CoolDavidoff

Thank you, I am using the plugin as well and love it.
Could you say which display problems you found and addressed?
Link to your site, before and after? lol

I have noticed some different problems myself, unfortunately the Russian company behind the plugin seemed unwilling to spend time fixing them. Eg did you notice that some bug in the code saves comment images in folders years back in time?
And that in comment admin we cannot admin the comment image?
And worst, that comment images often get rotated wrongly?

Oh Tomasz thank you so much for your personal reply,
I worded my question asking all existing users to try avoid bothering the author, you. Sorry I did now. You must be all too busy with such an amazing plugin!!

I’d LOVE to get it work as well, like the other reviewers here. Thank you. I wasn’t aware amazon makes emails, cool, i sent you one just now.
Whatever that’s for, Thank you so much.

Indeed it does, thanks.
I installed it, tested it, and plan to write a thorough review – which would be your first, going through the existing reviews…

Now, not to harm your amazing ranking, I thought it’s proper to give you heads up here: Maybe you’d like to reply, or even wish to rectify issues before I review?
At the moment it would be unfair to other plugins if I gave this one 5 stars, you see?

– “Flush Permalinks” button does NOTHING. “View Sitemaps” afterwards, and the SAME OUTDATED sitemaps exist. How do we delete your old sitemaps creations and only have the NEWEST ones available for SE to index?

– I tried your plugin for your much marketed “free content analysis”. Sadly precisely there it lacks everything: the “analysis” it offers is ….

eg “keyword was found 1 times” – yeah, so what, I know that: I put it there! But WHAT are you trying to say? I have no crystal ball, you know?
eg “None of your target keywords were found in Heading 3 (H3).” – And?? The page doesn’t have subheadings because it’s irrelevant for that page. But seeing your red cross I am wondering “is H3 needed nonetheless?” You should write some EXPLANATION there, hm?

Honestly, “content analysis” I thought would be VERY different of what you output there. “Content analysis” means so much more to me (and to other authors).

– “Social” tab: AIOSEO scanned the post for images and showed them. Then you could tick the one you want to use for social sharing. [IDEA] ??
Plus, it always had a default image to share, in case you forgot to select one. [IDEA] ??

In your plugin I neither get to see WHAT currently gets shared, nor a choice what I COULD share. Only “upload” or enter url.
That costs us too much time for each post, you see?

– “Advanced”: “You can not uncheck a parameter? This is normal, it is most likely defined in the global settings of the extension.” – WHERE? I can’t even see those “global settings”? Could you link the words? Like you did with “Looking to edit your blogpage?” ?

– General “Advanced” page: All from “Remove WordPress generator meta tag” and below have no “info” icon anymore, but precisely for those it would help so much to get an explanation from you, you see?
I have now ticked all of them, until I get to hear I shouldn’t?

– “Security”: “Block SEO metabox to user roles” – makes no sense in English: do you mean to say “block FOR” say admin role?, or “LIMIT” the box to the ticked roles? – which is the exact opposite, hence why I have to ask what you mean?

So far, ALL ELSE I LIKE, WELL DONE, CONGRATULATIONS!
So basically, if you could at least fix the xml sitemap error, that would be great. ??

Thank you so much Gido!!
– I reviewed your google link
– will also review the upcoming release (0.9.8)
– and will open a new topic if needed, as you suggest

Thank you

I would like to express my respect for your professional and friendly attitude, Alex. Thank you!
Other plugin authors post false excuses when users say what doesn’t work, but you actually READ and CONSIDER what users write. Kudos to you!

“We want to make a constructor, that is, a plugin that will be built from modules.”
Hm, I always felt your plugin is already a “constructor”, if that is the term. For me, that’s what “Components” in your plugin is.
My impression however is that
– before, hide login was a core part, now it’s gone (in a separate plugin, it seems)
– and the “components” always allowed to activate/deactivate individual parts WITHIN the plugin (without installing separate plugins).

At least that was, and is, my understanding of the plugin, lol.
What is really funny is, you say “Now we just excluded the components Hide login page, because this function is available in almost all plugins to protect WordPress and is rarely used.”, but you removed the component and created an EXTRA PLUGIN just for that tiny thing (so you think it is).

Also note that “smart” users do not install ANY plugin that is absolutely considered helpful or needed. So arguing “this function is available in almost all plugins to protect WordPress” (if true at all??) isn’t wise: users DON’T want to install two plugins that widely overlap. If you think it’s basic functionality then leave it in, unless you want that users choose another plugin over yours altogether. Just my 50cent.

