure and unlikely set of conditions to be testing for.

    For the vast majority of WordPress users, having a WordPress installation bought for a small fraction of the hourly rate they would need to pay a senior software engineer is the best way to go, it serves their needs well.
    For others, more is needed. One of my clients is running a campaign for the presidency of a nation through secure multisite WordPress installation I created for him. A simple site was inadequate.

    I do appreciate the desire and attempt to help; it was good advice for the average WordPress installer, no one had any way of knowing from my initial post my level of expertise, or that I had designed, built and programmed my first computer when John F, Kennedy was president.

    • This reply was modified 1 year, 1 month ago by kagsundaram.

    @eceleste, I am glad for you that your code software found its way into the authorized plugin and has solved your problem.

    Unfortunately, that same software fix broke the plugin for me.


    I am right now looking at that software on two screens, one in the tg-sites-menu repository, and the other in the current version of the plugin as installed on one of my sites.

    (I had previously confirmed that yes, it does work properly on a subfolders multisite installation; one of mine is in that configuration.)

    It looks like the fix will be fairly simple, but… …which simple fix?
    I do not face the same problem of partial-multisite login, so if I test it as working, I may have undone what you set out to fix, unknowingly.

    Looking at the regex software here, I have written code like that, and then when I get back to it a year later, I wonder what it was that I did. Regex is fun and difficult.

    So I am hoping we can find some means of cooperation on this, both for efficiency and to avoid regression.

    Please read the other post, and point me to where the most likely starting point for the fix would be. (I am fairly certain it lies between lines #142-148 of classes/plugin.php)

    Thread Starter kagsundaram


    Thanks for the the link, @nicolaskulka

    I looked at the original ticket (and the website of the post author), and, as I expected, the original poster (and author of the fix) seems to have a subfolders multisite rather than a subdomain multisite.

    I will be looking at that fix (as soon as I can break free of the software of my own plugins) and see what I can do to improve on it, so that it will work for subdomain multisites as well.

    Again, thank you for the link.

    Thread Starter kagsundaram


    There is nothing improper about the way the site is installed.

    It does make use of all of the sophistication which WordPress provides.

    Yes, subdomain installs are tricky. It took me many weeks to get it right when I first set it up a decade ago.

    It was working fine with this plugin for years, until a few months ago, which was, as I noted, the same time that the changes log for this plugin notes a change in the way multisite is handled.

    I have found it common for plugin authors to fail to test their plugins in all legitimate configurations of WordPress; it requires have multiple testbed sites. The plugin that I am currently writing, my fourth, is on two sites, and will be tested on three others, with different configurations, before being offered to the public.
    However, it is clear that Nikolas has indeed taken the time and effort to test on multiple configurations; but this one little problem is an easy one to miss in testing.

    Same problem, but only when uploading from a mobile device. Curious.

    Thread Starter kagsundaram


    There may be a problem in the WordPress core concerning confusion between Home URL and Site URL for some MultiSite configurations.
    Or maybe not.

    The code below works on my installation for URLs of uploaded files edited directly into the “…insert an image url manually:” box.

    It does not work for images selected with the “Select an Image File” button.


    * function wpclpl_image_dimensions()
    * @param boolean $return (default: false)
    * returns or echoes image dimensions
    function wpclpl_image_dimensions( $return=false ){

    global $wpclpl_plugin_options;

    if( !empty( $wpclpl_plugin_options[‘wpclpl_logo_url’] ) ){

    // file location
    if( wpclpl_file_is_local() === true ){

    $wpclpl_logo_url = esc_url($wpclpl_plugin_options[‘wpclpl_logo_url’]);

    $wpclpl_logo_url = str_replace(‘www.’,”, $wpclpl_logo_url);
    $sadhu_site_url = site_url();
    $sadhu_slashed = $sadhu_site_url.’/’;
    $wpclpl_logo_url = str_replace($sadhu_slashed, ”, $wpclpl_logo_url);

