Changes to WordPress apps

marcusquinn

@micmc Cloudron on Hetzner (Germany). The speed is the same on any spec as it can only use one CPU at a time anyway. Hardware won't fix unoptimised software. Much of the optimisation is selective plugin unloading per page, so that only the plugins actually used on any page are loaded. The shop is Elasticsearch, again on a pretty small VM.

Lonk

@micmc said in Changes to WordPress apps:

Yep, that is why I discussed about the above plugins and mentioned it was working prertty well at the time, Now that they are retired and GPL as well one can update and use them. And maybe just study them and see how ut was done so one can find the solution to adapt it to WP multisite on CLOUDRON.

The three caveats I mentioned.

• URL / Location changing without crashing the site. It’s a fix that needs to be done on Cloudron’s side but I think I can patch it to make this work pretty easily.
• WP-Cron could be made as a primary or network activated plug-in to trigger all of the other sub-site Crons. So that’s possible. But more ideal would be to edit Cloudron’s custom CRON to support sub-sites which should be pretty easy and I’m sure the devs would let me.
• Sub-sites have to be subdirectories, no TLDs or subdomains. This also can only be fixed by adding domain aliases in box and dashboard (the two parts that make up Cloudron). This would be the hardest to add for me though @girish heavily implied he wants to add them himself (he didn’t promise anything tho)

MooCloud_Matt

@girish said in Changes to WordPress apps:

Make WordPress plugins should just work

I believe it is okay to have a greylist of unsupported plugins anyway, all providers that use docker or other forms of LVM have it, because there are plugins that cannot work on some platforms by their nature, due to lack of a PHP library or for security and stability reasons.

For example you can't use a server with LS, OLS or Nginx and WP-Rocket Cache, they go into conflict.
this for example is the list provided by Kinsta (some plugins are there because they use too many performances others because they are incompatible).

all-in-one-wp-migration
allow-php-execute
backupbuddy
backwpup
better-wordpress-minify
cache-enabler
codistoconnect
dynamic-widgets
eww-image-optimizer
exec-php
inactive-user-deleter
jch-optimize
litespeed-cache
login-wall
p3
p3-profiler
pagefrog
rvg-optimize-database
snapshot
updraft
updraftplus
wonderm00ns-simple-facebook-open-graph-tags
wordpress-gzip-compression
wordpress-popular-posts
wordpress-rss-multi-importer
wp-db-backup
wp-db-backup-made
wp-optimize

girish

@MooCloud_Matt Thanks, this is a good list to keep in mind for support.

jdaviescoates

And here's WPengines list of disallowed plugins too just fyi

https://wpengine.com/support/disallowed-plugins/

mdreira

I want to trust in Cloudron developers and therefore I am going to use Wordpress Managed for our clients.

Having said that, I would like to ask about @girish wrote at this point: "Make many of the security plugins which do all sorts of crazy things like adjust the admin URL, modify files etc work. While we personally don't" vouch "for such security practices, we can't deny that WP is still the most installed app in our platform and most people install these plugins. In the spirit of picking our battles, we grant this one to the existing WP ecosystem ".

As I see in that text the words "crazy things", "personally don´t vouch for such security practices" or "picking our battles" I understand that Cloudron developers do not like this type of plugins very much. So I would like to ask:

1-Is a security plugin necessary in wordpress managed?
2-If the answer is yes, what would be the plugin that Cloudron would recommend and that works well in WP Managed ?. I know that wordfence may be the best, but this plugin requires a waf file in the WP root, so it may be discarded (I don't know).
3-If there is a recommended plugin, are there any configuration tips for cloudron? What security features should we activate and which ones are not necessary?

Thanks

On the other hand, I see that there is talk of cache plugins. I usually use "Fastest cache". At the moment it has not given me problems in Cloudron.

jdaviescoates

@mdreira said in Changes to WordPress apps:

I want to trust in Cloudron developers and therefore I am going to use Wordpress Managed for our clients.

Everyone has different needs, and whilst I also trust the Cloudron developers I still don't really see the point of WordPress Managed.

IMHO there are just so many instances where a client will want or need a plugin that isn't compatible with managed that it makes it pointless (also, even aside from clients, I like to always install WordFence because it makes my life so much easier, and that doesn't work with Managed as you've noted).

mdreira

@jdaviescoates Yes, I understand you perfectly. I am not questioning whether WP managed-developer is better or worse.

I'm just asking about the topic of a security plugin with WP Managed.

I just want some advice from the Cloudron developers, because I don't have enough knowledge to discern this.

girish

I should probably not have been negative about the WP Developer app In the past, the app was called "WP Unmanaged app" and some of the wording is from the times when we tried to discourage people from using it.

From a security perspective, the managed WP app is better because the WP core code is readonly. This means plugins you install or some bug in some PHP code cannot tamper with the core code base. The downside is that some plugins don't work with a readonly WP. If you already know the plugins you will ever need in advance, I would go with managed WP app and only use the Developer app if something doesn't work.

mdreira

@girish I understand.

So..

1-Is a security plugin necessary in wordpress managed?
2-If the answer is yes, what would be the plugin that Cloudron would recommend and that works well in WP Managed?
3-If there is a recommended plugin, are there any configuration tips for cloudron? What security features should we activate and which ones are not necessary?

Thank you!

d19dotca

@mdreira said in Changes to WordPress apps:

1-Is a security plugin necessary in wordpress managed?

I use the Developer package for WordPress so can't speak for the Managed version too much, but my general advice would be the following:

• Generally speaking, it'd best to only install plugins when you know you have a need that isn't already addressed in the system. Thus, knowing your exact needs would come before choosing any particular plugin. My rule of thumb personally is not to install a plugin unless I understand why I need it and what I want to achieve with it.

• Security is a huge umbrella with probably hundreds of different sub-categories / uses. So for example, it'd be good to know if you are wanting to be notified of any irregular file changes, block specific functionality in WordPress, lockdown user accounts with custom permissions, change the login page URL, rate limit logins, or a mix of those or a whole bunch of other ones.

• It's good to copy an existing WordPress site (or a default one) to test new plugins on to see if they will interfere with your current setup, avoiding testing in any live production website.

Aside from the above, I'd honestly recommend just using the Developer package of WordPress. I know that goes against Girish's recommendation but there are at least several of us "power users" in Cloudron that feel there's no real upside to the Managed package other than a little bit more security by default. Eventually, whether it's sooner or later, you'll likely have the need to use a particular plugin that will need to modify files or access certain files, in which case you'll then have to do a bunch of work to migrate from the Managed package to the Developer package, so IMO you may as well just start on the Developer package to begin with unless you have very basic needs for WordPress and don't plan on growing it at all. And you won't want to be caught in a project that's time-sensitive to then find out you need to now also migrate an entire website to a new app instance type. I learned that lesson the hard way myself.

By the way, every app has its own category in the forum. You may be better served to create a separate and dedicated post in the WordPress (managed or developer) categories. This thread in particular is pretty old and is generally on a different topic than "security plugins" for WordPress.