papapup
Forum Replies Created
Happy Day @wfpeter,
Thank you for the update and recommended approaches.
We have checked that each of Domain A, Domain B and Domain C has its own .htaccess.
Domain A & B are as below, whereas Domain C’s .htaccess relates to RoundCube, which I am not publishing here.
# BEGIN WordPress
# The directives (lines) between "BEGIN WordPress" and "END WordPress" are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
# Wordfence WAF
<IfModule LiteSpeed>
php_value auto_prepend_file '/home/pathto/theDomain/wordfence-waf.php'
</IfModule>
<IfModule lsapi_module>
php_value auto_prepend_file '/home/pathto/theDomain/wordfence-waf.php'
</IfModule>
<Files ".user.ini">
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order deny,allow
Deny from all
</IfModule>
</Files>
# php -- BEGIN cPanel-generated handler, do not edit
# Set the “ea-php74” package as the default “PHP” programming language.
<IfModule mime_module>
AddHandler application/x-httpd-ea-php74 .php .php7 .phtml
</IfModule>
# php -- END cPanel-generated handler, do not edit
For Domain D, we have checked that there isn’t any .htaccess in the /home/pathto directory. However, there is one under /home/pathto/public_html, where Domain D, being the primary domain, is typically assigned, as below
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://DomainD.com/$1 [R,L]
# php -- BEGIN cPanel-generated handler, do not edit
# Set the “ea-php74” package as the default “PHP” programming language.
<IfModule mime_module>
AddHandler application/x-httpd-ea-php74 .php .php7 .phtml
</IfModule>
# php -- END cPanel-generated handler, do not edit
Where Wordfence is installed, Domain A and Domain B each have their own user.ini
; Wordfence WAF
auto_prepend_file = '/home/pathto/theDomain/wordfence-waf.php'
; END Wordfence WAF
Can I say in conclusion, there shouldn’t be anything that could redirect it to WordFence from RoundCube?
While the “learning mode” provides the solution to it, we didn’t experience any of these for 4 years until now. Therefore it did prompt us to do a major drill-down into this matter, leading to WordFence reporting the following code as being blocked as a potentially malicious XSS (Cross-Site Scripting)
<style type="text/css">@font-face
{ font-family: "Cambria Math"; }
@font-face
{ font-family: DengXian; }
@font-face
{ font-family: Aptos; }
@font-face
{ font-family: "Gill Sans MT"; }
@font-face
{ font-family: Tahoma; }
@font-face
{ font-family: "@DengXian"; }
#replybody1 p.MsoNormal, #replybody1 li.MsoNormal, #replybody1 div.MsoNormal
{ margin: 0cm; font-size: 12.0pt; font-family: "Aptos",sans-serif; mso-ligatures: standardcontextual; }
#replybody1 span.EmailStyle17
{ mso-style-type: personal-compose; font-family: "Aptos",sans-serif; color: windowtext; }
#replybody1 .MsoChpDefault
{ mso-style-type: export-only; }
@page WordSection1
{ size: 612.0pt 792.0pt; margin: 72.0pt 72.0pt 72.0pt 72.0pt; }
#replybody1 div.WordSection1
{}</style>
Looking at the above, it sure doesn’t look malicious. Can you confirm?
Appreciate your input on this, as security is of utmost importance to us and should be to everyone! 🙂
Details in this reply have been added to the above
- This reply was modified 1 year, 8 months ago by papapup.
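One way to check the question raised in the post above, as an added example (not code from the poster or from Wordfence): Apache applies a parent directory's .htaccess to its subdirectories, and PHP under CGI/FastCGI/LSAPI reads .user.ini from the script's directory up to the document root, so this walks upward from an application directory and lists every auto_prepend_file directive that would also apply to it. The function names and the directory tree built in demo() are constructed for illustration; nesting webmail under a WordPress directory is a hypothetical layout, not one stated in the post.

```python
import re
import tempfile
from pathlib import Path

# Matches both forms seen in the post; anchored at line start, so lines
# commented out with '#' or ';' never match.
#   .htaccess:  php_value auto_prepend_file '/path/wordfence-waf.php'
#   .user.ini:  auto_prepend_file = '/path/wordfence-waf.php'
DIRECTIVE = re.compile(
    r"""^\s*(?:php_(?:admin_)?value\s+)?auto_prepend_file\s*=?\s*['"]?([^'"\s]+)""",
    re.IGNORECASE)

def prepend_sources(start, stop):
    """Walk from `start` up to `stop` (inclusive) and return
    [(config_file, prepended_script), ...] for each directive found."""
    start, stop = Path(start).resolve(), Path(stop).resolve()
    if start != stop and stop not in start.parents:
        raise ValueError(f"{start} is not inside {stop}")
    hits, directory = [], start
    while True:
        for name in (".htaccess", ".user.ini"):
            cfg = directory / name
            if not cfg.is_file():
                continue
            for line in cfg.read_text(errors="replace").splitlines():
                m = DIRECTIVE.match(line)
                if m:
                    hits.append((str(cfg), m.group(1)))
        if directory == stop:
            return hits
        directory = directory.parent

def demo():
    """Constructed tree: a webmail directory nested under a WAF-enabled site."""
    root = Path(tempfile.mkdtemp()).resolve()
    site = root / "theDomain"
    mail = site / "webmail"        # hypothetical nesting, not from the post
    mail.mkdir(parents=True)
    waf = "/home/pathto/theDomain/wordfence-waf.php"
    (site / ".htaccess").write_text(
        "# Wordfence WAF\n<IfModule lsapi_module>\n"
        f"php_value auto_prepend_file '{waf}'\n</IfModule>\n")
    (site / ".user.ini").write_text(f"; Wordfence WAF\nauto_prepend_file = '{waf}'\n")
    (mail / ".htaccess").write_text("RewriteEngine On\n")  # no prepend of its own
    return [(Path(f).name, script) for f, script in prepend_sources(mail, root)]
```

An empty result for the webmail directory means no .htaccess or .user.ini on its path loads the WAF; any hit names the file responsible.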
LOL! I had to read the paragraph….
The post author, users that can edit the post, and any users of roles with the restrict_content capability can always view the post, regardless of their role.
with this
Since the Editor can edit pages, the Content Permission will not work for them.
and staring at the Content Permission section of the page…. many times to get the logic!
I guess the reason the Administrator and Editor roles are left there is in case the role has been altered for whatever reason.
Thanks for the great explanation! I suggest that this be put up as a FAQ.
As for the hook, let me try it out. Will post another question if I need help.
Thanks again.
- This reply was modified 2 years, 11 months ago by papapup.
My further testing to determine why an Editor role user can still see the page content despite the page content permission being set to other roles shows it is because of two capabilities that somehow let it show the content
1. edit_others_pages; and
2. edit_published_pages
Now, the question is truly then, is this a bug?
Hi @wfjanet,
Any update to this?
@wfjanet,
Disabling the reCAPTCHA as suggested allows the registration to go through.
To reaffirm, the configuration is as below
WF -> Login Security -> Settings Tab
– WooCommerce Integration = ON
– Use single-column layout for WooCommerce/shortcode 2FA management interface = ON
– Enable reCAPTCHA on the login and user registration pages = OFF
If “Enable reCAPTCHA on the login and user registration pages” is turned ON, the registration gets blocked.
NOTE: I have also emailed the diagnostic with the forum username @papapup
Thanks in advance.
wfjanet,
The result is still the same. It’s showing the following error message.
REGISTRATION ATTEMPT BLOCKED: This site requires a security token created when the page loads for all registration attempts. Please ensure JavaScript is enabled and try again.
@wfjanet,
Let me set it up and get back to you. Thanks!
Forum: Plugins
In reply to: [Gutenberg] Gutenberg v15.5.x causing conflict to WooCommerce 7.5.1
Hi @zoonini,
The issue is resolved on my end.