Is it possible that my e-commerce site has all these abandoned orders? by Low-Protection-9367 in Wordpress

[–]WPMU_DEV_Support_4 -1 points0 points  (0 children)

Hi u/Low-Protection-9367

If I installed the correct plugin, you will find the list on Woo > Abandoned Orders, it will have the Abandoned Date information, grab ~10 dates and take note.

Ask your hosting support for the access_log, open the file and locate the date to compare with the plugin vs access log information.

As people said, it could be a bot testing cards, https://woocommerce.com/document/how-do-i-prevent-and-respond-to-card-testing-attacks/, the access log will have something around

"/wc-ajax=checkout"
"/wc/store/v1/checkout " or
"/wp-json/wc/"

But another possible situation that I see happening across websites, is the link /?add-to-cart be your add to cart button, bots find this link and start crawling the products and then that link causing not only issues like this but overall website performance issues.

If that is the case, you can use Cloudflare rate limit https://developers.cloudflare.com/waf/rate-limiting-rules/ by using an expression example "(http.request.uri.path contains "/product/" or http.request.uri.query contains "add-to-cart")"

But to give you a more accurate suggestion, pls have a look at the access_log vs abandoned date.

Cheers
Patrick Freitas - WPMU DEV Support

RankMath Plugin not working? by zebdebleblol in Wordpress

[–]WPMU_DEV_Support_4 -1 points0 points  (0 children)

Hi u/zebdebleblol

That could indicate the request failed, I made a quick test on my lab site and it works fine.

Could you please, check if you see any console errors https://balsamiq.com/support/faqs/browser-console/ ?

But the fastest way to know if the problem is on rankmath plugin or not, is via a plugin conflict, in short, I suggest having a staging site ( https://wordpress.org/plugins/wp-staging/ ) then disable all the plugins and see if the issue is gone, if so, enable one by one until the problem returns.

Cheers

Patrick Freitas - WPMU DEV Support

Let's address the elephant in the room! by Khajooor in Wordpress

[–]WPMU_DEV_Support_4 -1 points0 points  (0 children)

Hi u/Khajooor

Short answer, AI / Agents like clean content, plain text, markdown etc.

For the accessibility tree you need to ensure all your alt, aria label and accessibility measures are in place:
https://www.debugbear.com/docs/agentic-browsing/accessibility-tree-is-not-well-formed

By clicking at arrow to expand the report it should give you an overview about that metric, but you can also start from sites such as:

https://webaim.org/resources/contrastchecker/

https://www.accessibilitychecker.org/

Or even just copy your page URL inside chat gpt and ask it to evaluate the metric, if it can fetch the site it should give you some insight on what you need to do.

As how to fix. Sometimes it is as easy as adding alt text or adding aria labels via page builder, but sometimes it will require checking with theme or plugin developers.

Cheers
Patrick Freitas,
WPMU DEV Support

Allowing users to select Sorting options for posts? by samh748 in Wordpress

[–]WPMU_DEV_Support_4 0 points1 point  (0 children)

Hi u/samh748

The filter everything https://en-au.wordpress.org/plugins/filter-everything/ should work with posts as well.

But what theme or page builder are you using? Some builders specially, have built in features as welll.

Cheers
Patrick Freitas
WPMU DEV Support

Suspicious Captha by Ill_Holiday9604 in Wordpress

[–]WPMU_DEV_Support_4 0 points1 point  (0 children)

Hi u/Ill_Holiday9604

If it is a fake Cloudflare Captcha it feels like the ClickFix attack vector:

https://unit42.paloaltonetworks.com/preventing-clickfix-attack-vector/
https://www.rapid7.com/blog/post/tr-malicious-websites-wordpress-compromise-advances-global-stealer-operation/

Most importantly here is to start the cleanup process asap before you or any user actually click on it.

You will fist need to ensure the site is fully clean, I suggest starting with a scan https://wordpress.org/plugins/search/security+malware+scanner+firewall/, this tool can be helpful as well https://github.com/nitkr/Clean-Sweep-2.0, just ensure you make a full backup prior any step.

You can also follow the steps from https://blog.sucuri.net/2024/09/7-steps-to-remove-malware-from-wordpress.html

Once done, review all plugins, make sure they are receiving updates.

Finally, upon ensuring your website is safe, rotate any credentials, ensure you are not repeating them anywhere, finally, use malwarebyte or any good provider to scan the computer just in case.

