@imc67 said in Wordpress apps: authLdap plugin Cross-Site Request Forgery:

There is a new version with one of two issues patched

And I note that the other issue "only impacts multi-site installations and installations where unfiltered_html has been disabled."

As per https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/authldap/authldap-258-authenticated-administrator-stored-cross-site-scripting

Also from that page, it sounds like it is only people who are already logged in Admins and above could take advantage of it:

makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

So if you trust your Admins it doesn't really seem to be an issue (in my case this is normally only me and I both trust myself and don't have the tech skills to take advantage of this potential exploit), hence why the author of the authLDAP plugin doesn't seem to bothered by it.

Are you seeing any errors in the browser console or app logs when that happens?

@plains-digital 😂 Good luck with that. Client asked me to help with their site. Built with Divi. Literally the worst builder mess I've ever seen.

@marcusquinn said in IndieWeb plugin(s) - interesting concept for WordPress -> MicroPub:

What is the IndieWeb?

The IndieWeb is a people-focused alternative to the "corporate web".

Your content is yours

Yeah, pretty much the idea behind adopting and deploying FOSS apps also.
And all indie folks in soul should also be member of this very interesting forum, namely Indie Hackers.

Just stumbled on this, thought people might find interesting.

👍
EDIT: Forgot to mention, that plugin is a great find @marcusquinn

@girish said in Set php.ini memory allocation to match Cloudron memory allocated:

@micmc If it helps: setting memory limit for an app (at the Cloudron level) is like creating a virtual server with that much memory. So, if you allocate 2GB, it's like creating a 2GB server. Inside this 2GB server, there is apache running.

Wow, that's amazing!
And, with the rest of the explanation, it makes it more clear of how this works and how we can better know what we are doing while trying to cope with apps' memory.

I am using this one too - very happy with it 🙂

Allright, thanks !!

@girish From 150 to 256, from 256 to 512, now 1024 Mb... Now I deactivated Wordpress Redis Plugin and stopped service under App > Services.

Yeah, deep in the rabbit hold on research on this. There's nothing that distracts me more than something that has a score attached to it 😂 (not competitive all all 🙂 )

Trying to get a clean sheet of green on this:

https://inspectwp.com

Given WordPress is perhaps the most popular self-hosted app of all, be great to have the Cloudron setup as perfect as possible, particularly for WordPress. So many more expensive options out there charging per site. Lots of wins possible from being able to proclaim the best WP setup possible 🙂

@girish Thank's Girish

On an unrelated note, there's an option in WP dash > Updates to have it auto-install new releases. I noticed some of my sites have that enabled and some don't. It's not a problem, but I mention it because maybe that should be disabled/hidden somehow since this should be handled by the packaging updates.

image.png

Edit: just noticed your latest reply, so I guess WP was auto-updating most of my sites and I thought the packaging was doing that.

Yet, it's very simple to install so I can't see why you went through all the hops.
Just install the plugin, then put in the SMTP credentials found in credentials.txt in the app root in "Other SMTP", done. Host is Mail, port 2525 no SSL nor TLS.

@girish said in ECONNREFUSED:

@MarchinBunny there was a malware in WordPress. Something like https://stackoverflow.com/questions/76268370/wordpress-error-because-mo-files-inside-wp-include .

Exactly, what I expected right from the start of the thread.

But there are lots of plugins in your site, it could be anything.

And, yes some malware could be running in the background for years before one find out.

@RazielKanos said in Malware in my Wordpress:

Once a system was infected it is best to set up everything new

And above all, DO NOT install themes and/or plugins which provenance is doubtful.
In WordPress this is 99% the source of 'malware' problems.

@therealwebmaster See https://docs.cloudron.io/apps/wordpress-developer/#php-settings

@RazielKanos 👍 or rename to say .htaccess-backup, then compare new to old.

@marcusquinn I use these commands, via Terminal MySQL Access:

//display active users select user_login, user_nicename, display_name from wp_users; //change user_nicename UPDATE wp_users SET user_nicename = 'myusername' WHERE user_nicename = 'admin'; //change user_login UPDATE wp_users SET user_login = 'myusername' WHERE user_login = 'admin'; //change display_name UPDATE wp_users SET display_name = 'myusername' WHERE display_name = 'admin'; //change user email UPDATE `wp_users` SET `user_email` = "myemail@email.com" WHERE `wp_users`.`user_login` = "myusername"; //change admin password UPDATE WORDPRESSDATABASE.wp_users SET user_pass = MD5('NEWPASSWORD') WHERE user_login = 'myusername';

@girish Thanks, that makes some memory-saving sense, too. My specific issue was just at having the addon enabled, but the plugin disabled, as it makes sense to have it on a live site that isn't being developed, but not during development.

@BrutalBirdie You're right, directory browsing is blocked at the server level. I just spotted these missing files and thought a simple no-harm way to cover the same for all instances.