Forum Replies Created

Viewing 15 replies - 1 through 15 (of 23 total)
  • arcane

    (@arcarcane2012)

    This really looks like a miscommunication to me. 8.5.0 was released Jan 7th according to their github, out for a bit but withdrawn because of an unrelated issue. You can see the issues in several of the posts in this forum. Automattic folks have been saying that they’d have v8.5.1 out by Monday.

    Wordfence likely didn’t know that it was withdrawn and waited their few days before releasing the information about the vulnerability and here we are with a medium severity vulnerability and no patch at the moment. I’ve taken my shop offline for the weekend as a result.

    • This reply was modified 1 year, 2 months ago by James Huff.
    • This reply was modified 1 year, 2 months ago by arcane.
    arcane

    (@arcarcane2012)

    Following, as I have the same issue. It seems like anything related to WooCommerce is also very slow to load (Settings, Customers, Dashboard, etc). I’m thinking because it’s trying to do the database update or at least check on every page load.

    I will be investigating further on the emails part. My Admin emails were readable but my customer who checked out as guest tried to log in to the site so I assume (they haven’t responded to my email follow up) that they didn’t receive the email links for downloading their product.

    • This reply was modified 4 years, 11 months ago by arcane. Reason: set notification
    Thread Starter arcane

    (@arcarcane2012)

    Will do. ??

    Thread Starter arcane

    (@arcarcane2012)

    Thank you. I’ve spent some time with that post already. I will spend some more time with the host. ??

    Thread Starter arcane

    (@arcarcane2012)

    OK, it’s definitely the hotlink protection. I opted to remove jpgs from the file types protected and just like that, all of the images for top posts and related posts reappeared.

    So, is there a way to keep the hotlink protection enabled and whitelist the CDN servers? Hotlink protection in cPanel only wants to use website addresses (the https://iX.wp.com additions don’t work), and it looks like Photon acts a little like a crawler? How do I make the 2 work together?

    Thread Starter arcane

    (@arcarcane2012)

    Alright, so I have 4 options here.

    1. In the webserver “visitor” logs, I see requests for those image files from the 192.0.[64-127].[1-254] range, so I’ve whitelisted this in Wordfence. Wordfence does not have a way to whitelist by user-agent. This is done but I don’t think it worked. I don’t see any requests being blocked or allowed via Wordfence’s Live Activity. I think that is key. I should be seeing the requests either allowed or denied and I’m not so I think it’s further up the chain.

    2. (Wordfence) Disable the “Block IPs who send POST requests with blank User-Agent and Referer” option that seems to be working for other plugin issues but this is undesirable because it will have a larger effect than just the photos being available to Photon.

    3. The webserver has hotlink protection enabled. I suspect this might be part of the issue? I don’t recall enabling it but maybe I did around the same time and thought it was the SSL? I had been troubleshooting someone else’s website that had had a data breach so I may have been trying to lock my own site down further. It looks like I can only whitelist this by URL so I’ve added https://i0.wp.com, https://i1.wp.com, https://i2.wp.com, https://i3.wp.com, https://i4.wp.com but I don’t think it’s going to work – enabled just before I posted this reply. Will update if it does.

    4. The last thing I can do is whitelist in .htaccess. I think this line of “code” would work? RewriteCond %{HTTP_USER_AGENT} !*Photon* [NC] This feels undesirable because a user-agent can be spoofed but I can do it for testing.

    Which would you think would work best here? Or did I miss an option?

    Thread Starter arcane

    (@arcarcane2012)

    Hi! I have made a number of changes to photos recently – mostly header/feature image replacements – but this problem existed a long time before that.

    In August/September, I upgraded the site to SSL and this is when the related posts / top posts broke. I gave it a day to catch up during which many photos were missing not just the top and related posts photos. So I turned off photon. That gave me the result of all photos except the top and related photos working. Fast forward to a week ago when I did a whole bunch of cleanup on the site and replaced photos that weren’t sized right for the theme. Then that left only the Top and related posts not working and that’s when I posted.

    Yes, that photo and 4 resized versions still exist and are dated 4/9/2015 when I ftp in to look. It’s the 5th photo on this page: https://archaicarcane.com/stuck-in-the-middle-frozen-slant-o-matics/ as well as the feature image.

    Thank you for helping.

    Thread Starter arcane

    (@arcarcane2012)

    Hi! I have done as requested with the top pages and posts widget as well as related posts. I had changed it back to this when it looked like the thread may not be answered. I will leave it as is for the interim for troubleshooting. Thank you!

    Thread Starter arcane

    (@arcarcane2012)

    Hi, yes this helps me understand what’s happening. I still need to know what the solution is?

    Do I enable photon for a period of time so these photos are archived or do I have to discontinue use of the related posts and Top posts features because it seems that the SSL is too slow on the site to work well with photon?

