Title: Synchro's Replies | WordPress.org

---

# Synchro

  [  ](https://wordpress.org/support/users/synchro/)

 *   [Profile](https://wordpress.org/support/users/synchro/)
 *   [Topics Started](https://wordpress.org/support/users/synchro/topics/)
 *   [Replies Created](https://wordpress.org/support/users/synchro/replies/)
 *   [Reviews Written](https://wordpress.org/support/users/synchro/reviews/)
 *   [Topics Replied To](https://wordpress.org/support/users/synchro/replied-to/)
 *   [Engagements](https://wordpress.org/support/users/synchro/engagements/)
 *   [Favorites](https://wordpress.org/support/users/synchro/favorites/)

 Search replies:

## Forum Replies Created

Viewing 15 replies - 1 through 15 (of 16 total)

1 [2](https://wordpress.org/support/users/synchro/replies/page/2/?output_format=md)
[→](https://wordpress.org/support/users/synchro/replies/page/2/?output_format=md)

 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[Advanced Custom Fields (ACF®)] PHP Fatal error on update to version 5.7.11](https://wordpress.org/support/topic/php-fatal-error-on-update-to-version-5-7-11/)
 *  [Synchro](https://wordpress.org/support/users/synchro/)
 * (@synchro)
 * [7 years, 3 months ago](https://wordpress.org/support/topic/php-fatal-error-on-update-to-version-5-7-11/#post-11202711)
 * I had a problem with the 5.7.10-5.7.11 update too – it was throwing a fatal error
   in both admin and on site saying that the function acf_add_local_field_group 
   was not defined. I did this same trick with the version number, and it came back
   to life, and I reinstalled the plugin.
 * Now it _says_ that it upgraded successfully, but if I check for updates again,
   it keeps suggesting the same update. I can see in the files that it is running
   5.7.11, but WP seems convinced it’s still 5.7.10.
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[Wordfence Security - Firewall, Malware Scan, and Login Security] Blocking access to .user.ini](https://wordpress.org/support/topic/blocking-access-to-user-ini/)
 *  Thread Starter [Synchro](https://wordpress.org/support/users/synchro/)
 * (@synchro)
 * [7 years, 4 months ago](https://wordpress.org/support/topic/blocking-access-to-user-ini/#post-11080922)
 * I am using 2.4. I tried using `<FilesMatch "\.ini$">` as well but that didn’t
   work either, however, the rewrite suggestion does work, so thanks for that. I’d
   still really like to know _why_ the Files or FilesMatch directives don’t work,
   especially since they are what is recommended in the docs.
    -  This reply was modified 7 years, 4 months ago by [Synchro](https://wordpress.org/support/users/synchro/).
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[Wordfence Security - Firewall, Malware Scan, and Login Security] WordFence requires unsafe-eval in CSP](https://wordpress.org/support/topic/wordfence-requires-unsafe-eval-in-csp/)
 *  Thread Starter [Synchro](https://wordpress.org/support/users/synchro/)
 * (@synchro)
 * [7 years, 5 months ago](https://wordpress.org/support/topic/wordfence-requires-unsafe-eval-in-csp/#post-10982838)
 * I’ve run into another one of these with Wordfence 7.1.18 when loading the WF 
   dashboard page on a fresh install with WP 4.9.8:
 * \`
    [Error] EvalError: Refused to evaluate a string as JavaScript because ‘unsafe-
   eval’ is not an allowed source of script in the following Content Security Policy
   directive: “script-src ‘self’ ‘unsafe-inline’ [http://www.google-analytics.com](http://www.google-analytics.com)
   [http://www.bugherd.com](http://www.bugherd.com) “.
 *  Function (jquery.tmpl.min.1543941426.js:10:3544)
    o (jquery.tmpl.min.1543941426.
   js:10:3544) template (jquery.tmpl.min.1543941426.js:10:2004) tmpl (jquery.tmpl.
   min.1543941426.js:10:1423) tmpl (jquery.tmpl.min.1543941426.js:10:938) wafConfigPageRender(
   admin.1543941426.js:3230) (anonymous function) (admin.php:238) i (load-scripts.
   php:2:27455) fireWith (load-scripts.php:2:28215) ready (load-scripts.php:2:30018)
   K (load-scripts.php:2:30374) `
 * Again, I find it absolutely mystifying that a security product would require 
   you to disable one of the most effective ways to combat XSS available in order
   to use it. You should be encouraging users to use _tighter_ security, not the
   reverse. Are you not dogfooding this? Do you not run Wordfence on sites with 
   CSP reporting turned up full? This isn’t some weird edge case, it’s absolutely
   basic web security applicable to everyone. If your templating system requires
   unsafe-eval, it’s time to find a templating system that’s not broken.
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[Wordfence Security - Firewall, Malware Scan, and Login Security] Wordfence WAF won’t run on a read-only system](https://wordpress.org/support/topic/wordfence-waf-wont-run-on-a-read-only-system/)
