Erick Danzer
Forum Replies Created
Hi @martinstkonvis – appreciate your security consciousness, but as has been noted, a fix was already available when GoDaddy took this action. That means all that was needed was an update. So GD could have emailed users to update or, if they considered it severe enough, force updated the plugin. For many reasons, this is what almost all hosts actually do in such circumstances.
If GoDaddy is going to delete everything that has a security vulnerability in its recent changelog, it would need to delete a vast array of plugins, themes, and WordPress itself (WordPress alone has had 11 vulnerabilities in 2019 and 38 SQL injection vulnerabilities over its history).
As a side note, this particular vulnerability required admin access. While all vulnerabilities should be treated seriously, it’s still worth noting that once someone has admin access to a website, they can pretty much do what they want anyways.
So based on both the specifics of this case and on industry standards for similar situations, I think it’s fair to conclude that this was a poor and unusual approach on GD’s part.
Hi all – we spent some time trying to duplicate this issue but were unable to do so. We had three of our team members configure Woo alongside NextGEN Gallery, try a few different things, but we could never trigger this same issue.
The multiple reports here underscore that there is a conflict, and we can tell from the type of issues being reported that it’s likely a JavaScript conflict. But it depends on some specific environmental condition – a Woo setting, or NGG setting, or hosting setting, etc – that we’ve been unable to find or duplicate.
If anyone has this issue active on a site, and would like to give us WP and FTP creds, we’ll have a developer take a look quickly. Please submit a bug report via https://www.imagely.com/report-bug/ and reference this thread so we have the context.
Thanks.
Hey Cami – Thanks! We’ve already seen several copies of the email from users affected this morning. But I appreciate the offer, the underlying concern, and instinct for helpfulness.
While there’s not much we/I can do about this episode now that it’s done already, I’d really prefer GoDaddy find a more productive way to manage this type of situation – for us, for other plugin/theme devs, and for users’ own websites.
Maybe you can suggest that to GoDaddy via your own channels. I’ll do the same via mine. Maybe if they hear about it from a few directions, they’ll adjust and find a better way. Thanks again.
Hey all – Erick (CEO Imagely) here. I want to confirm that all you need to do here is update to the latest version. There was a security issue that’s already been fixed.
If GoDaddy has removed the plugin, just reinstall NextGEN Gallery fresh from your plugins page, and you should be good to go.
For the record: this is a very odd policy. The normal way for a hosting company to handle this would be to email users and ask them to update the plugin. If the issue is serious enough, then they can also force update the plugin.
But deleting a plugin in this way just breaks website content. It’s not uncommon to find and fix security issues for WordPress themes and plugins. Based on this approach, GoDaddy would presumably start just deleting plugins/themes each time that happens, regardless of whether the underlying issues have been fixed.
I’ve reached out to GoDaddy to discuss.
But for now, just update or re-install, and you’ll be good. Thanks. For our part, apologies for the hassle.
Hey – thanks very much for writing back. It’s helpful, and I can tell your efforts to use the plugin were genuine. I’ll just add a few more thoughts on your follow-ups:
1) Sounds like you feel we should be clearer in the WP.org plugin description about what’s free and what’s part of Plus/Pro. We feel it’s pretty clear, but we’ll review our language to be sure.
2) Not sure on this. I just directly tried your shortcode, and it’s working for me. I thought initially it may be because you’re trying to ‘sort’ the same images you’re excluding, but even with that, it still works for me. So without seeing your instance, it’s hard to say what the issue is.
3) Yup, it’s true that NGG won’t integrate with most third party slider plugins.
4) While this is doable, sounds like it was hard for you to figure it out, which is valid feedback.
Thanks @andreyti We wish you the best and hope you find a solution that meets your needs.
Forum: Reviews
In reply to: [Photo Gallery, Sliders, Proofing and Themes - NextGEN Gallery] not allowed
Hi there! Can you clarify what you’re seeing exactly? We do have hundreds of thousands of users uploading images every day, so it’s unlikely this is a general issue with the plugin. It’s likely something very specific to your environment, such as plugin conflict, a hosting limitation on image sizes, a hosting permissions setting, etc.
If you can give us details on what you’re seeing, we may be able to help you understand what the issue is.
We always appreciate when users take the time to leave feedback. I must admit we’re unsure about the meaning of some of your feedback. For now, I’ll add some general thoughts. If you want to follow up with any more detail, we’d be happy to respond with more specifics.
1) NextGEN Gallery is definitely free. You can download it from WP, install on your site, and use it forever. There are currently about 900,000 free installs. I wonder if the point you’re making is that certain features/options are in the premium extensions for NextGEN? If so, that’s true, but that’s the model used by nearly all WP companies. And we feel safe saying that NextGEN includes more functionality in its free plugin than any other gallery plugin.
