Forum Replies Created

Viewing 4 replies - 1 through 4 (of 4 total)
  • Thread Starter themarkpiatt

    (@themarkpiatt)

    OK, as an update, it is not as big a deal as I thought. The problem seems to only be occurring in the Opera browser. That is the browser I have set up for anonymous browsing. After checking in Chrome, Firefox, and Edge, it's working as intended, so I am not worried about it. More of an FYI I guess.

    Thread Starter themarkpiatt

    (@themarkpiatt)

    OK, I have found the culprit, it's a plugin conflict, specifically with perfmatters.

    In perfmatters, under the Assets tab, having script manager turned on breaks WP Armour.

    If you are not familiar with perfmatters, script manager “Gives you the ability to disable CSS and JS files on a page by page basis.”

    Not sure why enabling that breaks WP Armour.

    Under this same section, I also have the following turned on for the whole web site:

    Defer javascript, Include Jquery, Delay javascript, Remove unused CSS.

    As long as I don’t turn on Script Manager, WP Armour works. Now I need to see if turning Script Manager off breaks anything. So I have a bit of testing to still do. Since I am not disabling CSS or JS on individual pages, I don’t think having this feature turned off will break anything, but you never know.

    I am wondering, what are the JS or CSS files that WP Armour is using? I could try to exclude those from being deferred, delayed, or removed. Maybe that will fix the issue.

    Thread Starter themarkpiatt

    (@themarkpiatt)

    I stopped using DUO to get around the issue but discovered that this issue is not just affecting DUO, but it is also preventing anyone from commenting on a blog article (including myself).

    I just purchased WP Armour Extended thinking that maybe that will fix the problem, but it didn’t.

    When I check the spammer IP tab, it has my IP address listed in there. I have tried from multiple devices, but they all get blocked.

    I have even whitelisted my IP address, but WP Armour still blocks it.

    Another thing that is interesting, it doesn’t affect the support email that users can communicate with me.

    I guess the next thing I will try is setting up a staging site and seeing if another plugin is interfering.

    So for now, I am keeping it disabled and dealing with the spam. I have some other options for dealing with spam that I have used in the past (creating my own honeypot field and Google's slow option), but WP Armour is the most elegant solution that I had found.

    I consider this a non-issue.

    If an administrative account has been compromised, you have a bigger problem than someone injecting dangerous code into a table, hope the CSV gets exported by an admin, and hope someone (a site admin) then loads that file into Excel and hope they allow the code to be run.

    I was concerned when I first received the notification but when I read the reason, I knew it shouldn’t be a concern. And now thanks to Tobias and his explanations, it's exactly as I suspected.

    Thank you Tobias for your quick handling of the situation.
    To fix the “non-problem” would mean to break much of the functionality of TablePress.

    I personally have not used formulas in my tables, but I may at some point. I am the only site admin for my site so the only way dangerous code would get in there is if my site is hacked. Since I have never exported the tables, I will never run the dangerous code.

    If my site is hacked, I would become aware of that issue from other means, not from exporting a bad CSV file.
    Mark