Again, thank you very much!!

“2 months, 2 weeks ago”

Any update on this from Frederick or Gido would be much appreciated.
No file exchanges are needed, all raised W3TC issues can easily be reproduced in any new installation, incl. the Error parsing header X-XSS-Protection: 1; mode=block, 1; mode=block: expected semicolon at character position 14. The default protections will be applied.

No problem if you can’t resolve any of it: At least DISABLE all interference of W3TC with http response headers if W3TC can’t handle it correctly (it can’t, as documented). Limit caching to what caching is meant to do. Hm?

“Removing a component from the main plugin does not destroed the site, just access to the admin panel becomes the default.”
This is factually wrong. Login was impossible after your plugin changes!

“we warned users that it is worth overloading the component that hides the login page and highlighted this warning in red”
This has nothing to do with the plugin flaw and harmful business decision of the plugin maker that I reported. Besides, “overloading the component” requires guesswork what you might mean.

“Really simple ssl” No we do not have that plugin “really simple ssl” because real ssl is much simpler than adding a plugin for that, tsss.

“unfortunately I myself am very upset that this update had a lot of problems.”
Appreciated that you admit it. I suggest not to make “updates” that corrupt sites of users that had installed your plugin, instead sell those as UPGRADE.

Either way, what plugin authors normally do if they want or have to turn some functionality into a separate plugin, is, they prompt in RED *before* someone CAN update the plugin. You did not, as mentioned “There was no warning message upon updating, so I credulously proceeded”.

Whatever, mistakes can happen, and you admit it was one, so let’s forget it. Please think: Does the distinct login url really justify an extra plugin???
Why didn’t you leave such a tiny feature within the core plugin?
Be aware that any webmaster other than a noob DOES ALL HE/SHE CAN TO AVOID AN ADDITIONAL PLUGIN.

Okay Paul and all, so I just tested this sociallocker and it still doesn’t work unfortunately:

– it does prevent loading the locked part
– but keep page loading forever, doesn’t stop loading “sth”??
– and the locked part just is blank, no locker widget, nothing anyone could “share”

Can you please try as well, on a fresh install?

Myself I am not going to go bug searching because I know Steve is right, these “locker” plugins are buggy like hell, and if it doesn’t work out of the box (like wp-sharely) then it is too difficult to use for most anyone user.

I appreciate Steve’s review, hadn’t heard of the others, had looked at this one here months ago and not even the demo page was working, so I thought “hey, why pay for that?”.

Now I see, in line with what Paul posted about error fix, the demo page works again, so I may give it another try.

But here’s sth for Steve: There is a social locker that worked wonderfully, lots of settings options too: wp-wharely, a private paid one, from some dutch guy.

Then they stopped maintaining it and promptly fb changed some api stuff and the plugin stopped working. I think twitter and g+ still worked but our users used fb unfortunately. So we took the plugin out.

>>> Since the time we took the plugin out, guess what?
NO ONE shared anything! 12 social share buttons, but without “force” actually no one shares (in our sector). So much for how NECESSARY a functioning social locker plugin is.

So, coincidentally before Paul fixed his plugin, I hired a guy to fix wp-sharely/fb api.
Then I can compare that with this here, and report back.

Great, you are a huge benefit to wordpress forum, thank you ??

Hey look, I can now actually summarize my suggestions for Frederick and you, what to implement (may I say?) asap? lol ??
Sorry that it took me a few posts here before my head cleared.
So, two suggestions please:

1) There must be a way to NOT “overrule” a user’s own security headers (incl CSP), currently w3tc does, and I did read Frederick’s reasoning but (may I say so?) don’t agree on that point, no.
Can you ask him to cache AFTER the functions.php has been executed?
Reason: Most users (if they have an idea) will use functions.php for it (it’s simplest, quickest). But currently w3tc completely ignores one’s settings (= cannot cache that, he says).
Well, it CAN add to its cache the settings from “browser cache” page, so I am sure there’s a workaround here, for someone so skilled to CODE W3TC…! ? Yep.

2) Whether or not you and he agree on point 1) (= regardless), an absolute must is that w3tc excludes the /wp-admin path pages from adding Security Headers declarations to its cache.
Think: There’s “millions” of plugins and themes for wordpress, and there’s no way I (anyone?) is ever able to devise a workable security headers section when using w3tc if w3tc does not exclude wp-admin pages (where frankly it doesn’t make sense ANYWAY).

