Forum Replies Created

Viewing 15 replies - 1 through 15 (of 42 total)
  • Thread Starter XyZed

    (@xyzed)

    Many thanks. I’ve since found out that the plugin concerned, “retrieves your website URL using the WordPress function get_site_url(),”

    Is that editable?

    Thread Starter XyZed

    (@xyzed)

    Thanks for your reply. I didn’t mean I don’t know anything about the .htaccess file, I meant that the “check your htaccess file” was very vague. As I mentioned in my last post, I don’t think there is anything wrong with my wordpress installation at all, because it does the same on 3 separate installations, and it also does the same on this very WordPress website.

    So my question has evolved into, why doesn’t wordpress direct any requests for the index.php file in the sub folder over to the home page instead of creating a 404?

    Thread Starter XyZed

    (@xyzed)

    I’ve just checked the following url https://www.ads-software.com/wordpress/ and that too generates a page not found error. So presumably this is not a fault and “normal?”

    But apart from wondering why my SEO tool has told me it’s a broken link I’m wondering why such urls don’t just open home page?

    Thread Starter XyZed

    (@xyzed)

    Thanks, though I do not know which .htaccess (root or wordpress folder) or what to look for.

    Am I even right that my_site_url/wordpress/ should redirect to the home page? I have 3 separate websites with wordpress installed in wordpress folders and it’s the same with all 3.

    I would expect that my_site_url/wordpress/ would try to open my_site_url/wordpress/index.php and that the index.php file in the wordpress folder would redirect to the home page?

    • This reply was modified 1 year ago by XyZed.
    Thread Starter XyZed

    (@xyzed)

    Many thanks for your replies. I have /%postname%/ selected.

    I also have – WordPress Address (URL) https://www.whitegoodshelp.co.uk/wordpress
    Site Address (URL) https://www.whitegoodshelp.co.uk

    The site has been up over 10 years, and if I add the /wordpress/ folder to any of the URLs they still go to the page, and the /wordpress/ is automatically stripped out, which shows the redirects are working.

    It’s just if I add the /wordpress/ to the end of my site url it generates a page not found. I would expect that the index file in there should direct it to the home page?

    Thread Starter XyZed

    (@xyzed)

    Hi Joshua. Thank you for your reply. My site health page reports that my site is using PHP version 7.4.33. Also, the multitude of errors that I was getting from my theme when on version 8* have ceased. So it’s pretty safe to assume PHP version 7.4.33 is running okay.

    I decided to change the Wordfence scan settings from the default, “let Wordfence decide the best time”, to manual. I set it to 1 scan per day (which I assume is all that is needed?) And moved the time from 1 AM to 2 AM.

    This morning I checked the error logs and there were no further additions. I will monitor it over the next couple of days, but it does appear as if for some reason something was happening at 1 AM that interfered with the scan. Albeit that the scan appeared to complete very quickly afterwards anyway. However, I do not like entries in my PHP error log and would prefer no errors at all.

    I’ll report back if anything changes, but for now it does appear as if I have solved the problem.

    Thread Starter XyZed

    (@xyzed)

    Thanks George. I think I’ll leave things as they are then. Life’s complicated enough.

    I am very disappointed with Wordfence because despite them also telling me that this is a very minor issue needing multiple events and highly unlikely to affect me, they still flag this issue as a critical issue in their scan. Their scan still recommends that I totally uninstall TablePress until a patch is released.

    This is demonstrably alarmist, and poor advice considering that they have conceded to several different people that it is not a critical issue. So of course this damages Wordfence’s reputation for me. How do I know that they are not issuing alarmist warnings about other issues?

    I put it to them that I would expect them to be using their own discretion, and their own judgement about this type of issue. Even the original database report that they are using only describes the issue as medium. However I didn’t receive a reply.

    Of course I do not object to them flagging the issue. On the contrary I expect them to. I just object to them flagging it as critical and advising me to uninstall the plug-in when they could easily have flagged it as minor and explained the exploit themselves.

    • This reply was modified 2 years, 4 months ago by XyZed.

