Changes to WordPress apps
-
@marcusquinn said in Changes to WordPress apps:
We've just switch https://healthshop.net to run on Cloudron. 6,000 products, multilingual, multi-everything — and I know we still have a bunch more optimisations to go.
I'm impressed at how fast that loads, the front page, and how fast we can start seeing those products' thumnails coming in. swift...
That's great opti man
Mind to share the box config this site's running on? Where physically in the world is the box located?If ever anyone says WP & Woo can't scale, send them my way
Yeah, that I know for a long time
Honestly, must have tried every other WP hosting on the planet by now - and none of them are truly optimised or even transparent about what they consider optimisation beyond their caching plugin masquerades.
So much so...
Thanks bro.
Andy@micmc Cloudron on Hetzner (Germany). The speed is the same on any spec as it can only use one CPU at a time anyway. Hardware won't fix unoptimised software. Much of the optimisation is selective plugin unloading per page, so that only the plugins actually used on any page are loaded. The shop is Elasticsearch, again on a pretty small VM.
-
@Lonk said in Changes to WordPress apps:
There's only 3 caveats on Cloudron right now as it stands:
Yep, that is why I discussed about the above plugins and mentioned it was working prertty well at the time, Now that they are retired and GPL as well one can update and use them. And maybe just study them and see how ut was done so one can find the solution to adapt it to WP multisite on CLOUDRON.
Andy
@micmc said in Changes to WordPress apps:
Yep, that is why I discussed about the above plugins and mentioned it was working prertty well at the time, Now that they are retired and GPL as well one can update and use them. And maybe just study them and see how ut was done so one can find the solution to adapt it to WP multisite on CLOUDRON.
The three caveats I mentioned.
• URL / Location changing without crashing the site. It’s a fix that needs to be done on Cloudron’s side but I think I can patch it to make this work pretty easily.
• WP-Cron could be made as a primary or network activated plug-in to trigger all of the other sub-site Crons. So that’s possible. But more ideal would be to edit Cloudron’s custom CRON to support sub-sites which should be pretty easy and I’m sure the devs would let me.
• Sub-sites have to be subdirectories, no TLDs or subdomains. This also can only be fixed by addingdomain aliasesinboxanddashboard(the two parts that make up Cloudron). This would be the hardest to add for me though @girish heavily implied he wants to add them himself (he didn’t promise anything tho) -
There was some good discussion (thanks @jdaviescoates !) about how to best handle the two WordPress packages. We are making some changes thanks to the suggestions there.
Our primary motivation here is to just make Cloudron more WordPress friendly and also make it easier for a user to choose the correct app package. I think we can all also agree the following are needed:
- Make WordPress plugins should just work
- Make migrations/imports from existing sites just work. Sadly, many of the migration plugins bring in source code and not just data.
- Make many of the security plugins which do all sorts of crazy things like adjust the admin URL, modify files etc work. While we personally don't "vouch" for such security practices, we can't deny that WP is still the most installed app in our platform and most people install these plugins. In the spirit of picking our battles, we concede this one to the existing WP ecosystem
- Clarify expectations up front when installing the WP app.
With the above in mind: It's clear that it can only be supported in Unmanaged WordPress realistically. But "Unmanaged" as a word has a bad connotation. So, we will rename WordPress (Unmanaged) to WordPress (Developer) (thanks to @Lonk for the suggestion). We can keep the current WordPress (Managed) with the same name since it indicates it's like a managed service with subset of working plugins. This is similar to any other managed hosting WP service where they have lots of restrictions.
Currently, we don't want to remove WordPress (Managed) as such. It still has strong security benefits.
Feature Parity
We will make both the apps be the same feature wise. The only main difference will be whether you can edit core WP updates and how you do WP updates (you can read more text in the DESCRIPTION below). So, we will have the following in both:
- LDAP
- Optional redis, we will make this part of Cloudron 6.0
- SFTP access. For security reasons, this will come with a checkbox that has to be enabled for non-admins to use SFTP in LDAP mode.
- WP CLI
- Plugin auto-update feature work (which is part of WordPress).
DESCRIPTION changes
We will change the description file for both apps. This is the text that pops up when you install an app (not the postinstall, but in the appstore view).
