“Nulled” WP Rocket when I got the original?!

Now here’s what happened to me last night. Follow me closely, as this will explain why you might get a very specific error message upon activating the plugin on staging or production environment one day, that would imply you have a nulled unlicensed plugin.

I installed my original licensed WP Rocket on my local development environment. As it was an older package, I decided to update it first, and then push it to staging. And so I did.

Once I pulled the latest code from my repo on staging and activated WP Rocket, I tried to configure the plugin, but got this message instead:

License validation failed. You may be using a nulled version of the plugin.

A tiny detail I need to mention here – the staging environment is not reachable publicly, as I’ve protected it behind a basic authentication wall.

So, it turns out that if you install WP Rocket in one place and then move it to another, protected WordPress instance, the plugin will not be able to work, as it will assume that the user is trying to configure a compromised plugin with malicious code inside.

How did I fix this?

I removed the new version of the plugin, then installed the original one, without activating or updating it on my local environment. Activated it staging and it worked just fine there.

Expired transients don’t get deleted on protected sites

I found it the hard way.

My database is rather small. It’s actually less than 20 Mb in total. That’s of course, if I exclude the 1.4Gb of data that I have in wp_options alone. Most of if being transients. Most of which have expired some time ago.

I’ll spare you the story of how I came to the conclusion, but will skip straight to it:

If the whole site is hiden behind a basic authentication (htpasswd) wall, then there is a very good chance the wp-cron will not be running. And if it’s not running, it will not run the process for deleting expired transients, which would lead to causing the database clogging.

Generating a new administrator user in WordPress through SQL

If you need access to a website, built on WordPress, but you have SSH access only, you could still cope with the situation with a few line in the command line.

Here are the steps you need to follow:

  1. Find the database credentials. They are usually in wp-config.php file under the web-root directory of your WordPress based website.
  2. Connect to the database, using the credentials from the configuration file, using the following command
  3.  Switch to your database:
  4. Create your user:
  5. Check the id of the newly created user. Try to guess the right SELECT, and if you can’t, go standing face to the wall and repeat a hundred times “I should not mess with the database if I don’t understand basic SQL.”. Seriously.
  6. Make your user an administator with this:

    Now you should be able to login with your username and password.

Recovering missing Facebook comments (and like counts) after switching to SSL

You might notice that you are missing your Facebook comments once you switch to HTTPS from serving your site initially on HTTP. The problem is with Facebook not linking the old URLs with the new ones, which is why you might have to do some additional work in order to have your comments back.

It’s important to notice that you’ll still have your Facebook comments form and you might even have some new comments there from after you switched to using SSL, but the old ones from before that would be gone. Not irreversibly, though.

Here is the solution I found in a couple of WordPress.org Forum threads. It worked great for me:

  1. Install and activate Really Simple SSL plugin (https://wordpress.org/plugins/really-simple-ssl/);
  2. See if your dashboard breaks. It did on one of my sites due to some weird environment edge case.
  3. Add a custom replacement for HTML attributes that would contain  the address of the website with HTTPS, instead of HTTP:

Oh, it’s usually the same problem with Facebook likes, so don’t worry that much if all of a sudden you lost all your Facebook like stats on your like buttons in the site. Same solution should fix this too.

Some good sources for starting your knowledge path in SEO

A friend of mine sent a list of resources to a client of mine and CC’ed me in the conversation. I do find these resources really helpful, which is why I decided to put them here. We are not affiliated to any of the sources.

SEO 101: 
WordPress SEO hints by the authors of the most popular WordPress SEO plugin: https://yoast.com/wordpress-seo/
SEO Blogs:
 

“Sorry, you are not allowed to access this page.” on News Cherry theme options page

The problem

It happened to a client of mine just recently – they tried to change something in the theme options, but they couldn’t, as reaching out to http://their-site.com/wp-admin/admin.php?page=options.php produced

“Sorry, you are not allowed to access this page.”

message. The theme is News Cherry by Bdaia, found on ThemeForest.

The solution

Turns out the theme is using the native WordPress file editor, which is used for editing themes and plugins through  the admin panel. So once we’ve disabled this through iThemes Security -> WordPress Tweaks, it stopped working for accessing the theme options. If iThemes Security is not present or the option there is disabled, it would be a good idea to check your wp-config.php file for

and set it to false. It’s a good setting to be enabled, so News Cherry is to be blamed for forcing you to lower your guard.

A proper plugin for flipping pages of a book or booklet (list of 8 tested and reviewed plugins)

Here is the list of the plugins that I tested:

Those booklet plugins that actually are useful

WP Booklet – super-simple and easy to work with, has a post type and a shortcode, a short list of options and that’s it. Oh, and it loads images upon opening the page from the booklet, instead of loading all of the at the beginning. It could work with PDF, if pdfinfo was present on my server.

This is the best free plugin from wordpress.org/plugins that I could find and test, creating a decent responsive booklet “slider”. Or do some call it flipbook?

Here are some others that could do the trick:

Digital Publications by Supsystic – looks pretty good, has loads of options and is close to being responsive as a final result. Admin interface is rather messy, but once you get the hang of it, it’s easy to setup a booklet from a set of pictures or pages (custom HTML and CSS are also useful here, but not required).

