Forum Replies Created

Viewing 15 replies - 1 through 15 (of 269 total)
  • @harryfear scroll back a few comments — your answer is there!

    For the sake of completeness, here you can read a bit more about the issue:

    https://www.cve.org/CVERecord?id=CVE-2024-33629

    https://patchstack.com/database/vulnerability/auto-post-thumbnail/wordpress-auto-featured-image-auto-post-thumbnail-plugin-4-0-0-server-side-request-forgery-ssrf-vulnerability

    and, of course, from Wordfence themselves:

    https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/auto-post-thumbnail-2/auto-featured-image-auto-post-thumbnail-400-authenticated-author-server-side-request-forgery

    It’s unlikely that this vulnerability can be successfully exploited — it’s therefore relatively low-risk. Nevertheless, there is a vulnerability, which most definitely should be patched & fixed ASAP.

    Whoops… that’s what happens when taking too much time to answer hehe…

    @pierrelannoy thanks so much for the almost-instant-reply!

    I can also confirm that 3.8.3 is working again on both websites I mentioned a bit ago.

    However….

    Interestingly, I cannot seem to be able to activate them from the CLI!

    $ wp plugin activate apcu-manager --skip-plugins
    Fatal error: Declaration of DecaLog\EventsLogger::emergency(Stringable|string $message, array $context = []): void must be compatible with Psr\Log\LoggerInterface::emergency($message, array $context = []) in [...REDACTED PATH...]/wp-content/plugins/apcu-manager/includes/libraries/decalog-sdk/EventsLogger.php on line 325

    (Plugin remains inactive)

    But there is no problem whatsoever activating it from the WP Dashboard, so I guess it’s fine!


    All right, a little more information from what I can see in my case…

    I’ve got a client hosting on Bluehost. The errors I get are quite similar to what @zanduino posted, so I won’t repeat them.

    There are just two sites there, both of them using APCu Manager, both also set to auto-upgrade (for almost all, if not all plugins).

    As soon as the auto-upgrade facility kicked in (not necessarily at the same time, mind you) — around 04-May-2024, 18:13:57 to 18:23:30 UTC — the site(s) started throwing the error as reported. Note that in my case it didn’t merely affect the Dashboard; the whole site was knocked down, with a message being displayed saying that there had been a critical error.

    Fortunately, Bluehost includes the CLI utility wp, so I proceeded to deactivate and then delete APCu Manager:

    wp plugin deactivate apcu-manager --skip-plugins
    wp plugin delete apcu-manager --skip-plugins
    wp cache flush --skip-plugins

    Note the need to include the --skip-plugins option, or else APCu Manager’s fatal error will also affect the CLI, and it won’t work.

    Also note that merely deactivating the plugin was not enough. This is because apparently APCu Manager adds a few extra hooks to clean the cache, a few wp-cron entries, etc., and these need to be removed as well. Of course, if the plugin crashes with a fatal error, it is not able to clean up after itself. Forcing its deletion is the only way of getting it to work again.

    Obviously, this also means that everything will become a tad slower…

    I’m not quite sure what exactly is happening. The error being thrown is Uncaught Error: Undefined constant "DecaLog\DECALOG_VERSION". A quick search on Google showed that DecaLog is one facility used by WordPress itself to do some of its own logging as well.

    My theory, therefore, was if I placed a ‘fake’ entry on wp-config.php like this:

    define( 'DECALOG_VERSION', '1.0' );

    then at least I would avoid a fatal error — I’d still get other errors for sure (e.g., ‘wrong version’), but I might at least try to understand things better.

    No such luck — creating a ‘fake’ DecaLog version just gets a new fatal error:

    PHP Fatal error:  Declaration of DecaLog\EventsLogger::emergency(Stringable|string $message, array $context = []): void must be compatible with Psr\Log\LoggerInterface::emergency($message, array $context = []) in /[PATH-REDACTED]/wp-content/plugins/apcu-manager/includes/libraries/decalog-sdk/EventsLogger.php on line 325

    At this point, it was clear to me that further debugging would require much more time than I have available.

