BikeGremlin I/O NEWS

Status
Not open for further replies.
As the title says - the latest news, info, and updates.



Comments are disabled for this thread, since the idea is to allow you to follow this and get updates with news only.

You can use other existing forum sections to comment stuff, including the news & info posted here.

At the time of writing, 2023, October 16th, the latest BikeGremlin news up to date has been published on:
io.bikegremlin.com/newsletter/

From now on, any further news updates will be posted as replies to this thread.

You can register a BikeGremlin forum account and subscribe to this thread to get email notifications about any new news. :)
 

WooCommerce database format finally fixed



Anyone running a larger WooCommerce shop knows the amount of custom... well, "fiddling" is the right word, needed to keep it running smoothly.

With WordPress' blogging roots, it was built to use posts database entries for the products as well. For years, this has been the Achilles' heel of WooCommerce as a web-shop platform.

Now, in October 2023, WooCommerce has introduced the "High-Performance Order Storage" or HPOS (IT people just love acronyms 🙃 ).

This creates new database tables (with their own indexes) for storing the order information. WooCommerce is now performant and scalable (for huge shops) out-of-the-box.

In my experience with a few existing shops, the update to the new system went smoothly.

Some more details about this can be found on the WooCommerce blog:
https://woocommerce.com/posts/platform-update-high-performance-order-storage-for-woocommerce/
 

New website favicon policy by Google

According to Google's latest documentation, it is no longer enough to just upload a favicon to your website's root directory.

Now, you must place an invisible link to your favicon's .ico file in your home page's header. Here's an example of what that link looks like for this forum:

Code:
<link rel="icon" href="https://www.bikegremlin.net/favicon.ico">

The path to the favicon file can be either absolute or relative. Here's an example of a relative path, with the favicon file named "favicon.ico" and placed in the website's root directory:

Code:
<link rel="icon" href="/favicon.ico">

The general criteria for the favicon file (resolution, format etc.) haven't changed.

The relevant link:

https://developers.google.com/search/docs/appearance/favicon-in-search

Update 2024:
I wrote a brief tutorial:
How to add favicon link to the WordPress header?

Relja
 
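Since the new requirement is that the link tag sits in the page's head section, a quick way to verify a site after the change is to parse the home page and confirm a <link rel="icon"> is present there, then resolve the href (absolute or relative) to the full URL a crawler would fetch. The following is an added example, not code from the forum post or from Google's documentation; it uses only the Python standard library, and the HTML it parses is constructed inline (a real check would fetch the live home page instead).

```python
"""Check that a page's <head> declares a favicon link and resolve its URL.

Added example (not from the forum post). Standard library only; the HTML
below is constructed for the demonstration, not fetched from any site.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed sample of a home page: one icon link in <head>, and one in
# <body> that should be ignored because it is not in the head section.
SAMPLE_HTML = """<!doctype html>
<html><head>
<meta charset="utf-8">
<title>Example forum</title>
<link rel="stylesheet" href="/style.css">
<link rel="icon" href="/favicon.ico">
</head><body>
<link rel="icon" href="/ignored.ico">
</body></html>"""


class FaviconLinkFinder(HTMLParser):
    """Collect href values of <link rel="icon"> tags found inside <head>."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
            return
        if tag != "link" or not self.in_head:
            return
        a = dict(attrs)
        # rel is a space-separated token list; "shortcut icon" also counts.
        rel = (a.get("rel") or "").lower().split()
        if "icon" in rel and a.get("href"):
            self.hrefs.append(a["href"])

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def find_favicon(html, page_url):
    """Return the absolute URL of the first favicon link in <head>, or None."""
    parser = FaviconLinkFinder()
    parser.feed(html)
    parser.close()
    if not parser.hrefs:
        return None
    # A relative href such as "/favicon.ico" is resolved against the page
    # URL; an absolute href is returned unchanged.
    return urljoin(page_url, parser.hrefs[0])


if __name__ == "__main__":
    # "https://www.example.test/" is a placeholder page URL.
    print(find_favicon(SAMPLE_HTML, "https://www.example.test/"))
```

Run it against the HTML of your own home page (for example the response body from urllib.request) and compare the returned URL with the file you actually uploaded; a None result means the link tag is missing from the head section.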

Cloudflare problems

Cloudflare service is having some problems at the moment.

A huge number of websites use Cloudflare's proxy, DNS and CDN - including BikeGremlin websites and forum.

I'm not sure anyone knows what exactly went wrong or when it will be fixed.

Incident report (WayBack machine link)
 

PHP 8.3 version is out

Latest & greatest PHP 8.3 version has been published:
https://www.php.net/releases/8.3/en.php

Here's the official update documentation:
https://www.php.net/manual/en/migration83.php

Apparently, there are some "breaking changes" so developers (including the WordPress theme and plugin ones) will have a lot of work on their hands in order to ensure their stuff works on the new version.

The upside is that it will surely bring a 0.001% better performance and security, just like the other most recent updates. :)

My recommendation is to wait for at least 6 more months until it is all patched, and then double check if your software fully supports and works stably on the latest (by that time probably patched at least once) PHP version.
 

Elementor 3.18.0 vulnerability

Apparently, it is still unpatched** (**see the note below) and allows users with a "Contributor" or higher access rights to upload and execute code on the server.

WordFence says: "It may be best to uninstall the affected software and find a replacement."

I think that this may not be necessary if your site's users with Contributor or higher access rights are trusted.
WordPress user hierarchy:

  • Super Admin – somebody with access to the site network administration features and all other features. See the Create a Network article.
  • Administrator (slug: ‘administrator’) – somebody who has access to all the administration features within a single site.
  • Editor (slug: ‘editor’) – somebody who can publish and manage posts including the posts of other users.
  • Author (slug: ‘author’) – somebody who can publish and manage their own posts.
  • Contributor (slug: ‘contributor’) – somebody who can write and manage their own posts but cannot publish them.
  • Subscriber (slug: ‘subscriber’) – somebody who can only manage their profile.
WordFence report on the issue:

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/elementor/elementor-3180-authenticatedcontributor-arbitrary-file-upload-to-remote-code-execution-via-template-import

Note

At the time of writing, Elementor patch 3.18.1 is published, and its changelog says:

* Fix: Improved code security enforcement in File Upload mechanism
* Fix: Error appears on front when using various 3rd party plugins and Themes
* Fix: Reverted Elementor Editor is slow when using Safari 17 and Firefox on macOS

I'm yet to confirm if the noted security problem was really fixed with the patch.

UPDATE:
The vulnerability has been patched in Elementor 3.18.2 version.
 

WordPress 6.4.2 Maintenance & Security Release

It's a very good idea to update your WordPress to version 6.4.2 ASAP.

The 6.4.2 patch fixes a potential remote code execution vulnerability that, according to WP.org (BikeGremlin bolded the text): "is not directly exploitable in core, however the security team feels that there is a potential for high severity when combined with some plugins, especially in multisite installs."

Note:
I could not confirm this, but it seems reliable enough info, and as far as I could test, the 6.4.2 patch is stable and works fine.

The full report on WP.org website:
https://wordpress.org/news/2023/12/wordpress-6-4-2-maintenance-security-release/
 

LiteSpeed Cache 6.0 is out

One of the best (if not the best) WordPress caching plugins got a new major release: version 6.0.
My tutorial on how to configure LiteSpeed Cache for WordPress.
LiteSpeed does a lot of stuff and it does it well. Better than any other caching plugin I've tried (and I've tried a lot of them). OK, maybe WP Rocket, a paid plugin, comes close; on some sites it even has a slight advantage.

However, the plugin's complexity means that problems can occur with updates. There are many different hosting server setups and other WordPress plugins. So it is objectively quite difficult to find every bug and problem during the beta testing phase. Hell, below, you can see a (short) list of problems I've had with LiteSpeed updates, despite having tested in a staging environment before pushing it to live - I had just failed to notice those problems in time.
My problems with LiteSpeed updates:
This is why I would suggest you wait until the first patch is released before updating (6.0.1). Having said that, it's fair to note there is one security-related patch:
"CloudFlare CDN setting vulnerability patch. (Gulshan Kumar #541805)"

As far as I know, this is not a critical ("serious") vulnerability, but the final decision about whether to update is yours.

A list of updated stuff:

6.0 – Dec 12 2023

  • 🌱Image Optimize Parallel pull. (⭐ Contributed by Peter Wells #581)
  • 🌱Cache CLI Crawler.
  • 🌱Cache New Vary Cookies option.
  • 🌱Media New Preload Featured Image option. (Ankit)
  • Core Codebase safety review. (Special thanks to Rafie Muhammad @ Patchstack)
  • Purge Purge will not show QC message if no queue is cleared.
  • Purge Fixed a potential warning when post type is not as expected. (victorzink)
  • Conf Server IP field may now be emptied. (#111647)
  • Conf CloudFlare CDN setting vulnerability patch. (Gulshan Kumar #541805)
  • Crawler Suppressed sitemap generation msg when running by cron.
  • Crawler PHP v8.2 Dynamic property creation warning fix. (oldrup #586)
  • VPI VPI can now support non-alphabet filenames.
  • VPI Fixed PHP8.2 deprecated warning. (Ryan D)
  • ESI Fixed ESI nonce showing only HTML comment issue. (Giorgos K.)
  • 🐞Page Optimize Fixed a fatal PHP error caused by the WHM plugin’s Mass Enable for services not in use. (Michael)
  • 🐞Network Fix in-memory options for multisites. (Tynan #588)
  • Network Correct Disable All Features link for Multisite.
  • 🐞Image Optimize Removing original image will also remove optimized images.
  • Image Optimize Increased time limit for pull process.
  • Image Optimize Last pull time and cron tag now included in optimization summary.
  • Image Optimize Fixed Elementors Slideshow unusal background images. (Ryan D)
  • 🐞Database Optimize Fix an issue where cleaning post revisions would fail while cleaning postmeta. (Tynan #596)
  • Crawler Added status updates to CLI. (Lars)
  • 3rd WPML product category purge for WooCommerce. (Tynan #577)
You can register a BikeGremlin forum account and subscribe to this thread to get email notifications about any new news. :)
 

Advanced Database Cleaner PRO plugin bug

I found what looks like a bug in this plugin, version 3.2.7.
For more details about this plugin, see my article about WordPress database optimisation.

To make matters worse, the official changelog has no info about the past few updates:
https://docs.sigmaplugin.com/article/41-adbc-pro-changelog
Update:
The changelog has been updated with the 3.2.7 version release notes.

1) WordPress Plugin version:
Advanced DB Cleaner PRO 3.2.7

2) What I did:
With the previous plugin version (before the update):
- I did a scan of Tables, and Options, selecting the "Scan all items" option.
- Checked to confirm there are no orphans.
- Then, I updated the plugin to 3.2.7 version and ran the scans again.
- After the update, the plugin found these "Orphans" that I don't think are orphans really:



I've notified the developers and am waiting for further info.
Update:
I got feedback from the devs. They plan to publish a major release in "two months" that will "be much more accurate and with more information about detected orphans."
Can't wait. :)

Relja
 

Blesta vulnerability patch - critical

If you are running the Blesta billing panel (my article about how to install, configure & secure Blesta), it would be a very good idea to update to the latest security patch ASAP.

The latest patched version is 5.9.2 (for the 5.9.x Blesta versions), but if you are running an older version, you could go:
  • 5.8.3 patch for the 5.8.x version.
  • 5.7.2 patch for the 5.8.x versions.
Those running Blesta 5.0.x to 5.6.x versions should upgrade to a full 5.9.2 update.

For more details (and patch downloads), see:
https://www.blesta.com/2024/02/08/security-advisory/
 

Authy kills their desktop app in March 2024

My sincere apologies to anyone who took my advice to use Authy.

Some 12 hours ago I found out they've decided to "End of Life (EOL)" their desktop app, which was the only reason why I used and recommended Authy over other alternatives.

Now, the biggest Authy drawback, the lack of a TOTP key export option, is going to make the migration painful, long and tedious for most folks.

Relevant discussions:
Update:
I went with the "ente Authenticator":
https://apps.apple.com/us/app/ente-authenticator/id6444121398
KeePassXC works wonderfully as a desktop solution (for any operating system):
https://keepassxc.org/

It works OK, but more importantly, it lets me easily see and export/import any 2FA Keys.
 
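The reason key export matters so much in the post above is that a TOTP account is nothing more than a shared secret plus the RFC 6238 algorithm: any app (or the short script below) that has the exported Base32 secret can produce and verify the same six-digit codes, which is exactly what makes migrating between authenticators possible. The following is an added example, not code from the forum post or from any of the authenticator apps mentioned; it uses only the Python standard library, and the secret it carries is the published RFC 6238 reference key, not a real account key.

```python
"""Generate and verify RFC 6238 TOTP codes from an exported Base32 secret.

Added example (not from the forum post). Standard library only. The secret
below is the RFC 6238 test key "12345678901234567890" in Base32, i.e. the
form an authenticator export or an otpauth:// URI would present it in.
"""
import base64
import hashlib
import hmac
import struct
import time

SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # RFC 6238 reference key


def decode_secret(secret_b32):
    """Decode a Base32 secret, tolerating lowercase, spaces and missing padding."""
    cleaned = secret_b32.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key, counter, digits=6, algorithm="sha1"):
    """RFC 4226 HOTP: HMAC over the big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(key, msg, getattr(hashlib, algorithm)).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, at=None, period=30, digits=6, algorithm="sha1"):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    if at is None:
        at = time.time()
    return hotp(decode_secret(secret_b32), int(at) // period, digits, algorithm)


def verify_totp(secret_b32, code, at=None, window=1, period=30, digits=6):
    """Accept a code for the current time step or the `window` adjacent steps.

    The window absorbs clock drift between the phone and the server; the
    comparison is constant-time so a verifier does not leak partial matches.
    """
    if at is None:
        at = time.time()
    key = decode_secret(secret_b32)
    step = int(at) // period
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(key, step + delta, digits), code):
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 test vector: at T=59 the SHA-1 code is 94287082 (8 digits),
    # so the usual 6-digit code is 287082.
    print(totp(SAMPLE_SECRET_B32, at=59))
    print(totp(SAMPLE_SECRET_B32))  # the code for right now
```

Pasting the Base32 string exported from one app into another (or into this script) and seeing the same code appear is the simplest way to confirm a migration before deleting the old entry; the inverse is also the security point, so exported secrets belong in an encrypted store such as the KeePassXC database the post recommends.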