2) Image exclusion does appear to be working on Imagebrowser galleries. We just double checked to confirm. To clarify, we’re adding a gallery via the Insert Gallery Window, and excluding images there. If you want to post more detail on what’s not working for you, we’d be happy to check it.
3) We’re not quite sure what this refers to. Sounds like maybe you’re trying to get some third party plugins to work directly with NextGEN images?
4) This one is true – you can’t directly copy a gallery. But you can create a new gallery, and copy over images from your existing galleries. So same result, but with an extra step. We haven’t ever had a request for ‘copy gallery’ functionality. If we saw some broad support for this, we could add it to our list of potential new features.
Thanks!
Hey @squazz and others who may read this,
There’s some truth to this review and we think this is reasonable feedback. But we do want to provide some context.
First, what we’re doing is enforcing *the version of jQuery that WordPress itself includes.*
There are good reasons to do this. The entire developer ecosystem around WordPress expects this version, and builds around it. For that reason, in most cases, it is considered poor practice to change the version of jQuery. When you do, you’re likely to break a lot of plugins, and possibly even some core WordPress behaviors. Most cases where we’ve seen this, it has been in the context of poorly coded themes or plugins, which when installed, break the code of other themes/plugins that are all using the WP version.
That’s not to say there may not be some legitimate use cases, especially for users managing their own environments (as opposed to theme/plugin devs who are forcing changes in the jQuery version everywhere their products are installed).
We’ll look into providing a work around in our own code for that.
Second, on security fixes and concerns… As a rule, if there are legitimate security concerns with the version of jQuery that WordPress packages, we would expect WordPress to address that. Otherwise, WordPress itself is keeping 10s of millions of websites in a vulnerable state. And WordPress is fairly security conscious about these things.
@squazz – on that front, I don’t know which specific security issues you’re concerned about, but assuming they are valid, your critique is also a broader one about WordPress for packaging a version of jQuery that’s not secure. If you haven’t, you may consider addressing it with WP folks directly.
–
In any case, thanks for taking the time to add your feedback.
@uldis23 – Can you confirm… Is your issue solved now by changing lightboxes? If not, can you clarify what if any issue you’re still having?
I wanted to add that we’ve been able to duplicate this now. We’ll solve it for the next release.
Hey @joshbiz – Any way you would be willing to give us access to one of those sites? While we’ve had a few reports of people experiencing this, we can’t actually duplicate this issue ourselves. The notice is always dismissable for us.
If we can see it, we should be able to resolve it quickly and push an update in the next release.
If you’re up for that, submit a bug report at https://www.imagely.com/report-bug/
Put ‘For Erick’ in the title and link to this forum thread if you can.
@grandslambert – Yup, good point and I’d agree.
Hey all – just a quick update. The latest release does change some implementation for random galleries. We ended caching of random galleries on individual pages or posts. As of now, we are still caching random galleries for 30 minutes for widgets. So for widgets, you’ll get a fresh batch of images every 30 min or so.
We are talking about adding an option to turn that off for widgets, so widgets would return to their prior behavior of no caching.
As I think I’ve laid out, one major point to make: the use of true randomized widgets in the side bar is a major performance issue. The function call needed to go through all your images and select a random batch is costly, and when you put that random widget on the sidebar, that call is made every time any visitor loads any page on your site. If you have any substantial traffic, the cumulative cost of all those calls can be a major performance drain.
That’s the reason we’re still caching the widget. We’ve lowered the amount of cache time to 30 minutes, but that’s still plenty to prevent the performance drain.
The next step will be to add an option to turn off that caching. It’ll come with a performance warning though. We did consider alternative ways of ‘faking’ random galleries, but there were some implementation concerns for each approach we considered. Right now, we’re not looking at that.
For those of you wanting true random galleries via widget area – I assume you’d still continue to use them if we added the option, despite the performance concerns above?
FYI – if you’ve been using them in the past, you’ve been encountering the performance consequences already, and just weren’t aware. That’s why we fixed / adjusted it as we did. We’ve assumed performance > true random widgets.
Note again: we are not caching random galleries on pages or posts, because the effects of the random function calls don’t repeat on every page load site wide, and thus don’t have the same performance drain.
@ecormier – Thanks for the response. And no worries. You have the right to feel frustrated and post your experience.
I do have to be honest and say we’ve never heard of this kind of issue before, and I can’t imagine how it would occur. That’s not to question your situation – I assume you saw it as described, and you sound technically competent.
In any case, I’m glad you got it resolved. We wish you the best.
@ecormier – Perhaps you can clarify your issue? NextGEN can be removed from your WordPress website like any plugin: go to Plugins, find the plugin, click Deactivate and then Delete.
If this process is not working for you, is it possible you have a broader issue with your WordPress installation?
Once deactivated (or deleted), no plugin code will run, so it should be impossible to see any part of the plugin user interface, including notices.