Raul P.
Forum Replies Created
-
Forum: Plugins
In reply to: [Fast Velocity Minify] PHP 8.4 ready?Should be fine, but its a matter of testing. Thanks
Forum: Plugins
In reply to: [Fast Velocity Minify] Performance score not improvingHi, that depends.
This plugin is not a install and forget, you need to manually optimize scripts.
First thing you need to check, is if the frontend in incognito mode, when you view source, does it show any files pointing to the cache directory, minified? Or do they show on gtmetrix?
By default, at least the CSS files should be automatically optimized.
If they are not showing up, means there is some error (check the footer, if any html comment shows up).
Sometimes there is server or hosting cache as well, so you may not be seeing the fresh optimized page.
Can you share your url or gtmetrix report ?
Is there zero difference, or just small?
Note that sometimes, the site is just too heavy that even with optimization, it can fall short.Forum: Plugins
In reply to: [Fast Velocity Minify] Hard refreshing a page when developingHi,
If you are doing development, involving editing css or js files, you should never use any plugin that minifies files, and you should never be behind a cdn like cloudflare for example, without having some rule to bypass cache.
Furthermore, all your css and js files need a query param, that changes after each change.
I like to use filemtime on php to match the version to last modified date of the file itself for example.
You should not just use time() or similar, because later your url will keep changing and not be cached.
None of these things are related to any plugin, so for development, just go ahead and disable all cache and minification for all layers (plugins, server side, cdn, etc) and only enable those things on production.Forum: Plugins
In reply to: [Fast Velocity Minify] Private IP of server triggering plugin error in 3.5.2+Hi there,
Sorry to hear about that.
That logic was intended for SSRF Protection, but there was a bug in order of execution so it got blocked before actually processing local files.
Furthermore, considering that people might use this on intranet or have resources over NAT.
But more importantly, WordPress itself does not perform IP-based filtering in wp_remote_get().
I thought it was a good idea for security, but thinking back, if someone can inject arbitrary URLs into wp_enqueue_script(), they likely already have enough access to do worse things, so it makes sense if I remove this check.Update will follow shortly.
Thanks for reporting.
Forum: Plugins
In reply to: [Fast Velocity Minify] Icons & rating stars missing after FVM to 3.5.2Hi there,
Sorry to hear about that, you can try the 3.5.3 release now, which has better support for fonts.
What happened, is that some of the security fixes implemented were too tight, so it could block relative path fonts that shouldn’t be blocked.
ThanksForum: Plugins
In reply to: [Fast Velocity Minify] PHP WarningHi, thanks for reporting. This should be fixed on 3.5.0 now.
Forum: Plugins
In reply to: [Fast Velocity Minify] Icons brokenHi, thanks for reporting. This should be fixed on 3.5.0 now.
Forum: Plugins
In reply to: [Fast Velocity Minify] Issue with css files in version 3.4.2 and 3.4.3Hi, that sounds like page caching (cache plugin, or server side), or maybe file permissions, not the logic on the plugin.
If you run 3.4.1 and delete the cache on FVM from the plugin a few times, does it still work when you go and check on incognito mode and refresh a couple of times?
Because that sort of behavior happens usually when there is some sort of page caching active somewhere, which FVM cannot clear.
When minification is generated, it needs to purge the html page cache so that it generates a new file pointing to the correct minified files.
If it’s server side caching (a lot of providers have this to speed up loading times) it might store the page for a few minutes anytime, either before, after or during FVM creating those files. That would result in inconsistent view, because cache would be pointing to files that might not exist anymore (fvm cache purged, without purging the page cache from server or other plugin), or point to a cached page before FVM generated the files.
Normally, ensuring any page cache is disabled or trying in development mode, staging, etc should show if it works or not.
From 3.4.1 to 3.4.3 the differences are really minimal, essentially a not null check and wp cron check, which would not cause this behaviour.Forum: Plugins
In reply to: [Fast Velocity Minify] FVM does not support AMPHi, it’s not an error, it’s an HTML comment for informational purposes.