    But, who knows, maybe this can give the APCu Manager plugin developers some clues on what’s wrong…

    I’ll gladly submit a more detailed list of my configuration on both these sites, if needed for debugging. But from the earlier comments it seems that a vast variety of different setups are giving the same error as well, so I would think that the environment itself is very likely not the culprit (for what it’s worth, that server is running PHP 8.3.6 on Apache).

    Thread Starter Gwyneth Llewelyn

    (@gwynethllewelyn)

    Hi @elviiso,

    Firstly, let me thank you for your quick reply (my apologies that mine took some time to write)! I’ve read that FooPlugins had outstanding support, and now I understand why!

    Regarding my own question… just to let you know, I did read your documentation as thoroughly as I could (I can’t promise to have read everything!) before asking here. I totally agree with you that, for new users, whatever they’re using, it’s always best to read first, ask later. Not only might you get an answer to your questions much more quickly, but you will get a good feeling for what the tool/software/plugin can and cannot do.

    My question was thus to mostly clarify some more obscure issues on what I’ve read in your documentation. For instance, I saw that albums essentially only supported two ‘templates’, so to speak. However, that’s from the web UI. What about shortcodes? There is a lot going on with your shortcodes (never neglect them in favour of the fancier and possibly-more-easy-to-use but not necessarily more complete Gutenberg blocks or widgets), and so I did a few experiments first. Since I was unable to replicate what I wanted — a single-slide album — that’s when I stumbled upon my limited knowledge and felt I’d ask around.

    But that’s ok. It’s more important, at this stage, to understand what is implemented and what is not. This just means a rethinking of some aspects to work around the limitations — knowing in advance what can and cannot be done is quite useful for that! — instead of grumbling about a “missing feature”. There will always be “missing features” on an off-the-shelf solution. That does not mean that the solution is a deal-breaker! It just means thinking a bit more on how to accomplish a task with the set of tools given to you.

    Thanks for the tip for Lazy Loading, but here I just have to add a small warning. There are a few ways to accomplish image lazy loading, and they have been around for a few years. While it goes without saying that you always should have at least one way of doing lazy loading or deferred loading or async loading (however it’s called), there may happen some unwarranted side-effects if you attempt to use multiple tools simultaneously. In particular, in my experience, if you use Jetpack to store images on Automattic’s Site Accelerator CDN (formerly known as “Photon”), and turn Jetpack’s lazy loading feature on (because, well, you should), then you might encounter some issues with other caching/lazy-loading plugins — from the most common cases, such as replacing the image version with a newer one, which then ‘never’ shows up (the old version is deeply buried under several layers of cache), to the more hard-to-debug ones, such as images only appearing correctly on some devices/browsers/screen resolutions but not on others.

    As such, I tend to favour a single way of dealing with lazy-loading — even if not necessarily the best one! — while keeping all the others turned off by default; and then, one by one, I turn them on and thoroughly test to see if everything is fine (currently, the site which you might have taken a look at has four levels of lazy loading, including the one provided by FooGallery, which might be overkill — not to mention the triple layer of caching plus browser caching — but so long as everything keeps working, I’m happy to push things to the limit…).

    Anyway, it’s worth experimenting a bit, and I think I’ll try the old, clunky, retro Jetpack single-image slideshow, and just give it some CSS love. It has all the possible disadvantages you can think of, except for one: it does not require all the images to be loaded, or pre-loaded, but just gets a handful of them, and that does make a considerable difference — lazy-loading or not! (I just miss the ability of clicking on an image to get the lightbox.)

    Your URL certainly looks strange to me…

    I’d say you could do it at the web server configuration, i.e. let it check for well-known extensions for static assets and inject the proper headers. That way, it’ll be done at a layer closer to Cloudflare and not at the PHP/WordPress layer.

