Editing AVIF Images in WordPress Media Library Produces 0 KB File

Hi all,

I've run into what appears to be a bug in the WordPress app where editing AVIF images results in a 0 KB file being written — essentially a blank/corrupt output. Uploading AVIF files works fine, and cropping WebP images works as expected, but any edit operation on an AVIF file fails silently with no error shown to the user other than the display showing a missing image.

Steps to Reproduce

1. In WordPress, go to Media Library and upload an AVIF image
2. Open the image and click "Edit Image"
3. Perform any crop operation and save
4. The resulting file is 0 KB and fails to load — the new image is effectively corrupt

This also affects setting a site favicon when the source file is AVIF (since it usually requires an image crop).

Environment

• Cloudron-managed WordPress
• Active image editor: WP_Image_Editor_Imagick
• ImageMagick version: 6.9.12-98 (Q16, x86_64)
• Imagick PHP extension: 3.7.0
• ImageMagick supported formats: (list too long, see screenshot at bottom of post)
• GD version: 2.3.3 (no AVIF support compiled in)
• GD supported formats: GIF, JPEG, PNG, WebP, BMP, XPM (no AVIF)

Screenshot included at bottom of post for whole Media Handling section of WordPress Site Health.

Suspected Cause

While ImageMagick 6.9 lists AVIF in its supported formats, reliable AVIF encode/write support appears to have been incomplete in the IM6 branch — the failure seems to occur at the re-encode step after editing. GD 2.3.3 is present but was compiled without libavif/libaom support, so there's no fallback path available either.

It's worth noting that IM6 is in maintenance mode — the version currently in the WordPress app (6.9.12-98, from 2023) isn't even the latest IM6 release, which is 6.9.13-38 as of January 19th (per https://imagemagick.org/archive/releases/). Whether the issue lies specifically in the ImageMagick version, the PHP Imagick extension, or the underlying libavif/libaom libraries not being compiled in, I'm not certain — happy to dig into this further if the team has ideas.

Possible Fix

Updating to ImageMagick 7.1.x in the WordPress app Docker image may resolve this. I appreciate IM7 isn't in the standard Ubuntu apt repos and would likely require compiling from source — so this isn't a trivial ask. That said, IM6 is effectively in legacy mode at this point, and IM7 brings broader improvements beyond AVIF support. As AVIF becomes increasingly common on the web, this is likely to affect more WordPress users on Cloudron over time.

If there's a different suspected cause or a simpler fix (aside from not using AVIF, lol), I'd be very open to exploring that too. Happy to provide any additional diagnostics if anything else is needed.

Thanks for looking into this!

in case it helps, here is an image of what is displayed in WordPress Media Library after cropping an AVIF file in it:


Media Handling screenshot from Site Health:

@girish , maybe this is a good feature for 9.1?

@girish I see it now, that’s great, thank you!

@imc67 I checked just a bit ago but didn’t actually see any update to the Developer one yet. Maybe I checked too early. Hopefully we see it soon so we can update the plugin.

Looks like just a short bit ago version 3.11.3 is out now.

https://github.com/oidc-wp/openid-connect-generic/issues/633#issuecomment-3894814402

I've released 3.11.3 which provides a setting for the issuer url. This seems like the the most reliable way to ensure each site can adjust depending on their IDP.

That's fantastic, thank you @girish!

@ccfu I tried in double-quotes but there was no difference, still throws the same error. Single-quotes too.

I noticed that when I try to set an email display name for a Cloudron app like WordPress that it won't allow values with commas in it. I'm trying to set the legal business name, but for some reason this is not working. The error I see in the user interface is mailbox display name is not valid. Interesting it accepts the ampersand (&), but not the comma (,) characters.

Is this intended behaviour though? It seems like a defect to me because I can't imagine why commas are not valid "From Display Name" characters, but wanted to double-check. To my knowledge, commas are allowed in an email "From Name".

I think Cloudron needs this database software for a few apps too that are in the Wishlist, such as Rybbit, Plausible, Dub, and more.

• Main Page: https://rybbit.com
• Git: https://github.com/rybbit-io/rybbit
• Licence: AGPL-3.0 license
• Dockerfile: Yes
• Demo: https://demo.rybbit.com/
• Documentation for Self-hosting: https://rybbit.com/docs/self-hosting

---

• Summary: Privacy-first, cookieless Google Analytics replacement that's lightweight and GDPR/CCPA compliant by default. Features include real-time analytics, session replay, conversion funnels, user journey tracking, web vitals monitoring, and built-in bot detection. Self-hostable with a modern, intuitive dashboard that works seamlessly across all devices.

---

• Notes: Lots of great features, including a session replay which I think is really cool, along with the ability to view PageSpeed Web Vitals details on every page. IMO, it seems much more detailed than Umami without being overwhelming (balances a really nice UI and small analytics script file size like Umami), while still having a mature feature-set like Matomo. It also has a Umami data importer for easy transfer too. It also (and almost most importantly to me) looks really good on mobile devices when viewing data statistics, whereas Umami is a bit underwhelming in that department for users who like to view statistics while on the go.

---

• Alternative to / Libhunt link: https://selfhosted.libhunt.com/rybbit-alternatives
• Screenshots:
  
  

@marcusquinn said in Sharing custom SpamAssassin Rules:

Nice, so which would you recommend?

For the Cloudron DNSBL list? I personally am using Spamhaus and Abusix's Exploit list to completely reject only the most obvious of spam, leaving the rest to be filtered via SpamAssassin to the inbox or junk folder.

zen.spamhaus.org
{API_KEY}.exploit.mail.abusix.zone

I stumbled across this page this evening: https://docs.umami.is/docs/enable-redis

It seems like Umami can take advantage of Redis for some performance improvements. Just wondering if maybe this should or could be added to the Umami package in Cloudron.