Photo Book Gallery – loads the booklet pretty slowly, probably because it loads all images prior to displaying anything from it. Apart from this it has tons of options and a Pro version. Out of the box, the booklet, represented by a set of photos and a set of display options, doesn’t seem to be responsive, but is still better than most of the other plugins out there and can definitely be used in a production environment after some fiddling with the settings. Most probably could be used by people ignorant of the power of CSS.

WP jQuery Pager – a very basic solution that allows you to flip images, listed by ID in a shortcode. Navigation buttons are present, but nothing more. Some styling would be needed, as this thing is definitely not responsive, but hey, for a 5 year-old plugin it’s cool that it works at all!

Worthless, useless or bad booklet plugins

Interactive 3D FlipBook – a demo plugin undercover. Already reported to the Plugin team in WordPress.org for distributing a crippled version of a premium plugin (sold in CodeCanyon). While working with the UI of the plugin is pretty easy, it limits your booklet to 10 pages only, and if you leave it open for some time, it will hog your CPU heavily. Well done, Ivan, for being an douche by abusing at least two rules for publishing a plugin in the Directory and giving 5-star reviews to your plugin from at least 3 accounts.

[livebooklet] and [simplebooklet] -both of these do not work, if they ever did. Using the shortcode leads to forced PDF download. In the markup you could see an iframe of the PDF, so they never actually did anything more than just embedding a PDF in the page.

Easy Page Flip – has some basic options for the booklet which is presented as a custom post type, which requires a gallery to be embedded in it. Not responsive and rather ugly, so you’ll need to fix all that with (tons of) extra CSS.

MainWP WordFence extension overview

What is the MainWP WordFence extension

The MainWP WordFence extension allows you to scan your child sites for security issues, monitor live traffic and to manage Wordfence settings across your network and all from your Dashboard!

Price: $39

Overview

It is created to scan easily all child sites for malware, security issues and monitor live traffic. You can scan all sites with one button, see results in the MainWP Dashboard, block or unblock users or set scheduled scans. MainWP WordFence is intuitive and very easy to use. It requires the WordFence plugin being installed on the child site.

In combination with MainWP Sucuri and MainWP Vulnerability Checker extensions it provides you enough information to keep you sites secure and protect them from low level (script kiddie) attackers.

MainWP Vulnerability Checker Extension overview

What is MainWP Vulnerability Checker Extension

MainWP Vulnerability Checker extension uses WPScan Vulnerability Database API to bring you information about vulnerable plugins and themes on your Child Sites so you can act accordingly.

Price: Free

What is WPScan

WPScan is a black box WordPress vulnerability scanner.

It is a linux script, created by Sucuri to check WordPress for vulnerabilities. It has it’s own database with known security issues. The script is very powerful and allows you to:

  • Enumerate all users
  • Enumerate all themes
  • Enumerate all plugins
  • Check all themes against the database of vulnerabilities
  • Check all plugins against the database of vulnerabilities

Overview

MainWP Vulnerability Checker extension works the same way. It checks all installed themes and plugins (and their versions) and compares them to the entries in wpvulndb. If it finds one, it will notify you in the dashboard. You can check a single site or perform bulk scan.

You can avoid the security issues that this extension is looking for by keeping everything up to date, but if manage a large amount of sites, this task becomes easier said than done.

Anyone can check any plugin or theme for known vulnerabilities because the wpvulndb database is open. Researchers are disclosing these issues after the vulnerabilities have been patched. It is a good place for research if you check whether a plugin had many vulnerabilities in the past and how quickly they have been patched. Unfortunately the database has been used by attackers who have found outdated plugin or theme and are looking for known way to compromise the site.

Resources on WordPress MainWP Vulnerability Checker Extension overview MainWP Vulnerability Checker
Security issue in one of the plugins

MainWP Vulnerability Checker gives you another point of view of your sites. In combination with MainWP Sucuri extension and MainWP WordFence it provides you enough information to keep you sites secure and protect them from low level (script kiddie) attackers.

MainWP Sucuri extension overview

What is MainWP Sucuri extension

The MainWP Sucuri Extension uses Sucuri’s proprietary SiteCheck Tool to scan your sites. SiteCheck provides web-based malware scanning of your web sites using the latest in fingerprinting technology. It gives you a quick way to determine if your web applications are out of date, exploited with malware, or even blacklisted by popular search engines all directly from your MainWP Dashboard!

MainWp Sucuri is really easy to use. It adds SECURITY SCAN tab to each site’s Dashboard.

Price: Free

What it can do

MainWp Sucuri helps you scan your sites for security issues and offers you a quick way to fix them. According to it’s creators, it can:

Scan For:

  • Malware
  • Malicious javascript
  • Malicious iframes
  • Drive-By Downloads
  • Anomaly detection
  • IE-only attacks
  • Suspicious redirections
  • Blackhat SEO Spam
  • Spam

Also Check For

  • Web Server Details
  • List of Scanned URLs
  • List of Javascripts Included
  • List of iFrames Included
  • List of External Javascripts Included

The scan results tells you also if there are some other issues like directory browsing, accessible readme.html etc. It scans for things, attackers check in the fingerprinting stage of an attack and helps you hide them.

In combination with MainWP Vulnerability Checker and  MainWP WordFence  it provides you enough information to keep you sites secure and protect them from low level (script kiddie) attackers.

Issues

This extension is really good, but it has some problems that need to be fixed. One of the is the false positives. If the scan find readme.html file in the root directory, Sucuri flags it as an issue even if the file is not accessibe (returns 403 Forbidden). Similar thing is happening with the directory browsing results.