    In theory you can also do the same at the Cloudflare level itself, with some cleverly concocted page rules. This might be a better option if you have no access to your web server’s configuration but are free to tweak with Cloudflare.

    An issue has been opened on GitHub for this error message.

    Where do you see in your logs the ‘Redis Object Inaccessible’ message? All I can see is an error on the all-in-one-seo-pack-pro plugin related to an undefined property in class stdClass (namely, $icons).

    Also, unless you have deliberately redacted the logs posted here, besides what @tillkruess already pointed out (you’re including the same .so modules more than once, which is a Bad Thing — who knows if PHP is actually loading the correct ones?), that referrer starting with https://.com is highly suspicious.

    @techiebraj I’m sorry if I appear to be rude, too, but your attitude confuses me a bit…

    1. You claim (several times, in fact) not to understand much of ‘coding’, and, despite your nickname, it’s clear you understand very little about anything else that requires WordPress to run. None of that is an issue, of course, but you have to understand that Redis Cache is a very advanced plugin which does require quite a bit of expertise to correctly set up and maintain. There are warnings by @tillkruess regarding the required level of expertise needed to successfully operate Redis Cache everywhere. Nevertheless, you insist(ed) on using the plugin. It’s within your rights — but don’t expect that any level of support you may receive is enough, in a few lines, to be able to overcome a lack of knowledge that requires years to accumulate! Please respect those that did take the trouble of accumulating all that necessary knowledge — and at least accept that some things are simply way too hard to explain in an easy-to-understand way, for anyone who lacks the required background.
      Technical support is not the same as getting a university education in IT and computer science! Placing such high demands on anyone giving tech support is highly unrealistic (and self-delusional, since you will never get that kind of support, no matter how much you pay for it).
    2. While you acknowledge the existence of a paid version of the plugin, which you assume will give you a higher level of support, you nevertheless judge @tillkruess by the kind of support he gives for free. Now that is mostly unfair — you can’t expect, much less demand, that something gotten for free is at the same quality level as a paid service. If it were so, why would you bother about paying for something you get for free? Unless you think that “paid support” is the same as “free support”, just faster? Well, if that’s the case, that’s your own assumption; however, don’t expect this to be true just because “you want it to be so”. It’s up to the plugin developer to establish what kind of support you get for free, and what you get for the paid version — not up to you.
      Instead, you should judge how accurate are the answers you do get from free tech support. And taking into account that this thread is 2 pages long, and that @tillkruess has not left any of your questions unanswered, and even provided alternative sources for answers, what more do you expect?
      To be 100% honest with you, and of course your mileage may vary, in my experience, I have gotten far worse answers on paid tech support for many other services. You might argue that I should change providers in that case. That’s true, I should — if we lived in a perfect market where all providers and their services had plenty of competitors to choose from. Sometimes you don’t have that choice, so you’re stuck with whomever provides the service you need.
      All of that is irrelevant to the discussion, though. @tillkruess establishes the precise terms under which he provides support, for free or for a fee. The only thing I can say is that the free support, compared to most paid support, is actually well above average — even if it seems that you think otherwise.
    3. Thus, such claims as:
      “I was trying to solve issues related to this plugin and wanted more detailed reply instead of one-line answer without a proper explanation.”
      are really unfair. You got way more detailed replies — via links to whole pages explaining what you wanted to know. In different ways. And you got such answers quite often. So, one might wonder:
      • Did you really read all the documentation that @tillkruess gave?
      • Did you understand that documentation? (If not, why do you persist in using a plugin that requires deep technical know-how to install and maintain?)
      • … or you basically ignored it all, expecting a long and detailed explanation here on the support forums perfectly tailored for your specific needs — all of that for free?

    So, you do not only expect tech support for this plugin to explain how it works, but you even expect the plugin maintainer to teach you how to operate complex subsystems of your operating system, far beyond the scope of this plugin or even WordPress itself. Here is an example:

    ‘What do you mean by “Monitoring Redis server”? How to do that & fix the timeout error?’