@imc67 said in Sharing custom SpamAssassin Rules:

@msbt said in Sharing custom SpamAssassin Rules:

Thanks a bunch for the list @d19dotca! Quick question about the rest of the setup though: Do you still have entries in the Email ACL DNSBL Zones or is that empty because everything is handled in the custom rules? Like those:

zen.spamhaus.org
bl.mailspike.net
noptr.spamrats.com
dnsbl.sorbs.net

Or is that empty on your side?

I think this is still a relevant question, @d19dotca your spam-rules are amazing, however you are "calling" ACL DSNBL's that are not default in a Cloudron install (https://docs.cloudron.io/email/#dnsbl) so I guess that they are not working until you add them?

I asked ChatGPT to analyse your latest rules and it advised to add the below ones to the DNSLBL Zones ACL (https://my.domain.com/#/email-settings). Is that in your opinion correct to make them all work?

zen.spamhaus.org
bl.mailspike.net
noptr.spamrats.com
all.spamrats.com
backscatter.spameatingmonkey.net
bl.spameatingmonkey.net
netbl.spameatingmonkey.net

So just to clarify… if you add those to the DNSBL list in Cloudron mail settings, it will completely reject mail that has a hit on any of those services. That mail setting in Cloudron is used by Dovecot/Haraka, not SpamAssassin. The reason you don’t want all those DNSBLs there is because not all of them are super accurate (some are too aggressive), which is why they’re in the SpamAssassin rules instead.

Basically the DNSBL list for Cloudron should only be if you want anything that has a hit to be outright rejected and never arrive in your mailbox (not even the junk folder). I prefer to keep that to just Abusix and SpamHaus myself because they have proven to be very accurate in the sense that they return no false positives, so they’re “safe” in rejecting only the most obvious of spam.

Then everything else that passes through that part will simply be scanned by SpamAssassin against the other DNSBLs in the custom rules and are therefore not rejected but just categorized as either spam or ham. It’s safer that way.

But also totally up to you. If you trust the other DNSBLs, then certainly feel free to add them to the Cloudron DNSBL list, but just know that doing so will most likely result in rejected/dropped messages that you’ll never know about until you look at the mail sever logs.

Ultimately… the DNSBLs in the custom SpamAssassin rule set doesn’t really have anything to do with the DNSBL setting used in Cloudron, as they are different levels of filtering and unrelated to each other.

Hopefully that makes sense. I’m just waking up while writing this so let me know if I can clarify further as I may not be explaining myself perfectly, lol.

Update: I think the theory on the plugin name change was the right area.

In the Cloudron SSO plugin, I changed this line (line 27 in cloudron-sso.php):

* Requires Plugins: openid-connect-generic

to be this instead...

* Requires Plugins: daggerhart-openid-connect-generic

Then I was able to enable the Cloudron SSO plugin and this resolved the issue, I was able to login again via SSO.

Tagging @girish for visibility.

Been having this same issue. It seems like WordPress app package was updated with the new plugin version, but the Plugin list didn't update so I figured it'd be okay to update it manually now that the new image was used, however it still seemed to break where the Cloudron SSO was showing as unable to be used since it's dependency was inactive or removed.

I disabled the OIDC plugin and Cloudron SSO in the hopes of sort of re-triggering its usage but it just fails to load the Cloudron SSO now all together. I noticed the folder name changed for the openid-connect plugin, in case that is part of the root cause. It used to be named openid-connect-generic (which is what Cloudron SSO is referring to still), and now it's daggerhart-openid-connect-generic. So I suppose the Cloudron SSO just needs to be pointing to daggerhart-openid-connect-generic instead now?

Looks really interesting!

Quick question: Do you find yourself paying for Claude Max, or Claude Pro, or just use API calls only for a pay-as-you-go (not necessarily for this project but just in general)? I was a ChatGPT Plus subscriber and while it has some nice features that Claude doesn’t have which make my life a bit easier compared to if I only used Claude web/desktop, in my testing I do enjoy Claude’s answers so much better in most cases. But the limits they have on their Pro plan I run into constantly so I think I need Max but it’s hard to justify that significant increase in cost. I wish they had something in the middle.

@IniBudi Yes just copy & paste, but remember to replace the API key for Abusix if you want to use Abusix (otherwise just remove the section for Abusix). Everything else is good to copy & paste.

@murgero Thank you so much!

For the manual spam training, I find the script I shared earlier tends to work well for me, it's been helping me on my inbox at least when it comes to the BAYES scores it assigns to messages.

It takes a while though I found before I started noticing real benefits from it, so you likely need to run it several times (maybe a week or two apart each time) before it seems to really become smarter.

@girish Totally understandable. Thank you for the workaround.

Description

Cleaning backups in 9.0.13 doesn't seem to remove the .backupinfo files associated with the new backup integrity features of 9.0.

In my case, the backups are encrypted, in case that makes any difference to how the backup info files are generated. So the files are something like app_<app_name>_v3.11.5.tar.gz.enc.backupinfo. I have many of these files remaining after cleaning up some backups. The larger backups are gone as expected thankfully, but the backup info files remain.

I use a s3 backend for my backups (iDrive e3 specifically).

Steps to reproduce

1. Run backups for a period of time.
2. Set a smaller retention window that there are backups and initiate a "Cleanup backups" task from the Backups page.
3. Monitor the s3 storage backend (this may work on other backends too), and watch the files disappear except for the .backupinfo files.