johnpeat

I had to move my Elementor-based site to another host – however I’ve done some research and it does seem that

a – quite a few shared hosts disable file_put_contents() for security reasons
b – it’s used within the WordPress core files!!

My hosting company’s assertion that I simply needed to “fix the code” isn’t really valid given it’s use in the WordPress core – and I’ve no idea what alternatives to it exist anyway

Certainly – anyone “losing” CSS/style from their site should check their error_log to see if this is the cause (this obviously means you cannot use Tools > ReCreate CSS either)

p.s. the site will look fine in the editor (as the CSS is available locally) but when you browse your site outside the editor, it will look rather wonky…

Let’s assume I have a cookie which must be set – but it’s value will be different depending on whether the user ‘accepted’ or not.

For users who don’t “Accept” it needs to be set to one value
If a user has “Accepted” it needs a different value.

Right now I have set that cookie in the HEAD of the page
I can then set it through the plugin for users who ‘Accept’

What I can’t control is whether my setting of the cookie happens before or after the plugin code runs as they’re both in HEAD???

This is why I suggested having a section for running scripts if a user DOESN’T accept – that way, this plugin can solve that issue

I’ve read-up a fair bit on this as well as looking at what other sites/plugins/tools are doing and I’d say you CAN have a Reject Button and you ARE allowed to set a cookie to ‘remember’ that choice so long as you make it clear you’re doing that (and why – e.g. to stop bugging them to Accept)

The ‘user has rejected cookies’ cookie would be an ‘essential’ cookie – one required for the site to function – it’s not ‘tracking’ them and only stores their desire to NOT track them (a core concept in the GDPR!)

A Reject option is a better solution than permanently offering an Accept button – that seems like annoying people in the hope they’ll Accept just to get rid of the box…

End of the day we need practical solutions – a permanent question, massive Privacy Policy and/or lists of 100s of partner/cookies isn’t helpful to anyone, however ‘compliant’ it might be.

By way of an update – it seems most of the really players are now offering comprehensive cookie managers – I’ve enjoying staring at them thinking “Wow, this must have taken MONTHS of work to do!!”

Most are still breaking the rules with pre-ticked boxes and most have an “Accept all and continue” button which is a bit contentious as they don’t tell you what you’re accepting in enough detail but there’s a LOT of material to work with already!!

I’ve been playing with some of the big site cookie managers and their approach to this is usually to request that the user reload the page – which will do that by simply not including the scripts on that load??

You sound like you know-it-all when the reality is that no-one really knows what’s right and wrong here – smart people are asking questions but you’re just yelling and not listening.

You’re absolutely wrong with your earlier assertion about GA – the moment you include GA, cookies from Google ‘track’ people as they move to other websites (and return to yours) – this is absolutely what the GDPR requires you ask before doing – there’s no version of GA which doesn’t do this.

The big players are already offering horrific “Cookie Opt-In” pages with 100s of checkboxes for all their “partners” – they also have privacy policies which run to dozens of interlinked pages – and most of those are still nowhere near ‘compliant’ so what hope the guy who does nothing?

Sure, we can all wing it and see who gets sued for what first – that’s what most people are doing at this point – but as I said earlier, the smart people are discussing this – not shouting everyone else down with zero evidence to support their view…

Base anonymized analytics – “who from where when and what they looked at” is, to my mind, absolutely fine to collect/not personal and not tracking a “person”.

Problems begin when you leave non-temp. cookies so that you can track the same browser later or where cookies from third-parties are used to track people across sites. That is where the GDPR wants you to declare them/allow people to opt-out of them IMO

On that basis, if you use GA I think you need a cookie warning (and you shouldn’t enable GA without that being accepted) but it does seem a lot of people have decided they don’t need to bother with that?

I think the days of unfettered access to analytics are coming to an end – I’m not actually sure that’s entirely a bad thing (some webmasters worry FAR too much about GA) but the effort involved may quickly overcome the benefits at this rate?

• This reply was modified 6 years, 9 months ago by johnpeat.

It’s interesting to take a look at how some of the big players are handling this – if only because what they’ve created is mostly a hot mess!!

Yahoo ran me through an enormous “you must agree to this” speil today before I could login – I particularly noticed this snippet

“You must allow cookies from Yahoo in order to opt out. To make your opt-out apply to every computer you use you must be signed in to your Yahoo account.”

Despite all their noise – I didn’t actually have to click ‘Agree’ or ‘Accept’ to any specific thing which is wrong in my reading of the GDPR

Other monstrosities include CBS’s “Manage Cookies” section – see here for an example

https://www.techrepublic.com/blog/microsoft-office/accommodate-different-headers-and-footers-in-a-word-document/

That’s a scary-long-list of pre-ticked (not allowed!!) options they have (Yahoo/Oath’s was longer but I can’t link to it) – many with no opt-out option (tho a link to a Privacy Policy is offered)

The only solid solution to someone not opting-in is blocking them from your site until they do – I can’t see that one working-out well for anyone tho so we need compromise.

