"Import Folder" does'nt work the same way after v2.0

Hi all – An option to preserve images in their original folder is now included in the latest full releases. Thanks for your patience. Let us know if you have other issues.

@duce: Thanks for your note. Yes, import functionality is still limited to the wp-content folder. We’ve had quite a bit of internal discussion about this, and it was changed for security reasons. There are some serious security concerns in allowing the plugin to access and mess around in the root directory (and all other folders) of a website. The original request to change this feature came from Automattic.

The plugin will continue to read any galleries you’ve previously added from the root or other folders.

Sorry, but you are missing my point.
Even though its possible to convert the 10+ websites that currently run the Nextgen gallery system, going forward from that point it will NOT honour adding images using FTP and then importing from the specified folder in root. It will mean the images has to now be loaded in the “wp-content\some dumbass folder which already shows a potential hacker that you are using wordpress because it can only be set in a wordpress sub folder” and meaning all images indexed in search engine will display the path “domain.tld\wp-content\dumbass-folder\damn-picture.jpg”

And as a matter of security.. I do not even use FTP. If you are really concerned about security address the core issue why websites gets hacked. Simply because noobs have no idea to set file and folder permissions and FTP clients allow for such silly mistakes, let alone the amount of FTP credentials that gets stolen daily off users pc’s.

It is neither your, nor Automattic (whoever this may be) nor my job to try and secure people’s website. If it is a real concern then create documentation advising on how to secure websites and the dangers of folder permissions and locations. And at least start the documentation with: Stop using FTP at all cost, it is lazy, stupid and causes security concerns.

@duce: I honestly do think I understand your point and what you’re going for. I think the issue is just that we’ve decided not to allow imports from below wp-content, and that’s functionality that was important to you, so we’re causing you real pain. But I’ve outlined our reasons, and the reasons are legitimate. Automattic, by the way, are the people who make WordPress.

I’m sensitive to disagreeing too hard with you because I know we’re causing you pain, but I think it *is* part of our job to do what we can to improve security for our users’ websites, at least as far as our plugin is concerned. That applies even if people aren’t using ideal security practices (indeed, a large percentage of users aren’t, so we really have to take that into account).

I’d also disagree that moving images to another folder outside wp-content disguises that you are using WordPress. It’s very easy to tell a WP website just by looking at the source code of the home page, regardless of where images are uploaded and stored.

As I mentioned, my goal isn’t to disagree with you, and I recognize our decision has real consequences for you, and that you know what you’re doing. I’m just trying to underscore why we made the decision in the hopes that you (and others who read this) will understand, even if grudgingly.

Thanks and best (Erick).

Obviously that means the end of the road for me and many other photographers using WP and Nextgen. Pity Photocrati lost the plot trying to re-invent the wheel with changing Nextgen so dramatically. I was quite optimistic starting out. Even considering purchasing the Pro version. Now, unfortunately that is not an option anymore.

*PS: And I disagree that you can see its WP by looking at the source code of the home page. There are multiple things you can do to hide it perfectly. Most high level business websites running on WP does not show it in the least.

Duce,

If you are running un linux server, have you tried to do a link of your pictures folders in the wp-content folder ?

I did this already for the 1.9.13

Maybe it will still work on the 2.00.33

@duce
How do you have all your galleries outside of wp? My default folder is wp/wp-content/gallery and it can’t go any lower from the UI, but I’d also like them outside of wp.

Theres a fork of v1.9.13 been developed and maintained, I don’t think this lot will ever get v2 sorted, I tried installing it again on a test site, crashed the site and lost all the galleries, forget it.

Try this:
https://www.ads-software.com/plugins/nextcellent-gallery-nextgen-legacy/

@mcfester: I’m still running v1.9.13 on all those websites. I tested on one website with the new version and it literally duplicated images a number of times to the new stupid folder.
Even tried editing some of the files in the latest versions to no avail. It just defaults back to this silly way even though it does not change the location you specified in the settings.
One of the websites do over 2 million hits a month with over 17Gig’s of images. They must be insane to think I will give this a try and lose all that hard work of years building it!
Thanks for the link.. Will check it out. ??

@hephoto: Nope, run *BSD servers and what you are referring to are symlinks probably? Using a symlink in something like that is not advisable as it might attract a few other nasty things.
A neatly crafted attack on your galleries just might reveal underlying base system info. I’m not 100% sure, but logic tells me not to try it.

Hi all – we’ll think about this some more. I have the sense we’re having to make a hard decision here between what’s best for security for the many vs what’s genuinely needed for a few to accommodate existing working routines.

I think we’ve made the right decisions, but if we got a sense that the ability store images outside of wp-content was really that important for a large enough group of users, we might consider changing it back, at least for non-multisite installs.