WordPress (Managed) - See https://git.cloudron.io/cloudron/wordpress-managed-app/-/blob/master/DESCRIPTION.md
WordPress (Developer) - See https://git.cloudron.io/cloudron/wordpress-developer-app/-/blob/master/DESCRIPTION.md
@girish said in Changes to WordPress apps:
Make WordPress plugins should just work
I believe it is okay to have a greylist of unsupported plugins anyway, all providers that use docker or other forms of LVM have it, because there are plugins that cannot work on some platforms by their nature, due to lack of a PHP library or for security and stability reasons.
For example you can't use a server with LS, OLS or Nginx and WP-Rocket Cache, they go into conflict.
this for example is the list provided by Kinsta (some plugins are there because they use too many performances others because they are incompatible).all-in-one-wp-migration allow-php-execute backupbuddy backwpup better-wordpress-minify cache-enabler codistoconnect dynamic-widgets eww-image-optimizer exec-php inactive-user-deleter jch-optimize litespeed-cache login-wall p3 p3-profiler pagefrog rvg-optimize-database snapshot updraft updraftplus wonderm00ns-simple-facebook-open-graph-tags wordpress-gzip-compression wordpress-popular-posts wordpress-rss-multi-importer wp-db-backup wp-db-backup-made wp-optimizeMatteo. R.
Founder and Tech-Support Manager.
MooCloud MSP
Swiss Managed Service Provider -
@girish said in Changes to WordPress apps:
Make WordPress plugins should just work
I believe it is okay to have a greylist of unsupported plugins anyway, all providers that use docker or other forms of LVM have it, because there are plugins that cannot work on some platforms by their nature, due to lack of a PHP library or for security and stability reasons.
For example you can't use a server with LS, OLS or Nginx and WP-Rocket Cache, they go into conflict.
this for example is the list provided by Kinsta (some plugins are there because they use too many performances others because they are incompatible).all-in-one-wp-migration allow-php-execute backupbuddy backwpup better-wordpress-minify cache-enabler codistoconnect dynamic-widgets eww-image-optimizer exec-php inactive-user-deleter jch-optimize litespeed-cache login-wall p3 p3-profiler pagefrog rvg-optimize-database snapshot updraft updraftplus wonderm00ns-simple-facebook-open-graph-tags wordpress-gzip-compression wordpress-popular-posts wordpress-rss-multi-importer wp-db-backup wp-db-backup-made wp-optimize -
And here's WPengines list of disallowed plugins too just fyi
-
I want to trust in Cloudron developers and therefore I am going to use Wordpress Managed for our clients.
Having said that, I would like to ask about @girish wrote at this point: "Make many of the security plugins which do all sorts of crazy things like adjust the admin URL, modify files etc work. While we personally don't" vouch "for such security practices, we can't deny that WP is still the most installed app in our platform and most people install these plugins. In the spirit of picking our battles, we grant this one to the existing WP ecosystem
".As I see in that text the words "crazy things", "personally don´t vouch for such security practices" or "picking our battles" I understand that Cloudron developers do not like this type of plugins very much. So I would like to ask:
1-Is a security plugin necessary in wordpress managed?
2-If the answer is yes, what would be the plugin that Cloudron would recommend and that works well in WP Managed ?. I know that wordfence may be the best, but this plugin requires a waf file in the WP root, so it may be discarded (I don't know).
3-If there is a recommended plugin, are there any configuration tips for cloudron? What security features should we activate and which ones are not necessary?Thanks
On the other hand, I see that there is talk of cache plugins. I usually use "Fastest cache". At the moment it has not given me problems in Cloudron.
-
I want to trust in Cloudron developers and therefore I am going to use Wordpress Managed for our clients.
Having said that, I would like to ask about @girish wrote at this point: "Make many of the security plugins which do all sorts of crazy things like adjust the admin URL, modify files etc work. While we personally don't" vouch "for such security practices, we can't deny that WP is still the most installed app in our platform and most people install these plugins. In the spirit of picking our battles, we grant this one to the existing WP ecosystem
".As I see in that text the words "crazy things", "personally don´t vouch for such security practices" or "picking our battles" I understand that Cloudron developers do not like this type of plugins very much. So I would like to ask:
1-Is a security plugin necessary in wordpress managed?
2-If the answer is yes, what would be the plugin that Cloudron would recommend and that works well in WP Managed ?. I know that wordfence may be the best, but this plugin requires a waf file in the WP root, so it may be discarded (I don't know).
3-If there is a recommended plugin, are there any configuration tips for cloudron? What security features should we activate and which ones are not necessary?Thanks
On the other hand, I see that there is talk of cache plugins. I usually use "Fastest cache". At the moment it has not given me problems in Cloudron.
