Additional information: There is no API_Secret in the ENV file in the standard app package. Depending on your thousands of clients, it takes some time to migrate. For me, it was done in less than 5 minutes.
The only moment of confusion was: when installing IN v. 5, you have to fill in the name of the company in a modal frame. After the migration it took me a few seconds to realise that there is a multi-company option in IN v. 5 and I had to switch to the "other" (migrated) company (which has the same company name).
1- Is a security plugin necessary in WordPress Managed?
I use the Developer package for WordPress so can't speak for the Managed version too much, but my general advice would be the following:
Generally speaking, it'd be best to only install plugins when you know you have a need that isn't already addressed in the system. Thus, knowing your exact needs would come before choosing any particular plugin. My rule of thumb personally is not to install a plugin unless I understand why I need it and what I want to achieve with it.
Security is a huge umbrella with probably hundreds of different sub-categories / uses. So for example, it'd be good to know if you are wanting to be notified of any irregular file changes, block specific functionality in WordPress, lock down user accounts with custom permissions, change the login page URL, rate limit logins, or a mix of those or a whole bunch of other ones.
It's good to copy an existing WordPress site (or a default one) to test new plugins on to see if they will interfere with your current setup, avoiding testing in any live production website.
Aside from the above, I'd honestly recommend just using the Developer package of WordPress. I know that goes against Girish's recommendation 👼 but there are at least several of us "power users" in Cloudron that feel there's no real upside to the Managed package other than a little bit more security by default. Eventually, whether it's sooner or later, you'll likely have the need to use a particular plugin that will need to modify files or access certain files, in which case you'll then have to do a bunch of work to migrate from the Managed package to the Developer package, so IMO you may as well just start on the Developer package to begin with unless you have very basic needs for WordPress and don't plan on growing it at all. And you won't want to be caught in a project that's time-sensitive to then find out you need to now also migrate an entire website to a new app instance type. I learned that lesson the hard way myself. 😉
By the way, every app has its own category in the forum. You may be better served to create a separate and dedicated post in the WordPress (managed or developer) categories. This thread in particular is pretty old and is generally on a different topic than "security plugins" for WordPress.
@mehdi yes we now decided to simply not have anonymous contributions there, but for anyone interested, just send us a mail with the intended username and language to contribute to. I've also updated the docs accordingly.
I never got around to setting up pi-hole, but now that this is available, I have been testing this for a week or so now as my primary DNS for my work machine. It's incredible how ~25% of my internet access is... junk 😕
I will switch over my full home network to use this over the weekend!
@rmdes it does look nice in many ways, but I like how I can easily have a custom homepage on YOURLS and it also does the job I need it to do. E.g. I've got it installed at ud.coop but have a custom homepage there. I set up appname.ud.coop redirects for most apps I've got (because it means I don't have to type uniteddiversity.coop on my mobile all the time) but also occasionally actually use it to make short URLs like ud.coop/ukmediacoops 🙂
I wonder if there is a simple way to customise the homepage for Kutt too...