In the meantime, it also occurs to me we can provide a specific code patch to those of you who want to be able to navigate from root upward. You’d need to make this code adjustment after each update, so it’s not ideal, but it does provide the few who need it with the ability to browse outside of wp-content while keeping better security in place for the majority who don’t.

I’ll check into this and get back to you.

Dear Photocrati,

Please really consider giving us (the users) the option to use an image folder outside the wordpress directory.

For me it’s not about people seeing that i use wordpress (they can see that on my website). It’s that I have two websites on my domain and want to show images on both those websites.
With the current limitation of the plugin I need to create two copies of the same image to be able to show them on both my websites.

It would be great to see an option to allow access outside the WP directory – just the option, so disabled by default, but if you really want it you can enable it (I don’t know if that is possible of course, but that would make your plugin secure, except for the users who knowingly choose to enable the option).

If that option would be available I would only need to have one copy of the image on my server and use that copy on both website while still using the Nextgen Plugin!

Thanks for at least considering the option!

PS: Thanks for adding the “Keep images in original location” option!!

Thanks for the additional thoughts/vote, @paul Chevalier.

Just a quick update. Right now, after talking about this, we’re thinking that we may adjust behavior so that by default it’s still wp-content and up only, but give users the ability to set access all the way to the root folder by adding a specific line to wp-config. This would allow us to keep a more secure default while providing an upgrade-safe way to change the setting for those who really want it.

A developer is looking at this now and I’ll keep you posted. Whatever we introduce for this will be in the next update. If you have other thoughts or feedback, let us know. Thanks (Erick).

Another new feature I don’t like about the import folder is after a folder has uploaded theres no notification, just the window that shows the upload closes, it doesn’t even give a link to edit the gallery.
Before the page would refresh and say something like “uploaded folder name successful 12 images – edit gallery”, this way if I have to leave the computer during an upload when I return I know where I left off, and when importing many folders its easy to lose track if the page doesn’t tell me whats just been imported.
Anybody else feel the same about this?

I echo mcfester’s request.. As I’m uploading round 1000 to 1500 images and on average 6 new galleries at a time it is quite important to know where you were working when called away from your pc.

As for the security aspect: (fresh brain today and less irritated)
The default where the uploader checks first is “wp-content” correct.
Now please do check what all you see where you can traverse using that uploader. “plugins”, “themes” , “all other plugin upload directories”.
And you are trying to tell me that is safe? What if any or one of those themes or plugins have a security vulnerability in them?
At least when you start in a folder in the root of your website there is nowehere else to go, at all.

Thanks for considering and yes I think adding a line to wp-config is the way to go with this. Really only advanced user will be able to do it and I am quite sure most will be happy with it.

As for making it easy/secure for the majority.. Just this week I had long chats with two web developers that without me saying anything talked about how silly nextgen has become and they not using it in future developments.

All – We’ve made available the possibility to import from above the /wp-content/ folder with our latest (beta) release.

Please see this page: https://www.nextgen-gallery.com/nextgen-gallery-latest-beta/

You will need to place the following anywhere in wp-config before:
/* That's all, stop editing! Happy blogging. */

define( 'NEXTGEN_GALLERY_IMPORT_ROOT', dirname( __FILE__ ) . '/' );

Thanks!

– Cais.

Great! Thanks! Now you moving in the right direction. ??

Just tested it on one of my smaller sites with 18 galleries and found a bug though.

When you upload images into a folder that has a space in between then NextgGen automatically changes the path from “New Folder” to “NewFolder” in the database reference/link to images during importing.
However when you check the gallery path when in Manage Gallery it still shows the path where images are: “New Folder”. This can not be edited though. When you browse the image gallery then the thumbnails won’t display and when you click on an image it can also not find the image.

So I went and edited the path on the server side to “NewFolder” and the images and thumbnails displayed correctly.

However, after that, when using Singlepic in a post the image does not show. When you click on the image it does show the image in the lightbox pop-up.

Also when you edit the gallery and click on save NextGen then automatically creates a new folder “New Folder” as is referenced in the original path and also creates a sub directory in that folder “dynamic”. None of these folders contain image files in them.

As a quick fix I simply edited all references of “New Folder” to “NewFolder” in the database itself. This fixed it for now.

Please let me know if you need me to test anything else please.

And thank you very much for listening to us and adding this functionality. You have definitely retained me as a client. Soon as this is polished up and I successfully switch one of the bigger sites to the new version will I buy the pro version. ??

@duce – We would like to make this a lot better still and your feedback is helping to sort out this issue but would it be possible for you to submit a Bug Report (https://www.nextgen-gallery.com/report-bug/ … please reference this topic) so our developers can get a closer look at your particular case, especially since you have found a potential work-around.

We would appreciate access to a set of log in and FTP credentials for the WordPress installation as well, please include those with the Bug Report!

Thanks!

– Cais.