 *  Thread Starter [Synchro](https://wordpress.org/support/users/synchro/)
 * (@synchro)
 * [7 years, 8 months ago](https://wordpress.org/support/topic/wordfence-waf-wont-run-on-a-read-only-system/#post-10666453)
 * Thanks. I’ve implemented that and it’s now happy running read-only.
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[Wordfence Security - Firewall, Malware Scan, and Login Security] Wordfence WAF won’t run on a read-only system](https://wordpress.org/support/topic/wordfence-waf-wont-run-on-a-read-only-system/)
 *  Thread Starter [Synchro](https://wordpress.org/support/users/synchro/)
 * (@synchro)
 * [7 years, 9 months ago](https://wordpress.org/support/topic/wordfence-waf-wont-run-on-a-read-only-system/#post-10552669)
 * I can switch write access on and off – the problem I have with wordfence is that
   I can set it all up and configure it all (including the WAF), and it’s happy,
   but if I then set it to read-only, it breaks, and actually disables the WAF. 
   That seems entirely unnecessary – I can see that things like logging within the
   webroot might be a problem, but I can’t see any good reason to break in that 
   scenario – more to the point, breaking logging is a much less serious problem
   than disabling the entire protection system, which is what it does at preesent.
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[Wordfence Security - Firewall, Malware Scan, and Login Security] WordFence requires unsafe-eval in CSP](https://wordpress.org/support/topic/wordfence-requires-unsafe-eval-in-csp/)
 *  Thread Starter [Synchro](https://wordpress.org/support/users/synchro/)
 * (@synchro)
 * [7 years, 11 months ago](https://wordpress.org/support/topic/wordfence-requires-unsafe-eval-in-csp/#post-10403392)
 * I understand that, and I’ve done that purely so _I_ can do so, but it seems contradictory
   to have to require _everyone_ to disable an important anti-xss security measure
   to enable a security product, not the kind of practice that should be encouraged!
 * Disabling that element of a CSP is a temporary workaround, not an appropriate
   long-term solution, which would be to implement the review check without needing
   unsafe-eval in the first place, which is why I tagged this as a bug.
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[Wordfence Security - Firewall, Malware Scan, and Login Security] WordFence requires unsafe-eval in CSP](https://wordpress.org/support/topic/wordfence-requires-unsafe-eval-in-csp/)
 *  Thread Starter [Synchro](https://wordpress.org/support/users/synchro/)
 * (@synchro)
 * [7 years, 11 months ago](https://wordpress.org/support/topic/wordfence-requires-unsafe-eval-in-csp/#post-10391424)
 * I’ve just run into more of a blocker with the same cause: After upgrading to 
   Wordfence 7.1.7, it’s showing me a dialog that requires me to review the terms,
   however, clicking either of the review buttons results in a CSP violation due
   to needing unsafe-eval, so I can’t get past it.
 *     ```
       [Error] EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'unsafe-inline'".
   
       	Function (jquery.tmpl.min.1528224180.js:10:3544)
       	o (jquery.tmpl.min.1528224180.js:10:3544)
       	template (jquery.tmpl.min.1528224180.js:10:2004)
       	tmpl (jquery.tmpl.min.1528224180.js:10:1423)
       	tmpl (jquery.tmpl.min.1528224180.js:10:938)
       	(anonymous function) (admin.php:261)
       	dispatch (load-scripts.php:3:12450)
       	handle (load-scripts.php:3:9179)
       	trigger (load-scripts.php:3:11579)
       	trigger (load-scripts.php:9:8280)
       	(anonymous function) (load-scripts.php:3:18999)
       	each (load-scripts.php:2:2886)
       	each (load-scripts.php:2:851)
       	trigger (load-scripts.php:3:18972)
       	onclick (admin.php:246)
       ```
   
    -  This reply was modified 7 years, 11 months ago by [Synchro](https://wordpress.org/support/users/synchro/).
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[Wordfence Security - Firewall, Malware Scan, and Login Security] WordFence requires unsafe-eval in CSP](https://wordpress.org/support/topic/wordfence-requires-unsafe-eval-in-csp/)
 *  Thread Starter [Synchro](https://wordpress.org/support/users/synchro/)
 * (@synchro)
 * [7 years, 11 months ago](https://wordpress.org/support/topic/wordfence-requires-unsafe-eval-in-csp/#post-10357938)
 * I just managed to trash my nginx config by accident and I can’t remember where
   I saw this error originally, but I’ve managed to provoke another one (I think
   the one I spotted originally was more obvious than this); I’m getting this stack
   trace when clicking the “Enable firewall” button in wp-admin:
 *     ```
       [Error] EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' ".
   