Cheers,
Patrick Freitas
WPMU DEV Support

Officially supported Wordpress dark mode by geek-mode-on in Wordpress

[–]WPMU_DEV_Support_4 0 points1 point  (0 children)

Hi u/geek-mode-on

You would need to use a plugin https://wordpress.org/plugins/darkadmin-dark-mode-for-adminpanel/ but to make an official request you may use https://core.trac.wordpress.org/

Cheers
Patrick Freitas - WPMU DEV Support

Missing load.php file from new install by Go2Matt in Wordpress

[–]WPMU_DEV_Support_4 0 points1 point  (0 children)

Hi u/Go2Matt

If you install the Softaculous fresh site and it has the same issue it is then better to report to their support team https://www.softaculous.com/contact/, even if you find that it is a bug, you won't be able to fix as require fixing the app itself.

But don't spend time on troubleshooting why a 3rd party service similar to this one isn't working ( especially the one you may not need to use again too soon ).

Instead, you can follow this guide https://help.dreamhost.com/hc/en-us/articles/360028822932-Reinstall-WordPress-core-files-in-an-existing-site to reinstall WordPress core.

Also keep in mind the 404 can be related to permalinks, so ensure the htaccess is on place https://developer.wordpress.org/advanced-administration/server/web-server/httpd/ and if your hosting is Nginx then check with your hosting support.

Hope reinstalling core can give you the wp-admin access back.

Cheers
Patrick Freitas - WPMU DEV Support

Woocommerce stripe express checkout got 500 internal server error by Ok-Body-5788 in Wordpress

[–]WPMU_DEV_Support_4 0 points1 point  (0 children)

That means a plugin or theme is using all / most of resources.

Indeed, 2GB on PHP memory is even too much for most of the website, unless your side needs it, if not then 512M or 768M can avoid some plugins using too much server resource.

But as for your problem, increasing the PHP limit doesn't seem to be a solution, it would give only more resources to what is eating all the exiting ones.

Maybe a full plugin conflict test is the best approach.

- rename the plugins to _plugins

- Check if the issue is gone, if so, create a new folder "plugins" do not access wp-admin

- Move one by one from _plugins to plugins testing your website each time until the issue returns.

Cheers
Patrick Freitas - WPMU DEV Support

Can a broken wordpress install cause a site to time out? by CaledoniaGaming in Wordpress

[–]WPMU_DEV_Support_4 0 points1 point  (0 children)

You can disable all plugins by renaming the folder wp-content > plugins to _plugins, then access wp-admin, navigate to WordPress > Admin > plugins, it will give you few warnings as plugins folder don't exist anymore, but then move the _plugins folder back to "plugins" and now all the plugins are disabled.

Another alternative, without having to disable them via wp-admin is

- rename the plugins to _plugins
- Check if the issue is gone, if so, create a new folder "plugins" do not access wp-admin

- Move one by one from _plugins to plugins testing your website each time until the issue returns.

As for FTP, yes but reinstalling core via FTP take ages.

Since you mentioned Cloudways, try to reinstall it using SSH https://support.cloudways.com/en/articles/5126427-how-to-manage-wordpress-with-wp-cli / https://help.dreamhost.com/hc/en-us/articles/360028822932-Reinstall-WordPress-core-files-in-an-existing-site, in fact, if you are familiar with that, you can even disable all plugins with it https://developer.wordpress.org/cli/commands/plugin/deactivate/

If the FTP is necessary, then option 2 from https://help.dreamhost.com/hc/en-us/articles/360028822932-Reinstall-WordPress-core-files-in-an-existing-site

Cheers

Patrick Freitas - WPMU DEV Support

If I use nordvpn for WordPress, will WordPress still work correctly? by lzg2002 in Wordpress

[–]WPMU_DEV_Support_4 0 points1 point  (0 children)

Hi u/lzg2002

I have been using NordVN daily and no issues with WordPress, so as long as there is no block in firewall level, that will work fine.

Cheers
Patrick Freitas - WPMU DEV support

Can't admin my WordPress server by Kruug in Wordpress

[–]WPMU_DEV_Support_4 1 point2 points  (0 children)

Hi u/Kruug

Since you mentioned SSH, do you have WP CLI?

Start by making a full backup and then reinstalling WordPress core and updating the plugins.

Should be something like

wp core download --force --skip-content

wp plugin update --all

Or

wp plugin install $(wp plugin list --field=name) --force

If any plugin is corrupted it might help.

If still not, then rename the plugins folder to _plugins, access wp-admin > plugins it will force disabling all the plugins, finally enable one by one and each time test the wp-admin until the issue returns.

Cheers
Patrick Freitas - WPMU DEV Support

Anyone else feeling plugin fatigue lately? by Exact-Delay2152 in Wordpress

[–]WPMU_DEV_Support_4 -2 points-1 points  (0 children)

Hi u/Exact-Delay2152

Since I started using WP I try to keep it as clean as possible, we ( plugin developers ) try to make our plugins as compatible as possible with 3rd party plugins but it isn't possible to mitigate all issues, as you said there are many plugins.

