Forum Replies Created

Viewing 15 replies - 1 through 15 (of 36 total)
  • Thread Starter gxxaxx

    (@gxxaxx)

    Admin user can login.
    We don’t have memberships on the site.

    Thread Starter gxxaxx

    (@gxxaxx)

    Thank you for the reply.
    I will look into also blocking xmlrpc.php
    Might help.

    FYI, I am currently using a limit on login attempts plugin and a security monitor.
    The whole .htaccess thing is an attempt to add an additional layer of protection.
    Thanks again.

    Thread Starter gxxaxx

    (@gxxaxx)

    bcworkz,

    Thanks for the reply. I will think about implementing the auth_cookie_valid. However, since I haven’t touched php for about 10 years not sure I want to jump into that puddle. No telling how deep it is. By the way I do appreciate how complete the hint was — giving the name of the server array and best practice for jumping ship with the wp_die. Thanks.

    From the sounds of your reply it seems that the password guessing that is happening on my site is not through the cookie mechanism.

    Does it seem like these password guessers are somehow getting around the .htaccess instructions? Or, is there some other mechanism for the password guessing?

    Thread Starter gxxaxx

    (@gxxaxx)

    Hello Cais,

    No I have not contacted Bitdefender on this issue. I have some previous history trying to report false positives. It usually ends up in an impasse.
    Claude: Yo guys, I have found a false positive recently. Can you have a look at it?
    Bitdefender: How do you know it is a false positive?
    Claude: I downloaded the plugin straight off the legit company’s repository.
    Bitdefender: How do you know they were not hacked or went to the darkside?

    That is not the exact transcript. But, you get the point. Way too much pushback from them. Especially since I don’t actually know that your repository wasn’t hacked. Been a little of that going around.

    I think this is something you’ll need to look into.

    Thread Starter gxxaxx

    (@gxxaxx)

    I just discovered that our plugin is working in Chrome but not Firefox. Will check on a few installations to see if this holds true on other computers.

    Thread Starter gxxaxx

    (@gxxaxx)

    On the support page: https://peadig.com/wordpress-plugins/facebook-comments/ the following code is indicated as being inserted into the document:

    <div id="fb-root"></div>
    <script>(function(d, s, id) {
    var js, fjs = d.getElementsByTagName(s)[0];
    if (d.getElementById(id)) {return;}
    js = d.createElement(s); js.id = id;
    js.src = "//connect.facebook.net/en_US/all.js#xfbml=1&appId=YOUR_APP_ID";
    fjs.parentNode.insertBefore(js, fjs);
    }(document, 'script', 'facebook-jssdk'));</script>ent.getElementById('fb-root').appendChild(e);
    }());
    </script>

    The actual code inserted on my site is:

    <script>
    (function(d, s, id) {
      var js, fjs = d.getElementsByTagName(s)[0];
      if (d.getElementById(id)) return;
      js = d.createElement(s); js.id = id;
      js.src = "//connect.facebook.net/en_US/sdk.js#xfbml=1&appId=145483842240169&version=v2.3";
      fjs.parentNode.insertBefore(js, fjs);
    }(document, 'script', 'facebook-jssdk'));
    </script>

    Seems like the extra </script> is a mistake in the support page.

    However, the missing ent.getElementById('fb-root').appendChild(e); looks like a good candidate for causing my comment section to be missing.

    Is this the deal? Or, perhaps there is something else entirely going on?

    In any case, I have exhausted the semi-useful poking and prodding I’m able to do.
    Hopefully better minds than I will have a clue.

    Thread Starter gxxaxx

    (@gxxaxx)

    The FB Object Debugger was complaining that I had two app_id
    Investigating I noted that Facebook Comments plugin was adding the following:
    <meta content="xxxxxxxxxxxxxxx" property="fb:app_id">
    with the correct id (not the xxx)

    But, Like & Send plugin adds the following lines to the header:
    <meta content="" property="fb:app_id">
    <meta content="" property="fb:admins">

    Disabling the Like & Send will remove those lines from the header.
    However, that does not fix the missing comments, they are still missing.

    Thread Starter gxxaxx

    (@gxxaxx)

    I’ll look forward to that.

    Don’t know about you, but that plugin makes me a little nervous. In the fact (which they strongly read before you get the 1.1 version of the reglevel plugin) they “strongly recommend you use the Role Manager plugin for WordPress.” Well, the Role Manager plugin has not been updated (at least on the sourceforge.net page linked to by reglevel) since WordPress 2.0
    Seems a little out of date.

    Thread Starter gxxaxx

    (@gxxaxx)

    Thanks for the alternate solution.
    That can definitely work.

    I suppose to round out the situation, it might be a good idea in the admin panel to not list the hidden fields with a checkbox to include in the form.

    You could test for hidden and just not put the checkbox and instead say something about hidden with a link to some help on what and why etc.

    At the moment, one is allowed to check the box indicating that you want a hidden field to show in the form…. and, well it can’t.

    Unless you want to intentionally tease the users ??

    Thread Starter gxxaxx

    (@gxxaxx)

    It was a text field. Last name actually.
    My fields are:
    email
    first
    last hidden, not required
    source hidden, not required

    But I think the code more or less demonstrates the issue.

    With a simple test on if (!$var['public']), the only controller for display not being none is to use the visible and not-visible attribute. At least that is what it looks like to me.

    The option is not being considered at this point. So near as I could tell the option was having no control. Of course I could be misreading the nature of $var['public']. I thought it was only controlled by the database definition and not wordpress options.

    Thread Starter gxxaxx

    (@gxxaxx)

    How soon do you expect your next release?
    We look forward to a better version and would like to know if we can afford to wait, or perhaps we must find something else.

    Thread Starter gxxaxx

    (@gxxaxx)

    To finish off the mailchimp hack I added the following to my functions.php

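    function mailchimpSF_signup_form_hiddenvars($atts) {
    	// Merge the supplied attributes with defaults instead of using extract().
    	$atts = shortcode_atts( array( 'hname' => '', 'hvalue' => '', 'content' => '' ), $atts );
    	if ( $atts['hname'] === '' ) {
    		// No field name given: output nothing.
    		return '';
    	}
    	$hname = strtoupper( $atts['hname'] );
    	// Escape both values before placing them in HTML attributes.
    	return '<input type="hidden" name="mc_mv_' . esc_attr( $hname ) . '" value="' . esc_attr( $atts['hvalue'] ) . '" />' . "\n";
    }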

    This code is personalized to my installation. Others may want to use different parameter names and value names.

    The shortcode I use looks like the following:

    [mailchimpsf_form hname="susource" hvalue="ebook"]

    The ‘susource’ must be set up in your list — through the mailchimp gui.

    I’m sure that some folks with more experience with wp could hack together a better solution. I was in a tight spot and this works for the moment. Hopefully with a little open community attitude we can get this worked out so that it’s possible to customize the hidden vars in a mailchimp signup form on wordpress. It is a trivial 1 line change in standard html. But on wordpress this was the solution that worked for me.

    Hope it is of use to others. And maybe something along these lines gets incorporated in a future release of the plugin.

    Thread Starter gxxaxx

    (@gxxaxx)

    To continue the hack to make the hidden vars work I modified mailchimp_widget.php

    On or about line 55 after the mcsf_action line I added the following:

    <input type="hidden" name="mcsf_action" value="mc_submit_signup_form" />
    <?php
    	if ( function_exists( 'mailchimpSF_signup_form_hiddenvars' ) ) {
    		echo mailchimpSF_signup_form_hiddenvars($args);
    	}
    ?>
    <?php wp_nonce_field('mc_submit_signup_form', '_mc_submit_signup_form_nonce', false); ?>
    Thread Starter gxxaxx

    (@gxxaxx)

    Fixed.
    Sorry for any confusion.

    Turns out this was my introduction to a feature of TwentyTen that I just didn’t know about. I’d been using Auto Post Thumbnail for awhile with no trouble. Because all of my thumbs were less than 940 wide.

    This one image was wider than 940, thus the custom header option of TwentyTen finally kicked in.

    Made the thumb smaller than 940, so now it does not show. Later I will find a more elegant fix — such as child theme.