       	Function (jquery.tmpl.min.1527005958.js:10:3544)
       	o (jquery.tmpl.min.1527005958.js:10:3544)
       	template (jquery.tmpl.min.1527005958.js:10:1915)
       	tmpl (jquery.tmpl.min.1527005958.js:10:1423)
       	colorboxModal (admin.1527005958.js:1863)
       	(anonymous function) (admin.1527005958.js:3266)
       	success (admin.1527005958.js:1818)
       	i (load-scripts.php:2:27455)
       	fireWith (load-scripts.php:2:28215)
       	y (load-scripts.php:4:22733)
       	c (load-scripts.php:4:26927)
       ```
   
 * In the page source I can see that the script handler for this button immediately
   follows the button in the layout – that’s permitted with unsafe-inline (though
   it would be better to get rid of that too), but I’m not sure why it’s trigging
   unsafe-eval.
 * Incidentally, another thing flagged by my CSP is your use of the Roboto font 
   from google fonts. Wordfence is the only thing using an external font on my site.
   It looks fine without it, but it would be better if it didn’t ask for it.
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[NinjaFirewall (WP Edition) - Advanced Security Plugin and Firewall] Spurious "Files modified" alerts](https://wordpress.org/support/topic/spurious-files-modified-alerts/)
 *  Thread Starter [Synchro](https://wordpress.org/support/users/synchro/)
 * (@synchro)
 * [10 years, 5 months ago](https://wordpress.org/support/topic/spurious-files-modified-alerts/#post-6773187)
 * It was for 120 different files, all not owned by the web server and all marked
   read-only.
 * I just got another one of these and checked the ctime, and indeed it has a recent
   timestamp, however, the contents of the file has not been changed and appears
   innocuous.
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[Wordfence Security - Firewall, Malware Scan, and Login Security] "You need to manually update your .htaccess"](https://wordpress.org/support/topic/you-need-to-manually-update-your-htaccess/)
 *  Thread Starter [Synchro](https://wordpress.org/support/users/synchro/)
 * (@synchro)
 * [10 years, 11 months ago](https://wordpress.org/support/topic/you-need-to-manually-update-your-htaccess/#post-6172834)
 * Sorry, that wasn’t clear. The error message is “You need to manually update your.
   htaccess”, and then it shows me a dialog with what should be put into .htaccess,
   but that’s not applicable because I’m using nginx. It’s not clear if the nginx
   config needs anything to be significantly different to the config I linked to
   to allow caching over https.
 * [Screen shot](http://imgur.com/gallery/lTdb5YJ)
 * The “security concerns” comment was just me saying that there are security measures
   available outside wordpress – for example changing ownership of files so that
   nothing can be written by WP, using fail2ban etc. I was quite surprised to find
   that WF doesn’t mention ownership/permissions as a security measure.
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[NK Google Analytics] Installed, everything says it's ok, but no tracking code is visible](https://wordpress.org/support/topic/installed-everything-says-its-ok-but-no-tracking-code-is-visible/)
 *  Thread Starter [Synchro](https://wordpress.org/support/users/synchro/)
 * (@synchro)
 * [11 years, 10 months ago](https://wordpress.org/support/topic/installed-everything-says-its-ok-but-no-tracking-code-is-visible/#post-5064751)
 * I think this was my fault – I misinterpreted the meaning of “NK Google Analytics
   Status” as enabling some kind of status display, not that it turned the plugin
   on.
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[Cookie Control] [Plugin: Cookie Control] No Async Analytics code?](https://wordpress.org/support/topic/plugin-cookie-control-no-async-analytics-code/)