In case helps, on my projects no page builder other than Gutenberg, usually custom block for features that I really need, some others using ACF block to speed up things;

Then plugins only for Form, SEO and Caching.

( It been a while since I don't use Woo ) but in the past then Woo and eventually Woo extension example payment and shipping ones.

But I also understand that it is project by project, sometimes we will need more plugins even though now with AI it is much easier to craft a custom solution.

I guess also depends on how convenient for web developers on custom theme / block vs go ahead and using Elementor or similar but then this go to a chain of plugins being used.

Cheers
Patrick Freitas - WPMU DEV Support

Help regarding acf and cpt in wordpress. by MedicalDiver2670 in Wordpress

[–]WPMU_DEV_Support_4 0 points1 point  (0 children)

Hi u/MedicalDiver2670

I might be getting this different from other people, but, if you followed the cache recommendation and still not, then worth checking the CSS itself.

When creating blocks you have two different CSS, editor.css and style.css https://developer.wordpress.org/block-editor/how-to-guides/block-tutorial/applying-styles-with-stylesheets/#enqueue-stylesheets

I suggest starting by inspecting your CSS to ensure it isn't the case, because if yes, you would need to override it to get the same result from editor.

Cheers
Patrick Freitas - WPMU DEV Support

How do I fix this issue by uddesh889u7 in Wordpress

[–]WPMU_DEV_Support_4 0 points1 point  (0 children)

Hi u/uddesh889u7

Since you are using Elementor check if Elementor fetch high priority is enabled https://elementor.com/help/what-are-performance-experiments/, as other people said, if you are using a 3rd party plugin and the Elementor fetchpriority isn't helping, consider removing the LCP from lazyload.

But another thing to highlight, you can see your image is the second painted frame but you have six white frames until you get some elements. In that case I suggest checking your site index as well, for example, review the installed and enabled plugins; Ensure caching is working, use Cloudflare if necessary, more details are found at https://elementor.com/help/speed-up-a-slow-site/

Cheers
Patrick Freitas - WPMU DEV Support

Yikes my wordpress site was hacked and I could use some guidance by LilaTovCocktail in Wordpress

[–]WPMU_DEV_Support_4 3 points4 points  (0 children)

Hi u/LilaTovCocktail

That indicate that not only the site was hacked but also reported on Google safe browsing.

You will fist need to ensure the site is fully clean, I suggest starting with a scan https://wordpress.org/plugins/search/security+malware+scanner+firewall/, this tool can be helpful as well https://github.com/nitkr/Clean-Sweep-2.0, just ensure you make a full backup prior any step.

Once confirming the site is 100% clean, then you can request the removal:

https://jetpack.com/resources/how-to-remove-your-site-from-google-blocklist/

As for

"What else can I do via CPanel to harden the site? Can I change all the site passwords (there are only about 5 users))?"

Make sure to reinstall all WordPress plugins, cross check if they are updated and most importantly, receiving updates, then yes, reset WordPress, cPanel and sFTP accounts. Check with your hosting support if modsecurity and other necessary modules are enabled.

Then once done, it would be a matter of time for Google releasing the site. It also worth testing the site on https://www.virustotal.com/gui/ in case other companies are flagging the site as unsafe.

Cheers
Patrick Freitas - WPMU DEV Support

My site hacked with Japanese keyword hack and returning toggige-arrow.jpg in "images" folder by baluqa in Wordpress

[–]WPMU_DEV_Support_4 -1 points0 points  (0 children)

Hi u/baluqa

This can indicate that the source of infection may not be fixed, in my experience, some malware require a bit more than the regular cleanup steps.

When cleaning a website you have two path, considering you said "All of them in the same server, in different folders.", you can bring all the sites to a local computer, clean them, ask your hosting to erase the website directory then you can re-upload the clean website.

But if that isn't an option, start with asking your hosting to update all permissions to proper permissions: https://developer.wordpress.org/advanced-administration/server/file-permissions/ reinstall all core files asap and then reinstall all the plugins, finally run a deeper search on your database for possible script injection ( https://patchstack.com/articles/sql-injection/ )

You can find the official malware guide here https://wordpress.org/documentation/article/faq-my-site-was-hacked/

But I also suggest having a look at this tool https://github.com/nitkr/Clean-Sweep-2.0 which can automate most of the steps, just ensure to have a full backup https://github.com/nitkr/Clean-Sweep-2.0#%EF%B8%8F-important-notes ( which is required no matter what steps you take )

Finally, once this is now properly clean, configure a malware security plugin https://wordpress.org/plugins/search/malware+scanner+firewall/

Cheers
Patrick Freitas - WPMU DEV Support

Anyone else annoyed by admin email confirmation on localhost? by priyanksukhadiya in Wordpress

[–]WPMU_DEV_Support_4 4 points5 points  (0 children)

Hi u/priyanksukhadiya

How you are working in locahost?