We have just been through sth that lacks words allowed in this forum….
so tough that job is with w3tc (and only with w3tc, because other caching plugins I know don’t offer this at all, hence they don’t “overrule” any settings in functions.php, I believe?).
All the time we get “surprised” with inexplicable new challenges, so much so that plugins stop working (obviously) because a single declaration “forbids” them. Which crashed in certain cases the entire site (eg membership plugins…).

So, 2) is a MUST. Until that is resolved, we can only either a) stop using w3tc, or b) use it but have to forgo all security headers that we *already* have in functions.php anyway (but w3tc as said “overrules” them).

Thanks so much Gido!!

Hey Gido are you a user too? And so friendly helping others? Impressed, thank you!
Doesn’t look here you work for Frederick?

Thanks again man! Okay I will. Hey I found another (may I say quietly? bug?):

w3tc, current version, seems to replicate into “frame-ancestors” what it finds in “frame-src”, can you reproduce this?

So: I delete “frame-ancestors” directives, enter correct one, reload page (browser cache), and again populated with same as frame-src – which frankly is wrong, they aren’t the same ??

Gets more weird though: Next please Export your settings, check the file with notepad++, and you see it DID overwrite it.

So now you refresh browser settings once more, cause you can’t believe it, and what do you see?

Again/still “frame-ancestors” is wrongly populated with “frame-src” directives.

Now that’s weird, huh?

In the meantime I found out:

w3tc has some issues with browser cache settings, and this is what generates the non-existent js and css links, as well as more issues:

2) When we tick “Prevent caching of objects after settings change” then any new settings should become effective, because caching is prevented via query string (and “Remove query strings from static resources” is UNticked of course)

The don’t become effective though: I had added some CSP directives to script-src and others, and just now I see WHY the console errors still show up: despite refreshing, browser restart, cache clearing, and what not, the browsers still pick up the old cache without those additions.

So seemingly “Save Settings &Purge Caches” is not reliable?

Worse, with these settings pages don’t display correctly, eg background images show up in wrong places.

3) When we UNtick “Prevent caching of objects after settings change” (and “Remove query strings from static resources” is UNticked of course) then pages display correctly again, BUT the caches still won’t clear: pages still have the old CSP directives.

Has anyone tested this deep into w3tc ongoings?

Okay I have found WHERE it gets injected, I have not found how to stop that though as w3tc does not list them under browser cache where the security headers get entered.

Here’s where w3tc injects them:
x-powered-by:W3 Total Cache/0.9.7
pragma:public
link:</wp-content/cache/minify/c9f75.js>; rel=preload; as=script
link:</wp-content/cache/minify/8cba1.js>; rel=preload; as=script
link:</wp-content/cache/minify/69faf.js>; rel=preload; as=script
link:</wp-content/cache/minify/82053.js>; rel=preload; as=script
link:</wp-content/cache/minify/1c235.css>; rel=preload; as=style

found thanks to https://tools.keycdn.com/curl

I must be blind: I cannot see that been set anywhere in w3tc, so they must get auto-generated in the backend?
Why does w3tc do that when minify is OFF?
Anyone can shed some light?

That may be in some installation yes, it is not in ours though, no. Earlier I meant I searched the entire db, 100% certain, the files are not referenced in the db. Nor in htaccess.
As cache files won’t get programmatically hardcoded into php files, I am wondering where else they may be called from?

Also wondering, why w3tc newly creates those “default” cache files despite that minify is disabled?
That part certainly shouldn’t be, right?

Thanks for your reply.
Before I forget it again, there is a syntax error reported in security headers section of browser caching:

Error parsing header X-XSS-Protection: 1; mode=block, 1; mode=block: expected semicolon at character position 14. The default protections will be applied.

Now back to your questions.
Yes, upon the last removal we did all of that. Upon interim removals (during testing) likely not.

I tested this a bit more now on the weekend: w3tc seems to create “default” cache resources even if minify disabled? Look:

GET …/wp-content/cache/minify/dd14f.default.include.b88444.css 404 ()
GET …/wp-content/cache/minify/dd14f.default.include-body.613814.js 404 ()
GET …/wp-content/cache/minify/dd14f.default.include-footer.3a2d34.js 404 ()

Could that have caused it?
Either way, does anyone have an idea how to delete references to non-existent files when you can’t easily find where they get referenced?

They are not in the db, that we know. I am confident they are inflicted by one wrong setting in browser cache?
However, tried both, Prevent caching of objects after settings change, ticked and unticked.
Minify is disabled throughout. During earlier testing of course it was on Manual mode. Does that maybe not get entirely cleared when you deactivate minification afterwards?