That plugin I mentioned allows you to link scripts to opt-in options – so you can literally not include GA (or any other tracking code) if someone chooses to not have it. I like that idea and I’m using it for now – but it may not be feasible for everyone (some sites just stop working without this stuff??)

p.s. there is one case where you could avoid asking users to consent and that is if they are blocking cookies (Do Not Track or similar)

I have no idea if this is technically possible but it is, of course, technically not allowed to check this which is even more frustrating

Just once it would be nice if someone making laws knew the slightest bit about the thing they’re making laws about

I feel that Bart is overreaching with some of his assertions…

The fact that Cookies are stored on a person’s PC (and not by the website – something the EU still doesn’t really understand despite passing 2 laws controlling them) means that ANY cookie is technically ‘personal and identifying’

That does mean that the fact the GDPR REQUIRES consent is frustrating – because all we can do is keep asking people to consent – we can’t store the fact they haven’t consented (as that’s personal and identifying!)

This is why none of the Cookie Plugins offer a Reject Button I guess?

I reckon this ‘Always ask the user to consent” approach – with added levels of explanation/detail (as per this plugin) is the best way forward

OR – you can be like Bart and maybe be one of the first to legally test this in court – someone has to do that – it’s your choice!

p.s. I do agree that we should stop talking about Cookies – partly because there are other tools we need to cover but mostly because it’s a silly word which annoys me intensely ;0

• This reply was modified 6 years, 9 months ago by johnpeat.

I’ve looked further into this and our first recovery seems to have failed due to a disk-space issue – not sure why, there’s no lack of space so I decided to just retry it.

The 2nd attempt failed with what I guessed was PHP version difference/issue (yes, we got that warning) so I fixed that and…

The 3rd attempt completed without error!

I editted the database to correct the site URL and it seems to be fine – which is awesome!

The message you get when recovering to a different URL is worrying tho

“This backup set is from a different site – this is not a restoration, but a migration. You need the Migrator add-on in order to make this work.

You can search and replace your database (for migrating a website to a new location/URL) with the Migrator add-on – follow this link for more information”

I get that it’s technically “migration” when the site URL changes but there are MANY cases where the domain and physical location of a site may differ (esp during system recovery)

I’d still expect restoration to work, abeit that I need to do some work to make the site available. – maybe it should say something like

“You are changing URL – for the site to work you will need to correct the site URL in the database manually OR you can use our amazing Migration Plugin which will do that for you as well as search/replace links and references and lots, lots more – click here for details”

That’s my 10p – thanks for working tho!!

The No 1 issue I’ve had with WP sites is them being compromised to use as ‘junkmail gateways’ – so when I see anything asking for an email address, alarm bells ring.

You don’t make it clear WHY you’re asking – you also don’t ask for any credentials to send notifications (no-one in their right mind would allow ‘open’ sendmail on a WP install??)

The “repeatedly asking for the email” bug is so widespread I can’t be bothered to troubleshoot it – out of 20 sites I looked at yesterday, 18 of them exhibited it but 2 were fine and they’re on the same server/platform/versions so it’s clearly not as simple as the version of something (the sites all work OK/new posts/pages work so the DB is fine)

One site even stated it had failed to acquire a WordFence API key, which is really odd because I’m sure it’s had one for months!! Even after a reinstall, that error persisted so I just uninstalled WordFence at that point.

Plugins which make work for me won’t stay enabled for long – I cannot keep on-top of 50+ sites running flaky/moody code, not enough hours in the day – I install ‘security’ plugins to deal with security, not open potential holes or annoy the end-users.

The problems with a security plugin soliciting personal information are so obvious I shouldn’t really need to highlight them to anyone!?

The last few releases of Wordfence have all had issues with this – I’ve lost count of the emails I’ve had from users who were repeatedly being asked for email (even tho they’d already entered it) – this seems to relate to issues with the “Show Tour” popup recurring (REALLY annoying) – sometimes uninstall-reinstall fixes it – sometimes an upgrade breaks it again – I’ve wasted too much time with this now.

At first I had assumed “operator error” but I’ve since created lean WP (4.9.4) installs where I’ve installed WordFence and seem this for myself. I install/setup WordFence, enter a random email (declining the mailing list) – logout – login – and it’s asking me for email again – showing me the Tour again – hard to trust software which clearly isn’t working.

Whoever had this “collect emails” idea isn’t smart anyway – unless you DESPERATELY need email notifications/forms etc., disabling email is the No1 security tip for WordPress surely??

Ah – that’s cool, at least it’s doable – thanks for the quick response (and sorry for the slow reply!)

We made no modifications to the free or pro theme at all – we simply built a site with OneTone and then bought and installed OneTone Pro

As Pro is a new theme we had to redo a lot of Customizer settings – we asked if there was a way to export/import those (and got no reply) – we asked for tips on moving from ‘free’ to ‘Pro’ (and got no reply) and we emailled asking what we were paying for (and got no reply)

So – as my original review says, the themes are fine (tho be aware you need to redo customizer settings when you upgrade to Pro) but the support is non-existant.