Resolving WordPress Media Upload Issues Caused by Cloudflare

A couple of months ago, I started receiving this error when trying to upload media to WordPress:

“The server cannot process the image. This can happen if the server is busy or does not have enough resources to complete the task. Uploading a smaller image may help. Suggested maximum size is 2560 pixels.”

Both my WordPress settings and config files and my server settings and config files were all correctly set up, so I was stumped as to why I was receiving this error message.

It turns out the issue was Cloudflare’s Web Application Firewall rules.

In Cloudflare’s WAF settings, two “Managed rules” were enabled: Cloudflare Managed Ruleset and Cloudflare OWASP Core Ruleset. These rulesets block the execution of the admin-ajax.php file that WordPress uses to process media uploads. This file is potentially needed for many use cases and should generally not be blocked.

The solution was to add a custom managed rule that skips the execution of those rules if admin-ajax.php is being accessed.

I added a new rule called “Allow admin-ajax.php” with the following setting:

URI Full contains admin-ajax.php

Then, set that rule to “Skip all remaining rules” and place it as the first managed rule that runs.
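How much traffic the “URI Full contains admin-ajax.php” condition exempts from the managed rules, compared with a match on the exact path, is shown in this added Python example (not part of the original post). The function names and sample URLs are constructed, and it assumes WordPress is installed at the site root; `http.request.full_uri` and `http.request.uri.path` are the Cloudflare fields behind “URI Full” and “URI Path”.

```python
from urllib.parse import urlsplit

# Assumption: WordPress is installed at the site root, so the AJAX
# endpoint lives at exactly this path.
AJAX_PATH = "/wp-admin/admin-ajax.php"


def broad_rule_matches(full_uri: str) -> bool:
    """Models the post's condition: URI Full contains admin-ajax.php
    (expression: http.request.full_uri contains "admin-ajax.php")."""
    return "admin-ajax.php" in full_uri


def narrow_rule_matches(full_uri: str) -> bool:
    """Models a tighter condition: URI Path equals the AJAX endpoint
    (expression: http.request.uri.path eq "/wp-admin/admin-ajax.php")."""
    return urlsplit(full_uri).path == AJAX_PATH


def over_exempted(uris):
    """URIs that skip the managed rules under the broad condition only."""
    return [u for u in uris
            if broad_rule_matches(u) and not narrow_rule_matches(u)]


# Constructed sample requests; example.com is a placeholder host.
SAMPLES = [
    "https://example.com/wp-admin/admin-ajax.php",
    "https://example.com/wp-admin/admin-ajax.php?action=heartbeat",
    "https://example.com/?s=admin-ajax.php",
    "https://example.com/2023/05/fixing-admin-ajax.php-errors/",
    "https://example.com/wp-login.php",
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(f"broad={broad_rule_matches(uri)!s:5} "
              f"narrow={narrow_rule_matches(uri)!s:5} {uri}")
    print("Skips the managed rules only because of the substring match:")
    for uri in over_exempted(SAMPLES):
        print("  ", uri)
```

In the Cloudflare rule builder the narrow condition is entered as URI Path equals /wp-admin/admin-ajax.php; adjust the path if WordPress lives in a subdirectory.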

ClassicPress

ClassicPress is a fork of WordPress 4.9 that offers a classic WordPress experience with better security, less bloat, and no blocks.

ClassicPress is a community-led open source content management system and a fork of WordPress that preserves the TinyMCE classic editor as the default option.

Take one quick look at the ClassicPress admin dashboard and, if you’re a WordPress user, you’ll see something instantly familiar. That’s what our community wanted. Something that looks and works like their favorite CMS…but better. And if you are one of the many people who are still using WordPress 4.9 or the Classic Editor plugin, here’s 10 reasons why you should consider switching to ClassicPress.

I’m happy using the latest version of WordPress (including the blocks), but I get the appeal of the Classic WordPress functionality. It’s one of the beautiful things about Open Source that people can have choices like this.

Organize Series Plugin for WordPress

Organize Series (apparently rebranded as PublishPress Series) is a plugin for WordPress that allows users to organize related posts together so readers can easily discover the related posts.

For example, I recently did a series of posts on a line of DC Comics greeting cards from the 1970s. Since there were so many such greeting cards, I divided these into five separate posts.

Someone discovering one of the posts via Google, etc., may not easily find the other four posts. With the Series plugin, I can make that more visible to visitors like this:

DC Greeting Cards Series Example

PublishPress recently purchased the plugin and has a series of “Pro” enhancements that add shortcodes, the ability to add a post to more than one series, etc.

Local Gravatars Plugin for WordPress

Local Gravatars is a WordPress plugin designed to minimize potential privacy issues around Automattic’s Gravatar service.

The plugin will get your users’ gravatars and host them locally on your website.

Your visitors will get the gravatars directly from your website instead of the gravatar CDN, therefore increasing privacy and performance.

To avoid cluttering the filesystem and to allow refreshing gravatars, the files get flushed on a weekly basis (interval can be modified using a filter).

To avoid performance issues server-side, the download process for gravatars is limited to a maximum of 5 seconds (value can be modified using a filter).

In an interview at WP Tavern, the plugin’s author, Ari Stathopoulos, outlined the sort of risk he’s trying to reduce with the plugin:

“And when I visit a site that uses Gravatar, some information is exposed to the site that serves them — including my IP,” said Stathopoulos. “Even if it’s just for analytics purposes, I don’t think the company should know that page A on site B got 1,000 visitors today with these IPs from these countries. There is absolutely no reason why any company not related to the page I’m actually visiting should have any kind of information about my visit.”

The Local Gravatars plugin must still connect to the Gravatar service. However, the connection is made on the server rather than the client. Stathopoulos explained that the only information exposed in this case is the server’s IP and nothing from the client, which eliminates any potential privacy concerns.

WordPress WPS Hide Login Plugin

WPS Hide Login is a WordPress plugin that obfuscates the login page for a WordPress install.

It doesn’t literally rename or change files in core, nor does it add rewrite rules. It simply intercepts page requests and works on any WordPress website. The wp-admin directory and wp-login.php page become inaccessible, so you should bookmark or remember the URL. Deactivating this plugin brings your site back exactly to the state it was before.

Honestly, I did this more to stop an annoyance than anything. There are tons of bots out there that try to do credential stuffing and dictionary attacks against even tiny sites like mine.

They’re unlikely to get past my strong password and 2FA, but it was getting annoying to see the constant stream of “user X has been locked out for 4 hours.”

I used the WPS Hide Login to set my login page to a random 16-character alphanumeric string that would be essentially impossible to guess.