    If you don’t even know how to monitor a Redis server — which, granted, is not an easy beast to properly manage — why would you expect that you could “get away” with installing this plugin and get everything working flawlessly from scratch?

    You’re essentially saying, “I don’t know how to pilot a commercial aircraft, but I have a motorbike driver’s license. Please explain me in detail how to operate this airplane by providing me the necessary instructions”.

    Or perhaps even: “Look, I never did brain surgery, and I’m not even a doctor, but I know how to skin chickens and to cook them. All I need is a few pointers to detailed information on how to remove this tumour from my daughter’s brain, and I should be able to do that.” — and then complain that you don’t get “adequate tech support”.

    You might argue that this is not the same — and it isn’t, since, at least, nobody’s life is at risk if your WordPress installation doesn’t work — but the level of requirements is at a similar order of magnitude.

    It is said that, on average, humans take around 10,000 hours of training to become qualified in their job. This is a reason why so many things — from university degrees to flying commercial airplanes, but also meditation! — require that amount of time. It’s not a simple coincidence, nor is it something “we just discovered recently”; while individuals may take longer (or much less) than the average, one might wonder — how much time did you spend in learning operating systems, their services, and how to configure and maintain them, in order to provide the application level with flawless performance in any circumstance?

    Yet you expect that, with a few exchanges of messages on a public forum, you can skip those thousands of hours of accumulated knowledge, if you only get the right answer.

    There is no such thing. There is no “magic pill” that will fix everything you need, merely by pressing the right button or clicking the right link. No amount of information given here on the forums — or even on the paid tech support! — will be able to do that.

    Why do you seem to expect otherwise?

    Finally, there is a reason why I bother to write these paragraphs. I have absolutely no connection to either @tillkruess, his company/organisation, or WordPress, or anything relevant to this. I’m just a happy user of this particular plugin, and I’m aware it’s not that easy to use. I’ve been using WordPress for around 20 years and maintaining my own server(s) to support WordPress websites (among many other things, of course); nevertheless, a tiny misconfiguration on Redis Object Cache was enough to get all my sites down. It was all my fault for having skipped one essential line of information, which was clearly written on the plugin documentation. But which I had ignored. Therefore, I had to suffer the consequences.

    Was it the plugin’s fault — or @tillkruess’s? No, neither. The information was there. I just skipped it. I got what I deserved. It was a very simple and basic fix, mind you, but that’s because I do consider myself to be reasonably experienced in this kind of thing (especially in dealing quickly and effectively with “emergencies” — servers and sites being unexpectedly down and requiring immediate attention).

    I’m also quite willing to learn from my own stupid mistakes, and admit that my knowledge is not infinite, so that I’m always learning something new every day. Getting Redis Object Cache working on two dozen sites at the same time was a challenge for me — and I didn’t get it right the first time, but quickly learned why.

    And I didn’t repeat my silly mistake on subsequent installations of this plugin in other sites (I might have committed more mistakes instead, but this is just me — I never claimed to be good at doing what I do, just that I have experience doing so, which is often considered the same thing, but it’s not). But that’s because I do have an open mind and a willingness to learn new things — instead of complaining if those “new things” don’t work like I want them to work and blaming others for my lack of knowledge and experience, when all it takes is to be willing to learn to correct my own mistakes. Which is not the same as refusing to ask for help — because someone else’s insights might just be the “missing link” to get me pointed correctly towards a solution!

    That being said, your attitude is not merely “gross”, as @tillkruess mentioned. It reeks of trolling — for whatever reason. You have pushed the plugin developer along a route that was inevitably leading to a conclusion — that you would not use this plugin — and pretended that all of that was due to the developer’s “lack of reply”, when this long discussion thread clearly shows otherwise. If you needed that long thread of discussion to justify to your own bosses why you’re not using this plugin, or because you are actually promoting a different plugin and needed some artificially-constructed “proof” about why your solution is superior to Redis Object Cache, well — we cannot know, can we?