Using AMP is already the optimization, so there is nothing to do with the scripts on AMP.Forum: Plugins
In reply to: [Fast Velocity Minify] Issues with 6.7.2Sorry about that, there was a typo. You should be able to update to 3.4.3 now.
Forum: Plugins
In reply to: [Fast Velocity Minify] PHP deprecated: passing null to str_replaceHi, it’s been a while because I only work on this on my free time, and I haven’t had time for the project in a long time.
Normally, PHP Deprecated errors, only show up if you specifically enable error logging at that level, and it doesn’t affect the normal usage of sites in production (live sites). You should probably not have that level of error enabled on production sites, but it’s up to you.
That error also appears to mean, that you don’t have the correct wp_footer hook on your theme, or at least on some page templates, else it shouldn’t show up (it’s supposed to be there).
That being said, it doesn’t change the fact that the error should be accounted for and fixed, so I have pushed a quick release to sort it out.
I don’t have much time for this plugin at the moment, but it is maintained.Forum: Plugins
In reply to: [Fast Velocity Minify] Is There An Update Coming Soon?Hi, there were no changes that would require an update, so that is why. I will consider an update soon, just for the sake of the version notification.
Forum: Plugins
In reply to: [Fast Velocity Minify] Сritical vulnerabilityHi there,
There are no known vulnerabilities on FVM and the plugin is regularly audited by me and third party services, like WordFence. Furthermore, if you download the plugin again, you can see that the offending code is not part of the source code.
JS files, from any plugin are prime targets for malware, as well as the theme header and footer php files, so the affected file is not relevant when auditing. WordPress core files are often also injected with similar malware, and it is not usually because of a core related vulnerability. The target of most malware that affects WP sites is random, to try to prevent detection. As long as it runs somewhere, is all that it’s needed.
A vulnerability has to occur in some PHP file, usually file upload related, or in some system that accepts api calls or importing of data, or sometimes simply something that accepts any user input, like a form.
Often the culprit is unsanitized user input, so a hacker can inject php code that will run as part of the execution.
Another possibility is a vulnerability at the server level.
If you use shared hosting, that can happen relatively easy if any site on the server get’s infected, even if they don’t belong to you. Malware can spread inside the server, regardless of user isolation (unless they use containers, which would make things more complex for malware, but not impossible).
If there is privilege escalation anywhere on the server, malware can spread to other clients.
FVM doesn’t allow file uploads, and it doesn’t accept POST requests except for admin users, so it is unlikely that it’s the culprit. It does however, merge and minify JS and CSS files, so if those have malware, they will be minified as it is and put in the cache directory.
If /plugins/wp-lozad/js/lozad.js?ver=5.8 is modified, first download a fresh copy and see if the error persists. It would not be the first time that hackers inject malware on repositories, but it’s rare. If the source is clean, then somewhere else allowed the vulnerability to go in.
I would suggest switching hosting and audit all themes and plugins, especially if any code has been custom made, or original plugins or the theme have been customized (meaning, they lack updates).
You can try to use WPScan to find versions of common plugins with known vulnerabilities.
And you can use something like WordFence to scan the whole site for other issues, though be advised, even with WordFence, your site can still have new malware, if it’s not yet part of their signatures.
There are high sensitivity modes to scan the site, but that will require a bit more knowledge to distinguish what is normal and not normal.Forum: Plugins
In reply to: [Fast Velocity Minify] How to exclude one folder within “plugins” folderHi, sorry, you meant the opposite of what I said.
Scripts in this plugin are added manually, because if you add everything they can break (not all scripts support deferring depending on how they are coded).
In this case, instead of using a more generic path, you need to spend some time adding all plugin directories you specifically want to defer, and do not add the ones you want to exclude.
That filter was made that way, to force developers to specify which ones to optimize.
It was though for third party scripts, even if it also works for local scripts.
The logic might be outdated a bit, sorry about that.
In the near future, I plan to review some of the logic and push another update with a few more options.Forum: Plugins
In reply to: [Fast Velocity Minify] How to exclude one folder within “plugins” folderHi, you can exclude anything by a matching path, so adding /plugins/someplugin/ will exclude all, but /plugins/someplugin/somefile.js will only exclude that specific file.