Forum Replies Created

Viewing 14 replies - 1 through 14 (of 14 total)
  • Thread Starter Esmertec

    (@esmertec)

    @jarnovos, the matter turned out to be much simpler than I thought, I simply turned off the plugin and turned it on again, the notification about headers disappeared after this operation) I also installed a free third-party firewall to test the functions. There is one notification left in site health about the need to limit user login attempts.

    P.S. I don’t want to buy any functions in plugins yet, since the audience of my site is too insignificant, so I want to get by with minimal costs for now =)) in theory the easiest way out of the situation is to buy the pro version from rsssl =D

    Thread Starter Esmertec

    (@esmertec)

    Hi @jarnovos, thx for the answer!

    An error about incorrect headers appeared after the last update of the plugin. I understand that this may not be an error, but after checking and convincing myself that the problem is not with my site, I decided to write a small bug report.

    Regarding disabling notifications from the plugin, also thanks for the advice, but I don’t want to do this because the RSS plugin notifies about “bad” plugins, which is extremely useful, and constantly monitoring their status is not always convenient.

    Thread Starter Esmertec

    (@esmertec)

    I don’t think the problem is with any plugin as the error display is very strange and doesn’t look like plugin incompatibilities. My big concern is that the problem may be both in WP itself and in the hosting (my site runs on my server). But I’m checking it out for now. The closest thing seems to be a problem with the theme, which has not been updated for a very long time compared to WP itself

    Thread Starter Esmertec

    (@esmertec)

    Hey @vmarko! For the sake of interest, I decided to install the latest version 2.2.12, the problem persists. During this time, I have already found an alternative that works just as well, so I’m unlikely to use this plugin again.

    Thanks for your support and good luck with the development!

    <img src="https://i.ibb.co/sjCv2SQ/scr.png">

    In order not to produce the same topics, I join the review, the plugin broke after the update..

    Error details
    ===================================
    An E_ERROR error occurred on line 32 of the /home/admin/web/geek-speak.ru/public_html/wp-content/plugins/radio-player/freemius/templates/sticky-admin-notice-js.php file. Error message: Uncaught Error: Call to undefined method Freemius::ajax_url() in /home/admin/web/geek-speak.ru/public_html/wp-content/plugins/radio-player/freemius/templates/sticky-admin-notice-js.php:32
    Stack trace:
    #0 /home/admin/web/geek-speak.ru/public_html/wp-content/plugins/radio-player/freemius/includes/fs-core-functions.php(50): require_once()
    #1 /home/admin/web/geek-speak.ru/public_html/wp-content/plugins/radio-player/freemius/includes/managers/class-fs-admin-notice-manager.php(195): fs_require_once_template()
    #2 /home/admin/web/geek-speak.ru/public_html/wp-includes/class-wp-hook.php(308): FS_Admin_Notice_Manager::_add_sticky_dismiss_javascript()
    #3 /home/admin/web/geek-speak.ru/public_html/wp-includes/class-wp-hook.php(332): WP_Hook->apply_filters()
    #4 /home/admin/web/geek-speak.ru/public_html/wp-includes/plugin.php(517): WP_Hook->do_action()
    #5 /home/admin/web/geek-speak.ru/public_html/wp-admin/includes/template.php(2157): do_action()
    #6 /home/admin/web/geek-speak.ru/public_html/wp-admin/update.php(53): iframe_foo
    Thread Starter Esmertec

    (@esmertec)

    Thanks, I installed Really Simple Captcha; in principle it does its job. I contacted the creators of reCaptcha about this, and they replied that they had not tested the plugins together (recapch+wp-recall), so integration is not possible xD well, that is basically the expected answer)) I also have a question about the password field during registration: the password strength indicator has stopped being displayed, and it constantly says that no password has been entered, although registration works fine. Could you tell me where to dig? Thanks in advance for the answer!

    Thread Starter Esmertec

    (@esmertec)

    And so I solved my problem with security headers, and I remembered about this topic. Saw the notification letter in my email))

    When using your OWN host, with the HestiaCP site control panel, you need to do the following:
    In nginx.conf, delete the SSL PCI compliance section completely and write the following instead:

    # SSL PCI compliance
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        ssl_dhparam /etc/ssl/dhparam.pem;
        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM";
        ssl_ecdh_curve secp384r1;
        ssl_session_timeout  10m;
        ssl_buffer_size     1400;
        ssl_session_cache shared:SSL:10m;
        ssl_session_tickets off;
        ssl_stapling_verify on;
        resolver DNS1 DNS2 valid=300s ipv6=off;
        resolver_timeout    5s;
        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
        add_header X-Frame-Options SAMEORIGIN;
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header Expect-CT "max-age=7776000, enforce";
        add_header Referrer-Policy "no-referrer-when-downgrade";
        add_header Content-Security-Policy "upgrade-insecure-requests";

    In apache2.conf, in the “Global configuration” section, add the line Include conf-enabled/security.conf, then open the security config (/etc/apache2/conf-enabled/security.conf) and add these lines to the very end:

    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM
    # Requires Apache 2.4.36 & OpenSSL 1.1.1
    SSLProtocol -all +TLSv1.3 +TLSv1.2
    SSLOpenSSLConfCmd Curves X25519:secp521r1:secp384r1:prime256v1
    # Older versions
    # SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder On
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-XSS-Protection "1; mode=block"
    Header always set Expect-CT "max-age=7776000, enforce"
    Header always set Referrer-Policy "no-referrer-when-downgrade"
    Header always set Content-Security-Policy "upgrade-insecure-requests"
    # Requires Apache >= 2.4
    SSLCompression off
    SSLUseStapling on
    SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
    # Requires Apache >= 2.4.11
    SSLSessionTickets Off

    ATTENTION: for the header settings in Apache to work, you will need to enable headers_mod if you have not already done so. To enable it, enter this command in the console:
    # a2enmod headers

    Well, in the end, you need to make a change to the .htaccess file, although as far as I understand this was no longer necessary because changes were made at the server level, but still. Look for the <IfModule mod_headers.c> section; if it is not there, add it yourself, and specify in it the same parameters that were specified in the apache2 security configuration:

    <IfModule mod_headers.c>
        Header set Referrer-Policy "no-referrer-when-downgrade"
        Header set Strict-Transport-Security "max-age=63072000"
        Header set X-Frame-Options "SAMEORIGIN"
        Header set X-Content-Type-Options "nosniff"
        Header set X-XSS-Protection "1; mode=block"
        Header set Expect-CT "max-age=7776000, enforce"
        Header set Content-Security-Policy "upgrade-insecure-requests"
    </IfModule>

    Restart the nginx and apache2 services, and all headers will work fine!
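
One way to check the result of the configuration in the post above, added here as an example and not part of the original post: a small Python audit of a raw response header block (for instance the output of `curl -sSI`) against the header values the post configures. It also flags duplicates, which appear when the nginx proxy and the Apache backend both add the same header; the `SAMPLE` response is constructed, and the function names are this example's own.

```python
from collections import defaultdict

# Expected values, copied from the nginx/Apache configuration in the post.
EXPECTED = {
    "strict-transport-security": "max-age=63072000; includeSubDomains; preload",
    "x-frame-options": "SAMEORIGIN",
    "x-content-type-options": "nosniff",
    "x-xss-protection": "1; mode=block",
    "expect-ct": "max-age=7776000, enforce",
    "referrer-policy": "no-referrer-when-downgrade",
    "content-security-policy": "upgrade-insecure-requests",
}

# Constructed sample response (not captured from a real site).
SAMPLE = """\
HTTP/1.1 200 OK
Strict-Transport-Security: max-age=63072000
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Referrer-Policy: strict-origin-when-cross-origin
Content-Security-Policy: upgrade-insecure-requests
"""

def parse_headers(raw):
    """Map lowercase header name -> list of values, keeping repeats."""
    found = defaultdict(list)
    for line in raw.splitlines()[1:]:        # skip the status line
        if not line.strip():
            break                            # blank line ends the headers
        name, sep, value = line.partition(":")
        if sep:
            found[name.strip().lower()].append(value.strip())
    return found

def audit(raw):
    """Classify each expected header: ok, missing, duplicate or mismatch."""
    found, report = parse_headers(raw), {}
    for name, want in EXPECTED.items():
        values = found.get(name, [])
        if not values:
            report[name] = "missing"
        elif len(values) > 1:
            report[name] = "duplicate"
        else:
            report[name] = "ok" if values[0] == want else "mismatch"
    return report

print(audit(SAMPLE))
```
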

    Thread Starter Esmertec

    (@esmertec)

    Hi @markwolters!
    I use hestia cp, it runs apache2 – web server, nginx – reverse proxy server. In this control panel, there are some slightly strange rules: .htaccess does not accept header rules (the site crashes with a 500 error), so I had to add them to the configuration of apache2 itself. My site uses caching, so, unfortunately, the alternative method does not work…

    Thread Starter Esmertec

    (@esmertec)

    Hi @markwolters!
    I am a hosting provider as the web server is running on my pc. I have a suspicion that the rules still work, because the warning in WordPress says that the rules are missing in the file .htaccess. How do I check if the headers are doing the right thing?

    Thread Starter Esmertec

    (@esmertec)

    Hi @markwolters! The main nginx settings are on my server at /etc/nginx/nginx.conf, I added the server block to the http tag but the problem persists…
    my nginx.conf:

    http {
        server {
            add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
            add_header Content-Security-Policy upgrade-insecure-requests;
            add_header X-XSS-Protection "1; mode=block";
            add_header X-Content-Type-Options "nosniff";
            add_header Expect-CT 'enforce; max-age=7776000';
            add_header X-Frame-Options "SAMEORIGIN";
        }
    }

    I am using debian 10, maybe I need to install some additional module? I have installed nginx-extras only.

    Forum: Reviews
    In reply to: [Ban Hammer] Great plugin!
    Thread Starter Esmertec

    (@esmertec)

    ok, this is just a proposal from me, if it can be implemented in the future, it will be great, if not, then we will be content with what we have. Thanks again for the work done!

    Thread Starter Esmertec

    (@esmertec)

    Thx! A simple solution to the problem turned out to be, I’m happy! =)

    • This reply was modified 4 years ago by Esmertec.
    Thread Starter Esmertec

    (@esmertec)

    OK, I will contact mail.ru. The hosting has nothing to do with it, since I am the administrator of my own hosting. Emails from roundcube (the built-in mail server) are sent without problems. So, since the problem is not in the plugin, the issue is with the mail.ru server.

    Thread Starter Esmertec

    (@esmertec)

    Hi @rogierlankhorst,
    This is probably not a problem, but I have a separate server, the monitoring of which can work only on http, the easy ssl plugin converts absolutely all my links to https, which is why monitoring gives an error, because it simply does not work at https.

    I took your advice, and it helped me, but I hope in new versions of the plugin you will give the opportunity to add links through the building of the plugin itself, and not by editing the file functions.php

    function rsssl_exclude_http_url($html) {
      // Turn the rewritten https:// link back into http:// for the excluded URL.
      $html = str_replace("https://www.domain.com", "http://www.domain.com", $html);
      return $html;
    }
    add_filter("rsssl_fixer_output","rsssl_exclude_http_url");

    P.S. My monitoring uses the same domain as the main site, but on port 8000, so it does not cause problems with mixing ssl =)

    Thank you for your work and have a great day! I hope my wishes will still appear in future versions of your product