 *  [Synchro](https://wordpress.org/support/users/synchro/)
 * (@synchro)
 * [13 years, 11 months ago](https://wordpress.org/support/topic/plugin-cookie-control-no-async-analytics-code/#post-2764636)
 * I didn’t put it inside the plugin at all as that would break when the plugin 
   is updated. The plugin calls whatever function name you give it, so I named it
   not to clash with its own implemntation and just included it in my own pages 
   by sticking the script in the footer.
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[Cookie Control] [Plugin: Cookie Control] No Async Analytics code?](https://wordpress.org/support/topic/plugin-cookie-control-no-async-analytics-code/)
 *  [Synchro](https://wordpress.org/support/users/synchro/)
 * (@synchro)
 * [13 years, 12 months ago](https://wordpress.org/support/topic/plugin-cookie-control-no-async-analytics-code/#post-2764482)
 * Indeed, there are several problems in this area.
 * Firstly, the instructions tell you to enter `ccADDAnalytics()` in the On Accept
   and On CookiesAllowed fields, yet the function provided is called `ccAddAnalytics`,
   and since JS is case-sensitive, that won’t work.
 * The instructions also tell you to create that function, however, the plugin already
   includes one (even if you leave the GA ID field empty, which I’d definitely class
   as a bug), so if you create one as instructed you’ll have a name clash.
 * I rewrote the function (and renamed it so the built-in one isn’t called) to use
   the async version:
 *     ```
       <script type="text/javascript">
       function ccAddAnalytics2() {
         "use strict";
         var _gaq = _gaq || [];
         _gaq.push(['_setAccount', 'UA-XXXXXX-XX']);
         _gaq.push(['_trackPageview']);
         (function() {
           var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
           ga.src = ('https:' === document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
           var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
         })();
       }
       </script>
       ```
   
 * All works for me now.
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[Import Users from CSV] [Plugin: Import Users from CSV] No user was successfully imported](https://wordpress.org/support/topic/plugin-import-users-from-csv-no-user-was-successfully-imported/)
 *  [Synchro](https://wordpress.org/support/users/synchro/)
 * (@synchro)
 * [14 years, 2 months ago](https://wordpress.org/support/topic/plugin-import-users-from-csv-no-user-was-successfully-imported/#post-2598873)
 * I’m seeing the same thing, even with the example CSV file. It says
    `No user 
   was successfully imported, please check the error log.` The error log is created,
   but it’s empty. No permissions problems, no PHP errors logged. This is on a brand
   new install of WordPress 3.3.1 with no other plugins, running on PHP 5.3.2.
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[WP Splash Image] [Plugin: WP Splash Image] Adds excess slashes in HTML tab](https://wordpress.org/support/topic/plugin-wp-splash-image-adds-excess-slashes-in-html-tab/)
 *  Thread Starter [Synchro](https://wordpress.org/support/users/synchro/)
 * (@synchro)
 * [14 years, 3 months ago](https://wordpress.org/support/topic/plugin-wp-splash-image-adds-excess-slashes-in-html-tab/#post-2541248)
 * I can confirm that it’s fixed, thanks very much for dealing with it so quickly.

Viewing 15 replies - 1 through 15 (of 16 total)

1 [2](https://wordpress.org/support/users/synchro/replies/page/2/?output_format=md)
[→](https://wordpress.org/support/users/synchro/replies/page/2/?output_format=md)