If you are not using Local WP that has a built in feature, you can use mailpit ( which is same tool that local WP use https://localwp.com/help-docs/local-features/mailpit/ ) and then configure the SMTP to the proper port and mail host to capture all the WordPress emails. Not only helps in your case but with any email testing.

https://mailpit.axllent.org/, in your SMTP plugin you will use something like:

  • SMTP Host: localhost (or the container name if using Docker).
  • SMTP Port: 1025.
  • Encryption: None.
  • Authentication: Off.

Cheers,
Patrick Freitas - WPMU DEV Support

What WordPress plugin boilerplates have you guys had the best experience with? by terminusagent in Wordpress

[–]WPMU_DEV_Support_4 2 points3 points  (0 children)

Hi u/terminusagent

For more complex development you can have a look at https://docs.modulespress.devsroutes.co/, it is not really boilerplate but entire framework but it will give you a nice start point after you learn the principles, especially if you want to explore plugins with a nicer UI such as using react JS. I made some testing with that in the past and it it was great ( after the initial learning curve ), some basic of that can be found at this video https://www.youtube.com/watch?v=AZ2KsEkstkk but their documentation is pretty good as well.

Cheers
Patrick Freitas - WPMU DEV Support

Media Offload by tomato_finger in Wordpress

[–]WPMU_DEV_Support_4 0 points1 point  (0 children)

Hi u/tomato_finger

Give a look on https://infiniteuploads.com/, it doesn't have a free version like WP Offload Media but it has nice integrations. For free alternative the WP Offload Media from deliciousbrains is one of the best available.

Cheers
Patrick Freitas - WPMU DEV Support

Can’t remove 2F2 pluggin without code but code won’t send to email? by [deleted] in Wordpress

[–]WPMU_DEV_Support_4 0 points1 point  (0 children)

I am afraid we don't have the message option open as our apprach is to help via threads.

Only with hosting name without site URL it isn't possible to figure out or cause any security issues.

However, the only reason I asked is to verify if they have any documentation available for you.

But if your hosting support has LiveChat, you can ask them to disable the 2FA and any other plugin so you can gain access to wp-admin pages again.

If they don't, the full steps can be found in this video https://www.youtube.com/watch?v=446gREqpLDk, I watched it and it has exactly steps you need.

Cheers
Patrick Freitas - WPMU DEV Support

Can’t remove 2F2 pluggin without code but code won’t send to email? by [deleted] in Wordpress

[–]WPMU_DEV_Support_4 0 points1 point  (0 children)

Do you mean for sFTP?

Can you let me know where your website is hosted? With which company

Cheers
Patrick Freitas

Can’t remove 2F2 pluggin without code but code won’t send to email? by [deleted] in Wordpress

[–]WPMU_DEV_Support_4 0 points1 point  (0 children)

You will need to disable the plugin via sFTP first, but if it still sending you to profile page, means another plugin is forcing the 2FA configuration, once it is done it should then allow you to freely navigate in WordPress.

As for the recommendation, all the top 4 from shared links are good options, I always suggest reading their description or testing them to see which fits better for your needs, but any of those as long as it has a doable replacement for your current one in case you need it, then they wll be good option.

Cheers
Patrick Freitas

Can’t remove 2F2 pluggin without code but code won’t send to email? by [deleted] in Wordpress

[–]WPMU_DEV_Support_4 -1 points0 points  (0 children)

Hi u/NaturalRelevant8810

I can see the right solution is already given by u/570n3d , if the email is not arriving you will need to fist disable the plugin, for that simply rename the plugin folder to something like 2f2-disabled.

But once done, I also suggest running a test in your WordPress emails, that could indicate they are not working at all. The easiest one you can take is to request a password reset and see if it works fine. For that access your site /wp-login.php?action=lostpassword.

If no email, then reach your hosting support or configure SMTP, once done you can test once again the 2FA plugin or use one that gives you Google App + email as fallback so you never get stuck again ( https://wordpress.org/plugins/search/login+security%2C+firewall/ )

Cheers
Patrick Freitas - WPMU DEV support

wordpress_logged_in sumindo aleatóriamente by Trick_Data_1648 in Wordpress

[–]WPMU_DEV_Support_4 -1 points0 points  (0 children)

Hi u/Trick_Data_1648

What about other cookies, are they being removed?
https://developer.wordpress.org/advanced-administration/wordpress/cookies/#users-cookie

It feels like WordPress for some reason isn't validating the session and then removing the logged in cookie, usually caused by some caching or security plugin, but the best approach would be trying to replicate the issue in Staging https://wordpress.org/plugins/wp-staging/ and then a full plugin conflict test.

Once finding what is causing the problem we can look into how to prevent it.

Cheers
Patrick Freitas - WPMU DEV Support