@mdreira said in Changes to WordPress apps:
I want to trust in Cloudron developers and therefore I am going to use Wordpress Managed for our clients.
Everyone has different needs, and whilst I also trust the Cloudron developers I still don't really see the point of WordPress Managed.
IMHO there are just so many instances where a client will want or need a plugin that isn't compatible with managed that it makes it pointless (also, even aside from clients, I like to always install WordFence because it makes my life so much easier, and that doesn't work with Managed as you've noted).
-
@mdreira said in Changes to WordPress apps:
I want to trust in Cloudron developers and therefore I am going to use Wordpress Managed for our clients.
Everyone has different needs, and whilst I also trust the Cloudron developers I still don't really see the point of WordPress Managed.
IMHO there are just so many instances where a client will want or need a plugin that isn't compatible with managed that it makes it pointless (also, even aside from clients, I like to always install WordFence because it makes my life so much easier, and that doesn't work with Managed as you've noted).
@jdaviescoates Yes, I understand you perfectly. I am not questioning whether WP managed-developer is better or worse.
I'm just asking about the topic of a security plugin with WP Managed.
I just want some advice from the Cloudron developers, because I don't have enough knowledge to discern this.
-
I should probably not have been negative about the WP Developer app
In the past, the app was called "WP Unmanaged app" and some of the wording is from the times when we tried to discourage people from using it.From a security perspective, the managed WP app is better because the WP core code is readonly. This means plugins you install or some bug in some PHP code cannot tamper with the core code base. The downside is that some plugins don't work with a readonly WP. If you already know the plugins you will ever need in advance, I would go with managed WP app and only use the Developer app if something doesn't work.
-
I should probably not have been negative about the WP Developer app
In the past, the app was called "WP Unmanaged app" and some of the wording is from the times when we tried to discourage people from using it.From a security perspective, the managed WP app is better because the WP core code is readonly. This means plugins you install or some bug in some PHP code cannot tamper with the core code base. The downside is that some plugins don't work with a readonly WP. If you already know the plugins you will ever need in advance, I would go with managed WP app and only use the Developer app if something doesn't work.
@girish I understand.
So..
1-Is a security plugin necessary in wordpress managed?
2-If the answer is yes, what would be the plugin that Cloudron would recommend and that works well in WP Managed?
3-If there is a recommended plugin, are there any configuration tips for cloudron? What security features should we activate and which ones are not necessary?Thank you!
-
@girish I understand.
So..
1-Is a security plugin necessary in wordpress managed?
2-If the answer is yes, what would be the plugin that Cloudron would recommend and that works well in WP Managed?
3-If there is a recommended plugin, are there any configuration tips for cloudron? What security features should we activate and which ones are not necessary?Thank you!
@mdreira said in Changes to WordPress apps:
1-Is a security plugin necessary in wordpress managed?
I use the Developer package for WordPress so can't speak for the Managed version too much, but my general advice would be the following:
-
Generally speaking, it'd best to only install plugins when you know you have a need that isn't already addressed in the system. Thus, knowing your exact needs would come before choosing any particular plugin. My rule of thumb personally is not to install a plugin unless I understand why I need it and what I want to achieve with it.
-
Security is a huge umbrella with probably hundreds of different sub-categories / uses. So for example, it'd be good to know if you are wanting to be notified of any irregular file changes, block specific functionality in WordPress, lockdown user accounts with custom permissions, change the login page URL, rate limit logins, or a mix of those or a whole bunch of other ones.
-
It's good to copy an existing WordPress site (or a default one) to test new plugins on to see if they will interfere with your current setup, avoiding testing in any live production website.
Aside from the above, I'd honestly recommend just using the Developer package of WordPress. I know that goes against Girish's recommendation
but there are at least several of us "power users" in Cloudron that feel there's no real upside to the Managed package other than a little bit more security by default. Eventually, whether it's sooner or later, you'll likely have the need to use a particular plugin that will need to modify files or access certain files, in which case you'll then have to do a bunch of work to migrate from the Managed package to the Developer package, so IMO you may as well just start on the Developer package to begin with unless you have very basic needs for WordPress and don't plan on growing it at all. And you won't want to be caught in a project that's time-sensitive to then find out you need to now also migrate an entire website to a new app instance type. I learned that lesson the hard way myself. By the way, every app has its own category in the forum. You may be better served to create a separate and dedicated post in the WordPress (managed or developer) categories. This thread in particular is pretty old and is generally on a different topic than "security plugins" for WordPress.
-