    ETA: The reason I disabled the image cdn is because it left all images unavailable on the site while the images were being saved to the CDN. This was not especially acceptable to me because I didn’t know how long that would be the case. How could a person estimate how long to expect this mirroring of images to take?

    • This reply was modified 7 years, 3 months ago by arcane.
    Thread Starter arcane

    (@arcarcane2012)

    I totally get that. I did documentation and QA for a software company years ago. It’s never the favorite job so I found that documentation is usually a little behind.

    The main reason for writing this post was to get some of that info out there for the developers and for anyone else crazy enough to make a move similar to what I did. ??

    If there’s anything else I can offer in the way of information to help this get easier for people, just let me know.

    Thread Starter arcane

    (@arcarcane2012)

    The misbehaving site is a low traffic site, so what you say makes sense. I didn’t realize that WP-Cron worked like that. I thought it would be more like cron on the server – as in “timed”. The other site sees a lot more traffic, so it’s faster to report issues to me.

    I’m almost at the point then where I may leave the rest of the outstanding delays until I really feel like it needs to be addressed. It doesn’t seem to be stopping WF and updates coming anymore and the rest of the delay is not something that others see – just me and hopefully I’ve resolved enough of the issues and sped it up enough that I won’t get distracted between pages anymore. ??

    Thread Starter arcane

    (@arcarcane2012)

    The response time is still slower than it should be but better than it was. I think it’s a perfect storm of things. The fact that disabling cURL and the setting in gai.conf made a difference tells me I found some of it. I’m still convinced that my site is still not communicating properly via SSL. I did find that the misbehaving site was “mis-configured” in ISPConfig as far as SSL – it had the default settings not the information relevant to the site. I changed that but no change to load times. In fact, it was the only thing I found that was different between the 2 sites.

    Interestingly (I noticed this last night when I logged in) if I log into the misbehaving site – a few minutes later WF will start to scan and then I’ll get the notification that there are updates to do, even if the first thing I did when I logged in was to check for updates only to be told that there weren’t any. I bet if I waited longer still that the WP update would have applied too.

    That seems to point to cron and probably the SSL problem…yes?

    I will remove WordFence and reinstall it shortly here. Thanks for the suggestion.

    Thread Starter arcane

    (@arcarcane2012)

    Just an update:

    I have a new rabbit hole to charge down. One of the 2 sites is updating or at least alerting me to updates and WF is running. The other isn’t. That seems to indicate that it’s a site configuration problem that’s left and not a system configuration. I think the precedence and the cURL settings made a difference but tomorrow morning, I’m going to compare all of the rest – ISPConfig settings and everything in WP and see where the difference is. I’ll report back on what I find.

    Thread Starter arcane

    (@arcarcane2012)

    Just an update:

    I have a new rabbit hole to charge down. One of the 2 sites is updating or at least alerting me to updates and WF is running. The other isn’t. That seems to indicate that it’s a site configuration problem that’s left and not a system configuration. I think the precedence and the cURL settings made a difference but tomorrow morning, I’m going to compare all of the rest – ISPConfig settings and everything in WP and see where the difference is. I’ll report back on what I find.

    Thread Starter arcane

    (@arcarcane2012)

    See? And this is exactly why I -do- ask here. ?? I hadn’t considered WP-Cron but I will investigate and let you know on that.

    I did disable all WP plugins including WF with no change to the behavior. Tinkering in that panel though sometimes spurs the ability to get a proper status for plugins and updates which I find extremely odd.

    With regard to the timeouts and IPv6, I followed a long rabbit hole from another thread – through some TRAC tickets – that lead me to changing the precedence of the 2 protocols. I did set precedence in /etc/gai.conf – to tell it that I want to use IPv4 first.

    uncommenting this:

    precedence ::ffff:0:0/96 100

    I’m reluctant to “break” support for IPv6 because I know my ISP quite well. They have a habit of not announcing big changes, they’ll just do it, their support desk won’t know why stuff just exploded, my server will “break” and then I’ll be back to trying to figure out what went wrong. ?? This way seems more sanity saving. Changing the precedence though seems to have helped the speed for sure. Load times for pages seem to be about a 1/3 what they were (ranging on average from about 8 – 12 seconds vs. 30 or more)

    I’m still waiting to see if WF will fire by itself today. I’m going to give it about another 24hrs, then troubleshoot WP-Cron if necessary.

    Thanks for the other place to check and the validation that I was headed in the right direction! I will report back once I see if WF scans by itself today or if I have to go further to troubleshoot. It’s hard when it’s only updates because I have to wait until I know there are some, then if they’re applied automatically while I’m troubleshooting, I don’t necessarily know what “fixed it” but having the WF issue that seems tied to it… at least I have somewhere to go with it in the meantime.

Viewing 15 replies - 1 through 15 (of 23 total)