    Thanks Mike. I know there isn’t, I should have phrased it better. I meant, what are “they” claiming is the theoretical vulnerability? Thanks for a clear explanation, which has helped me understand it properly. It’s as Tobias said, there’s no vulnerability that isn’t present on wordpress. In other words, anyone gaining unauthorised admin access to a website could add malicious code anywhere. And if they did insert malicious code into a table, it couldn’t cause any trouble unless a user carried out the steps you listed.

    On all of my pages, there is no way for anyone to export my table as an option. Does this option exist in the plugin? In other words, if I found a setting in Tablepress could I enable an option for visitors to export my table? If so, I wonder how many users need to do that, and couldn’t it be disabled to solve the problem?

    Thanks Tobias. I’m puzzled as to why Excel is involved. I thought all the plugin does is display tables on web pages. How, for example, are they saying there is a vulnerability in my table on this page?
    https://www.whitegoodshelp.co.uk/washing-machine-spin-speed-efficiency/

    BTW, apart from the principle of it, is there anything you could change to “fix” the issue, which sounds like it would be the easiest solution? Or are you saying that any plugin doing the same job would have the same issue because of the way WordPress works?

    That’s great Tobias. I was about to recommend you did that as talking with Wordfence it became obvious that they will flag anything that appears in that database so it’s them you need to deal with.

    @tobiasbg It sounds like it was just an honest mistake. The rules that were given as the reason for deleting are referring to people who “have the same problem! Can I just reply to someone else’s post with ‘Me too’?”

    It describes how because everybody’s system is different, with a different set of plug-ins to potentially clash, people should create their own thread. I fully understand this, and it makes sense. However, this was not the case here because the problem that we were all posting about was exactly the same problem. We all have different systems, but regardless of what systems we had, we were all being told by Wordfence that we should delete TablePress.

    So I’m assuming that the moderator acted in good faith and did what is normal for this forum, but in reality this was an exception.

    Many thanks Tobias. I very much appreciate your response. Of all the threads concerning the subject, that was the most relevant and contained the most useful and helpful information. I’ve been posting on forums since about 2000, I’m just not used to having anything deleted like that. At the very least, if a moderator felt it necessary to delete comments that were not abusive or blatant spam they should email, or post an explanation.

    I very much appreciate your plug-in, and I expect I’m sure you’ve felt many times that maybe it’s more trouble than it’s worth. Myself and the others whose posts were deleted were on your side and only trying to help so it was quite a shock this morning to see the thread closed and comments deleted.

    I am still in communication with Wordfence. However, despite replying to me several times they have refused to answer the following questions –

    1: If (as they have conceded in an email to myself and one other guy whose post about it was deleted) TablePress does not represent a critical vulnerability that should result in it being immediately deleted – why when I did a scan this morning is WordPress still reporting it as a critical vulnerability?

    2: If there is still a theoretical vulnerability, that Wordfence refuses to withdraw, why was I only notified about it yesterday when I’ve been using the plug-in for over 3 years, and the report you are flagging is 3 years old?

    3: The author of the plug-in has stated that there is nothing inherently wrong with the plug-in, and anyone in a position to abuse the plug-in could carry out the exact same abuse virtually anywhere and on any page. I have asked them twice now if this is correct and so far no reply.

    Once again thank you for your clarification, which has restored my confidence.

    Hi. I’m concerned that one of the threads discussing this Wordfence critical warning (“WordFence Alerts Critical for Vulenrability”), that I, and several others had contributed to, seems to have been censored, and closed to new replies.

    This is despite it only containing helpful and supportive replies from myself and others. All my contributions have been deleted. Why is this? Is this not highly unusual and against the spirit of open forums?

    There was nothing abusive or critical about any of the posts. There were just posts by concerned users and supporters of TablePress. I am still communicating with WordFence about this issue, and still supporting the author. But deleting these posts and closing the thread has led me to wonder if there is anything to hide? And quite honestly has struck a blow to my confidence in TablePress.

    • This reply was modified 2 years, 5 months ago by XyZed.