    $wpclpl_logo_pathinfo = pathinfo($wpclpl_logo_url);
    $wpclpl_logo_file_path = ABSPATH.’/’.$wpclpl_logo_pathinfo[‘dirname’].’/’.$wpclpl_logo_pathinfo[‘basename’];

    $wpclpl_logo_dimensions = getimagesize($wpclpl_logo_file_path);

    $wpclpl_logo_width = $wpclpl_logo_dimensions[0];
    $wpclpl_logo_height = $wpclpl_logo_dimensions[1];

    if( !$return ){
    <span class=”wpclpl-logo-size wpclpl-description”><?php _e(‘Original size’,’wpclpl’); ?>: <span id=”wpclpl-logo-width”><?php echo $wpclpl_logo_width; ?></span> x <span id=”wpclpl-logo-height”><?php echo $wpclpl_logo_height; ?></span>px</span>
    } else {
    return array($wpclpl_logo_width,$wpclpl_logo_height);

    } else {

    // external file: can’t read image dimensions.
    if( !$return ){
    <span class=”wpclpl-description”><?php _e(“Note: The Plugin can not read dimensions of external files. Please add them to your stylesheet manually.”,’wpclpl’); ?></span>
    } else {
    return ”;





    I followed “; as closely as possible.

    Thread Starter kagsundaram


    I have listed the output of the echo statements in a comment on the fix page.

    Thread Starter kagsundaram


    It has been an enlightening four hours.

    As I see it, there are two problems in WPCLPL, perhaps three.

    As a preface, the “perhaps”. I don’t know whether the stored URL before today had the “wordpress” elided out back when it was working, or whether it had already been changed in error since the failure. Nor how it worked at all that way, if it was that way before.
    With that out of the way…

    Problem #1: Because this is a “Server Alias” system (the only way subdomain WP multisite will work the way IX has configured their servers) the “SERVER” ($_SERVER[‘SERVER_NAME’]) is ‘, although the apparent server is “’. Thus when $_SERVER[‘SERVER_NAME’] is used to strip off the server from the URL, ‘sadhu.’ is left behind to cause trouble.

    Problem #2: Because the WordPress installation is in /wordpress/ but the apparent directory, the URL for login, is the root, the /wordpress/ was getting dropped out of the URL string as it was being reconstructed.

    Multisite has many variations of installation, all of which must be considered. There is first the simple subdirectories-vs-subdomains choice. I believe that if subdirectories everything is easier for us plugin developers.

    Then there is the choice between three possible configurations of home and installation directories.

    • WordPress may be installed in the root.
    • WordPress may be installed in, with login at
    • WordPress may be installed in, with login at an aliased (My configuration. It is non-obvious how to install this way.)

    Then there ares the variations in how the host server configuration handles subdomains. This is NOT a choice of the WordPress administrator, usually. It is generally pre-set by the host company. Sometimes it varies at one hosting firm between dedicated-IP and shared-IP accounts, however, there is frequently no difference between these two. The configurations I have seen are:

    • Real subdomains, with an index.php in each to point to the wordpress installation in the root domain.
    • Real subdomains, with .httacces aliasing to the WordPress installation in the root domain.
    • Aliased subdomains, which don’t “actually exist”, they are merely “served by” the server of the root domain, where WordPress can intercept these requests. (This is the setup I am stuck with.)

    I suspect that there is some combination of ABSPATH, SERVER_ROOT, etc. etc. that will resolve all of these differences.
    However, this knowledge is not clearly documented in any easy to find place.
    I will keep looking.


    Thread Starter kagsundaram


    I got it working.

    It needed significant rework around lines ~310-330.

    I have published an excerpt, containing all my changes, ugly test-code echoes and all. Later I expect to clean it up, and add some switches, because what works for a server-aliased subdomain system will probably not work for a served subdomain system, nor for a subdirectory system.

    More in the next post. For now, here is the fix that works on the IXwebhosting Apache server.

Viewing 11 replies - 1 through 11 (of 11 total)