Rant about WordPress

Your review has been successfully completed.

Congratulations, the plugin hosting request for App for Cloudflare® has been approved.

Within one (1) hour your account (digitalpoint) will be granted commit access to your Subversion (SVN) repository.

Well that was a journey...

117 days from initial submission to approval.

It wasn't a full 117 days for them to start looking at it (it was 61 days until they first looked at it), then there were a few weeks of going back and forth on the naming.

Hi, thanks for pointing out this information about Cloudflare®, we checked that and obviously you are correct about the way of using Cloudflare trademark.

...then they didn't like the slug even though it adhered to their guidelines so that was another couple weeks of going back and forth.

A couple nonsensical things they didn't like in the code, but it was simpler to make changes where the end result was the same vs. argue with the reviewers.

A couple issues with escaping vs. sanitizing that were worked out (I've been spoiled with XenForo where everything is escaped and sanitized by default and you have to go out of your way to not do it). In WordPress, it's the opposite (everything is NOT sanitized/escaped by default, so it's easy to miss something).

Either way... I can push it to wordpress.org SVN repo whenever I'm ready now. :)
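As an added illustration of the sanitize-versus-escape rule this post describes (example code written for this page, not part of App for Cloudflare or anything the reviewers sent): a minimal settings page that sanitizes a value once on save and then escapes it separately for every output context. It only runs inside WordPress; the option name, option group, page slug and field name are hypothetical.

```php
<?php
/**
 * Plugin Name: Sanitize/Escape Demo (added example, not App for Cloudflare code)
 *
 * In WordPress nothing is sanitized on the way in or escaped on the way out
 * unless the plugin does it. Input is sanitized once (at storage), output is
 * escaped per context (text node, attribute, href) every time it is printed.
 * All names below (demo_cf_*) are hypothetical.
 */

// --- INPUT: sanitize when the value is stored ---------------------------------
add_action( 'admin_init', function () {
    register_setting(
        'demo_cf_settings',      // option group (hypothetical)
        'demo_cf_api_endpoint',  // option name  (hypothetical)
        array(
            'type'              => 'string',
            // Runs on every save, including a crafted POST straight to options.php.
            'sanitize_callback' => 'demo_cf_sanitize_endpoint',
            'default'           => '',
        )
    );
} );

function demo_cf_sanitize_endpoint( $value ) {
    $value = sanitize_text_field( (string) $value );      // strips tags, control chars, extra whitespace
    // Storage form of a URL (no HTML entities), restricted to https.
    $value = esc_url_raw( $value, array( 'https' ) );
    if ( '' === $value ) {
        add_settings_error( 'demo_cf_api_endpoint', 'invalid', 'Endpoint must be an https:// URL.' );
        return get_option( 'demo_cf_api_endpoint', '' );   // keep the previous good value
    }
    return $value;
}

// --- OUTPUT: escape for the context the value lands in -------------------------
add_action( 'admin_menu', function () {
    add_options_page( 'CF Demo', 'CF Demo', 'manage_options', 'demo-cf', 'demo_cf_render_page' );
} );

function demo_cf_render_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $endpoint = get_option( 'demo_cf_api_endpoint', '' );
    // Request input: sanitize on read, and still escape on output below.
    $notice = isset( $_GET['notice'] ) ? sanitize_text_field( wp_unslash( $_GET['notice'] ) ) : '';

    // WRONG (what a review flags): raw interpolation of stored or request data.
    // echo '<input value="' . $endpoint . '">';
    // echo '<p>' . $_GET['notice'] . '</p>';

    // RIGHT: the same values, escaped for the exact context at the point of output.
    echo '<div class="wrap"><h1>CF Demo</h1>';
    if ( '' !== $notice ) {
        echo '<p>' . esc_html( $notice ) . '</p>';                                   // HTML text node
    }
    echo '<form method="post" action="' . esc_url( admin_url( 'options.php' ) ) . '">';
    settings_fields( 'demo_cf_settings' );                                            // nonce + option_page
    echo '<p><input type="url" name="demo_cf_api_endpoint" value="' . esc_attr( $endpoint ) . '"></p>'; // attribute
    echo '<p><a href="' . esc_url( $endpoint ) . '">' . esc_html( $endpoint ) . '</a></p>';         // href vs. text
    submit_button();
    echo '</form></div>';
}
```

The point the example makes is that sanitizing on input does not remove the need to escape on output: the same stored string goes through esc_attr() inside the attribute, esc_url() inside href, and esc_html() as visible text, because each context has different dangerous characters.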
 
Yay finally...
I also agree with @Miri: use Joomla instead.
Or Dreamweaver/InDesign from Adobe.
 
Okay well... hopefully it works as expected. 😬


I also rolled out the site that goes along with it... https://appforcf.com/

Has some interesting things like a XenForo marketplace I built from scratch (handles sales, licensing, renewals, subscriptions, it's integrated into XenForo's node system, etc.)
 
Looks good! Once funds improve here, I'll get the premium version as I need the R2 buckets for a couple of my WP projects. 👍
If you are curious how the R2 stuff works on the WordPress side, it's more or less the same as XenForo.

[screenshot]


[screenshot]


If you have R2 enabled, media uploaded ends up in R2. One thing that's a little different is the old media still works without moving it to R2. The media browser will show an orange cloud for media that's on R2.

[screenshot]
 
One thing that's a little different is the old media still works without moving it to R2.
That is a good idea--if you remember, I have a multisite install, and I would not move the media (images) over to R2 for some of the lower-use sites on the network right away. I like the orange cloud indicator. The project I'm using it for is photography and some of the images can be quite large, which is why I wanted to store them in R2 buckets.
 
I've also installed the WordPress plugin. Looks good so far. :)

I'd love a function to block login from endless brute force attempts. 2 tries per IP on admin accounts, before it switches IP and tries again. I already added Turnstile to wp-login but somehow that doesn't stop them.
BTW I used a plugin to add Cloudflare Turnstile to all login forms, including Elementor and Gravity Forms. It would make sense to have your plugin add it.
 
Why allow unauthorized users ANY attempts? Lock the admin down with Zero-Trust Network Access (similar to how the XenForo version does it for XenForo admin area). The Pro version has an auto-config button to set all that up for you, but nothing preventing you from setting it up on your own in Cloudflare's dashboard.
 
You are right about Zero Trust. That is handy and we will set that up after third-party devs don't need access anymore.

Users/customers need to be able to register and login. Therefore there will need to be login form access. Those login screens get hammered for brute force.
 
If it’s an automated process hitting the login, maybe use a page rule to add a challenge to the page? It’s more or less Turnstile without needing to code it on your end. Can just add it inline to the network request.
 
The Pro version has an auto-config button to set all that up for you, but nothing preventing you from setting it up on your own in Cloudflare's dashboard.
In the XF version, it was nice that the addon automatically populated Zero Trust with our admins' email addresses to access the admin area. For XF install, I deleted all the addresses except for two of my own.

I just took the time to set one up for one of my WP networks. It doesn't take many configuration options to get it to work. The only limitation is that I can only add five domains at a time. This network has eight sites under different domains, so I need to set up a second one for the remaining three domains.

I do feel better that I can lock down all of my WP sites this way. Access attempts can't even get past Cloudflare now. 👍
 
Adding a 2 second delay or more between attempts in addition to zero trust will also stop brute force attacks in their tracks. In fact, no reason for the delays not to increase. I've seen Android phones implement this, making one wait an increasing amount of minutes, escalating to something like 30 minutes between attempts. Very effective.
 
Adding a 2 second delay or more between attempts in addition to zero trust will also stop brute force attacks in their tracks.
Not sure the 2 second delay will add much since they would need to first authenticate as an authorized Zero Trust user for the underlying network request to even make it to your server.
 
Ya, the WordPress version does the same (auto configures and populates based on the admin emails). But ya... I don't trust WordPress at ALL. I'd say it's way more important to lock down your WordPress admin upstream of the application (WordPress) with Zero Trust than it is with XenForo. But that's just me... :)
 
I agree--WP is the Internet's punching bag.

I've had to test things a few ways to make sure everything is secured. I'm working on only a single domain now, but checking any way I know of to log in so that nothing gets past it. Initially, I had Zero Trust working on domain.com/wp-login.php, but if I go to domain.com/wp-admin, which redirects to wp-login.php anyway (with a redirect string tacked onto the end of it), it goes right to my WP login. So, I had to add both wp-login.php and wp-admin entries under domains for the Zero Trust Application. And so far I seem to be trapping whatever I am trying.

One oddity is that the CF challenge page is showing the domain of my XenForo installation on this same CF account. It's not deal-breaking but just a minor OCD annoyance.
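The two points above, that the request has to clear Zero Trust before it reaches the server, and that both wp-login.php and /wp-admin need to be covered, rely on every request actually arriving through Cloudflare. An origin that also answers direct connections (by IP, or on a hostname that is not proxied) is not protected by the Access application at all. Cloudflare forwards a signed JWT in the Cf-Access-Jwt-Assertion header once the visitor has passed the policy, and the origin can refuse login/admin requests that do not carry a valid one. The following mu-plugin is an added example for this page, not App for Cloudflare code: the team name and application AUD tag are placeholders, the header name and the `/cdn-cgi/access/certs` keys endpoint are Cloudflare's documented ones, and the RS256 check uses PHP's bundled openssl extension rather than a JWT library.

```php
<?php
/**
 * Plugin Name: Require a Cloudflare Access token on wp-login.php and /wp-admin/
 * (added example for this page, not App for Cloudflare code; put in wp-content/mu-plugins/)
 *
 * Cloudflare adds Cf-Access-Jwt-Assertion only after the visitor passed the
 * Access policy, so a request that reaches the origin directly has no valid
 * token and is refused here. DEMO_CF_TEAM and DEMO_CF_AUD are placeholders.
 */
define( 'DEMO_CF_TEAM', 'your-team' );                                    // <team>.cloudflareaccess.com
define( 'DEMO_CF_AUD',  'replace-with-the-access-application-aud-tag' ); // from the Access app settings

add_action( 'init', 'demo_cf_enforce_access', 0 );

function demo_cf_enforce_access() {
    $path = (string) parse_url( $_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH );
    // Both entry points; /wp-admin only redirects to wp-login.php for logged-out users.
    if ( ! preg_match( '#(^|/)(wp-login\.php$|wp-admin(/|$))#', $path ) ) {
        return;
    }
    // admin-ajax.php sits under /wp-admin but is used by logged-out front-end code.
    if ( substr( $path, -23 ) === '/wp-admin/admin-ajax.php' ) {
        return;
    }
    $jwt = (string) ( $_SERVER['HTTP_CF_ACCESS_JWT_ASSERTION'] ?? '' );
    if ( '' === $jwt || ! demo_cf_jwt_valid( $jwt ) ) {
        status_header( 403 );
        nocache_headers();
        exit( 'Forbidden: Cloudflare Access token missing or invalid.' );
    }
}

function demo_cf_b64url( string $s ): string {
    return (string) base64_decode( strtr( $s, '-_', '+/' ) . str_repeat( '=', ( 4 - strlen( $s ) % 4 ) % 4 ) );
}

function demo_cf_jwt_valid( string $jwt ): bool {
    $parts = explode( '.', $jwt );
    if ( 3 !== count( $parts ) ) { return false; }
    list( $h64, $p64, $s64 ) = $parts;
    $header  = json_decode( demo_cf_b64url( $h64 ), true );
    $payload = json_decode( demo_cf_b64url( $p64 ), true );
    if ( ! is_array( $header ) || ! is_array( $payload ) || 'RS256' !== ( $header['alg'] ?? '' ) ) {
        return false;   // never accept "none" or an HMAC alg against an RSA key
    }
    if ( ! in_array( DEMO_CF_AUD, (array) ( $payload['aud'] ?? array() ), true ) ) {
        return false;   // token was issued for a different Access application
    }
    if ( ! is_int( $payload['exp'] ?? null ) || $payload['exp'] < time() ) { return false; }
    if ( ( $payload['iss'] ?? '' ) !== 'https://' . DEMO_CF_TEAM . '.cloudflareaccess.com' ) { return false; }
    $pem = demo_cf_public_key( (string) ( $header['kid'] ?? '' ) );
    if ( null === $pem ) { return false; }
    return 1 === openssl_verify( "$h64.$p64", demo_cf_b64url( $s64 ), $pem, OPENSSL_ALGO_SHA256 );
}

// Fetch and cache the team's signing keys (JWKS); Cloudflare rotates them, so re-fetch hourly.
function demo_cf_public_key( string $kid ): ?string {
    $keys = get_transient( 'demo_cf_access_certs' );
    if ( false === $keys ) {
        $url = 'https://' . DEMO_CF_TEAM . '.cloudflareaccess.com/cdn-cgi/access/certs';
        $res = wp_remote_get( $url, array( 'timeout' => 5 ) );
        if ( is_wp_error( $res ) || 200 !== wp_remote_retrieve_response_code( $res ) ) { return null; }
        $body = json_decode( wp_remote_retrieve_body( $res ), true );
        $keys = is_array( $body ) ? ( $body['keys'] ?? array() ) : array();
        set_transient( 'demo_cf_access_certs', $keys, HOUR_IN_SECONDS );
    }
    foreach ( $keys as $k ) {
        if ( ( $k['kid'] ?? '' ) === $kid && 'RSA' === ( $k['kty'] ?? '' ) ) {
            return demo_cf_jwk_to_pem( $k['n'], $k['e'] );
        }
    }
    return null;
}

// DER helpers: wrap the JWK (n, e) pair as SubjectPublicKeyInfo so openssl can load it.
function demo_cf_der_len( int $len ): string {
    if ( $len < 0x80 ) { return chr( $len ); }
    $bytes = ltrim( pack( 'N', $len ), "\x00" );
    return chr( 0x80 | strlen( $bytes ) ) . $bytes;
}

function demo_cf_der_int( string $v ): string {
    if ( ord( $v[0] ) > 0x7f ) { $v = "\x00" . $v; }   // leading zero keeps the INTEGER positive
    return "\x02" . demo_cf_der_len( strlen( $v ) ) . $v;
}

function demo_cf_jwk_to_pem( string $n64, string $e64 ): string {
    $rsa  = demo_cf_der_int( demo_cf_b64url( $n64 ) ) . demo_cf_der_int( demo_cf_b64url( $e64 ) );
    $rsa  = "\x30" . demo_cf_der_len( strlen( $rsa ) ) . $rsa;                 // RSAPublicKey SEQUENCE
    $alg  = "\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01\x05\x00";   // rsaEncryption OID + NULL
    $bits = "\x03" . demo_cf_der_len( strlen( $rsa ) + 1 ) . "\x00" . $rsa;    // BIT STRING, 0 unused bits
    $spki = "\x30" . demo_cf_der_len( strlen( $alg . $bits ) ) . $alg . $bits;
    return "-----BEGIN PUBLIC KEY-----\n" . chunk_split( base64_encode( $spki ), 64, "\n" ) . "-----END PUBLIC KEY-----\n";
}
```

Two things to check after installing it: that the admin-ajax.php exemption matches what the site actually needs (a site with no anonymous AJAX can drop it and protect that file too), and that the AUD tag is the one for the application that covers both paths. If wp-login.php and /wp-admin are separate Access applications with different AUD tags, accept either tag in the `aud` check.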
 
Ya... it's definitely not ideal. I vaguely remember reading somewhere they were going to address that, but I don't recall where I read it. It's also possible I dreamed it.
 
Honestly, they could just get rid of it. Maybe substitute it with a name of our choosing? It shows in the URL also. On the other hand, the only person seeing it is myself and maybe just a few other who use it. Nothing I'm losing sleep over...
 
You definitely can change the subdomain (but it's still for your Cloudflare account as a whole). If it's named after a XenForo installation, it's probably just the name you gave it when it first asked you the subdomain. Either way, the Team Domain can be changed at any time...

[screenshot]
 
Not sure the 2 second delay will add much since they would need to first authenticate as an authorized Zero Trust user for the underlying network request to even make it to your server.
It can be added to the zero trust authentication step though and anyway, there's always a way through any defence, no matter how hard, so I maintain that it can still be useful at the end server level.
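The escalating-delay idea raised earlier in the thread (2 seconds, then longer, capped at something like 30 minutes) is what this reply argues is still worth having at the server itself, as a backstop for anything that gets past Cloudflare. Below is an added example of that backstop for this page, not App for Cloudflare code and not anything either poster published: a small mu-plugin that keeps one counter per username and one per client IP, refuses the next attempt until the delay has passed, doubles the delay on each real failure, and clears both on a successful login. Tracking the username as well as the IP is what catches the attacker that changes IP after two tries. Constant names and the transient key prefix are this example's own.

```php
<?php
/**
 * Plugin Name: Escalating login lockout (added example, not App for Cloudflare code)
 *
 * After a failed login, the next attempt for that username AND for that
 * client IP is refused until a delay has passed. The delay doubles on each
 * further failure (2 s, 4 s, 8 s ... capped at 30 min) and resets on success.
 * Put the file in wp-content/mu-plugins/.
 */
define( 'DEMO_LOCK_BASE_SECONDS', 2 );
define( 'DEMO_LOCK_MAX_SECONDS', 30 * MINUTE_IN_SECONDS );
define( 'DEMO_LOCK_PREFIX', 'demo_lock_' );

function demo_lock_client_ip(): string {
    // Behind Cloudflare, REMOTE_ADDR is a Cloudflare edge; the visitor IP is in
    // CF-Connecting-IP. Only trust that header if the origin accepts traffic from
    // Cloudflare alone, otherwise a direct client can forge it.
    $ip = $_SERVER['HTTP_CF_CONNECTING_IP'] ?? $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return filter_var( $ip, FILTER_VALIDATE_IP ) ? $ip : '0.0.0.0';
}

function demo_lock_keys( string $username ): array {
    return array(
        DEMO_LOCK_PREFIX . 'u_' . md5( strtolower( trim( $username ) ) ),
        DEMO_LOCK_PREFIX . 'ip_' . md5( demo_lock_client_ip() ),
    );
}

/** Seconds until the next attempt is allowed for this username/IP pair (0 = now). */
function demo_lock_remaining( string $username ): int {
    $wait = 0;
    foreach ( demo_lock_keys( $username ) as $key ) {
        $state = get_transient( $key );   // array( 'failures' => n, 'until' => unix ts ) or false
        if ( is_array( $state ) ) {
            $wait = max( $wait, (int) $state['until'] - time() );
        }
    }
    return max( 0, $wait );
}

// Priority 30 runs after core's password check (priority 20), so a correct
// password during a lockout is still refused; that is what makes the delay bite.
add_filter( 'authenticate', function ( $user, $username ) {
    $username = (string) $username;
    if ( '' === $username ) {
        return $user;
    }
    $wait = demo_lock_remaining( $username );
    if ( $wait > 0 ) {
        return new WP_Error( 'demo_locked', sprintf( 'Too many failed logins. Try again in %d seconds.', $wait ) );
    }
    return $user;
}, 30, 2 );

// Each real failure doubles the delay for both the username and the IP.
// Attempts refused by the lockout itself are not counted again, so a refused
// retry does not extend the lockout (limits the denial-of-service on a real user).
add_action( 'wp_login_failed', function ( $username, $error = null ) {
    if ( $error instanceof WP_Error && 'demo_locked' === $error->get_error_code() ) {
        return;
    }
    foreach ( demo_lock_keys( (string) $username ) as $key ) {
        $state    = get_transient( $key );
        $failures = is_array( $state ) ? (int) $state['failures'] + 1 : 1;
        $delay    = min( DEMO_LOCK_MAX_SECONDS, DEMO_LOCK_BASE_SECONDS << min( $failures - 1, 20 ) );
        set_transient(
            $key,
            array( 'failures' => $failures, 'until' => time() + $delay ),
            DEMO_LOCK_MAX_SECONDS   // counters expire on their own after the maximum delay
        );
    }
}, 10, 2 );

// A successful login clears the counters for that account and that IP.
add_action( 'wp_login', function ( $user_login ) {
    foreach ( demo_lock_keys( (string) $user_login ) as $key ) {
        delete_transient( $key );
    }
} );
```

Two caveats worth knowing before relying on it: the per-username counter means an attacker can keep a specific account locked for up to 30 minutes (the price of catching IP rotation), and transients stored in the options table are only as reliable as the object cache in front of them, so on a multi-server setup use a shared cache or the lock state differs per node.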
 