    All we can know is that you’ve wasted the developer’s precious time with a lot of questions but had no real intention of reading (or following through) the answers. That’s unfair to all other users, who might really have questions with the plugin and really want to use it, they just need a gentle hint in the right direction. It’s also unfair to paying users (disclaimer: I’m not one of them!) who might feel that @tillkruess is spending way too much time giving precious tech support to someone who doesn’t really wish to use this plugin at all — while they are paid customers and expect @tillkruess to be more available to them (this is just pure conjecture, since, as a free user, I don’t know the precise terms of the agreement between the developer and the paid users, and have no way of claiming anything regarding the expected level of tech support availability on a paid plan).

    In other kinds of support forums, @techiebraj, the way you conducted yourself from the very beginning would be seriously considered an elaborate form of trolling, and, as such, deemed to be against the Community Standards — leading to some degree of restrictions (at least temporarily) in participating in these free forums, mostly to give you some time to read more about how they work and what is reasonable to expect from them.

    But I also believe that online communications, especially if it’s not made in your native language (which I can assume to be the case of us three!), are prone to misunderstandings and wrong assumptions about the true reasons why someone wrote something in that way. As such, since those ambiguous messages might be a genuine lack of fluency in the language, conveying the wrong intention behind them, I tend to be lenient and mostly ignore them — unless the perpetrator seems to persist in their intention, even when having been warned.

    You got fair warning from @tillkruess — you’re coming out as rude, and if that’s not your intention, I’m sorry, but that’s how it looks to us. And we have no real reason to believe otherwise, since you didn’t show any willingness to change your behaviour, but consistently persist in demanding “better” tech support for free (or even paid for!) when it’s quite clear, from your own answers, that you haven’t got the required level of know-how to operate this plugin in your own environment, and have no intention (or ability!) to do so. These are all hallmarks of certain types of trolling — and if you’re not deliberately or consciously doing that, let this be a fair and honest warning: be careful in the way you type things, because you’re just giving others the perception that the only reason you have to continue to post pleas for help in this support forum is for trolling.

    Again, I apologise if I also come out rude to you. Please consider everything you’ve asked for on this thread, the answers you got, the way you made certain demands and placed the burden to meet those demands on the developer — and then try to apply some detachment and ask yourself: “what would a third party make of this conversation?”

    That being said — enjoy the LiteSpeed plugin. After all, it’s an all-in-one optimisation plugin, which might even be used with its own CDN, and Redis support is just one of the many local resources that it can leverage in order to achieve faster rendering speeds…


    I’m glad you’ve fixed things on your own site, but… would you care to share your solution with the community?

    If that is a problem, I have it, too; it has been like that for a long, long time now… to the point where I cannot be sure if it’s a bug or actually expected behaviour, also known as “a feature”.

    @yogieanamcara I’d love to know what you’ve discovered as an alternative! I like Multisite Enhancements a lot, but, like all of you, I also have a bit of concern about the lack of more recent versions…

    I blame it all on Wordfence, which is so keen to report on the tiniest things that may be wrong!


    Thanks for looking into it, @vupdraft. I see that this change made it into version 1.23.8, so everything should be fine now!

    Thank you for the detailed instructions! I was slightly worried due to the alert of my security plugin (Wordfence) which flagged WP Data Access version 5.3.9 as being affected by a vulnerability — but also said that 5.3.11 had fixed it. The only question remaining was… well, why didn’t the auto-update work? Why can’t I even force a manual update, and why do none of the other plugin/system daemons (I have many, checking for those things…) find an upgrade — when it’s clear, from the WP plugin page, that there is a new version. Baffling!

    Your thorough instructions, however, did the trick of upgrading flawlessly to this latest version — without any loss of data whatsoever. Whew! Thanks for the great support!
