Ben Meredith
Forum Replies Created
Hey @martins56 !
First, thanks for testing out the plugin for clients! (buckle up for a comprehensive reply here!)
Next, I really appreciate you bringing to my attention that the changes that Solid Security makes are still listed as iThemes Security in the wp-config.php file and .htaccess file. I definitely thought we changed that behavior for new installs at the time of our rebrand last year, and hate that it slipped through the cracks. I just now escalated that to the team to have a look at fixing. There’s an outside chance there’s some valid reason we didn’t change that behavior at the time of rebrand, so I can’t guarantee that we’re going to fix it, but I’d hope that we can fix it at least for new installs going forward.
Note: We certainly don’t want to go trying to fix it for sites where it’s already saved to both database and file structure in the old way… that’s a recipe for headaches… but for new installs I’d hope we can make that change.
Next, the fact that those edits persist on deactivation and uninstallation: I’ve raised this issue with the development team in the past and we’ve always been reticent to do much “cleaning up” on uninstall of changes made to wp-config and .htaccess, because it can have unintended consequences and end up doing more harm than good. I’ll raise that issue again to see what they say, but know that it’s something we’re aware of and made a conscious decision not to do, for the benefit of our (current and former) users.
Next, the issue of you telling Solid Security not to edit the wp-config and .htaccess files, and it still editing it: I just tried multiple ways to replicate that, and as best I can tell my test install obeyed that setting. I am going to surface to the team some UI improvements we can make when that setting is disabled (it isn’t clear that once you uncheck that box, it really doesn’t matter what other changes you make in the settings… those changes need to be manually made), but the setting appears to be *working*. If you can get me some steps to make it malfunction, I’m happy to look into it. It might be best to open a support request for that so that I don’t miss a reply to the thread here.
Finally, the root issue of “it broke some dynamic images” (which ultimately surfaced all of these other issues): I am more than happy to try and see about mitigating the issues if you’d be willing to pass along some steps to replicate the problem. My hunch is that the dynamic images are being handled in a fancy way that bypasses normal WordPress conventions for the sake of performance improvements, and therefore would need some special care to “play nicely” with a security plugin (like Solid Security).
I can’t guarantee we’d find a solution that would not just be “change the setting in the .htaccess file” like you ended up doing, but it’s worth a shot.
Forum: Reviews
In reply to: [Solid Mail – SMTP email and logging made by SolidWP] Gone with the wind
Hey @senjoralfonso!
A lot of things to respond to here, so pardon the novel of a reply. Perhaps grab a coffee to help get you through it!
I’ll list out my interpretation of what you’re saying here with some comments:
Before it was simple, now it is not.
This one is hard to stomach, to be honest. The old user interface had about 4 times as many “options” in the settings in order to get connected to a mail provider. A top priority of ours since taking ownership is to make it simpler to get connected to a mail provider. Some of the settings in the old UI were no longer best practice for connecting to an SMTP provider, and therefore removed. Other settings were not as useful and have been removed. It’s wildly simpler now. Also, it has documentation now.
Before it was styled like “WordPress GPL” and now it is not.
If you open WordPress to a block-editor page, you see a markedly different design than the traditional back end UI. I don’t think I’m going out on a limb to say that the admin UI for WordPress is dated at this point. In the wider WordPress ecosystem there is ongoing debate about how list tables need to be replaced, and what that design will look like. Here’s a discussion about “Data Views” that we are following closely from back in June: https://make.ww.wp.xz.cn/core/2024/06/13/data-views-update-june-2024/
We’re certainly not the only ones to start the trend toward making the admin screens look more modern, and will gladly follow the wider WP ecosystem if a consensus appears around what direction things are going. For now, we just decided “make it look better” was a priority.
Before it worked, now it… doesn’t?
You don’t come right out and say that the product doesn’t work now, but I felt an implication that maybe you thought that, so I wanted to address that particular elephant. Easily the biggest change that this plugin is going to get is *attention* going forward. An entire team of Quality Assurance folks took turns testing the plugin as a part of this 2.0 release, which is something that was simply never true of a previous release.
More fundamentally, before if it didn’t work you had no option for help, now you have documentation and a support team who want to make sure you are connected.
Angry fruit salad
This is a dig at the (rather wordy) telemetry opt-in that greets you upon installation. I’ll be honest, I’m with you on this one. I pushed internally that we shouldn’t have the first impression be corporate-speak via this opt-in, but lost that battle.
In its defense, you opting into our telemetry is another sign that now this plugin is getting attention. We monitor data to see how we can make the product better and more integral to your site. And per WordPress rules, we don’t do anything without your permission, hence tossing a bowl of “fruit salad” at you. I’m a little offended that you didn’t appreciate my careful wording. 😆
Owned by CloudOne Digital
Yes, SolidWP is part of StellarWP, in the Liquid Web family of brands, and CloudOne digital is an investor. Also, ask around in the WP ecosystem and you’ll see that there are many “old school WordPressers” like myself who work here and love all of the things that have made WP great over the years.
I know it’s just empty words from the outside, but here on the inside I’ve seen StellarWP doing everything right when it comes to acquisitions. The products (and teams) get better (and happier) after acquisition.
There’s going to be a premium version soon.
If there is a premium version, that I have any part in planning (I would definitely have a part), it won’t take away features, or lock them behind a paywall. We’re more concerned with people using the products as a part of our overall suite in SolidWP.
You’ll start seeing this kind of language around our sites and plugins, but we aim to be a brand and set of products that “every WordPress site needs.” Doesn’t matter what kind of site you run, you need Security, Backups, Performance (caching and optimization), and now: Mail.
So the value in the acquisition here was trust, not “quick, make a premium product!” We are going to be adding features and stability to the products, with the entire goal being that you trust us. There’s no shortcut: trust is earned over time, and we’re just getting started.
Here’s hoping this big ol’ wall of words was helpful for you. Let us know if you have any trouble with this or any of our products!
- This reply was modified 1 year, 8 months ago by Ben Meredith. Reason: typo
Hey folks!
Apologies, we misread the first reply here and thought you were referring to a different SolidWP product.
We’ve tried to replicate an issue with the (newly rebranded) Solid Mail plugin, and I’m not seeing issues with a password containing %.
Can you pass along some steps to see the problem now? I’m operating under the assumption that this issue was fixed in the rebrand of the plugin to Solid Mail.
Hey @akashbelokar !
We just relaunched this plugin with an all new interface and some different capabilities under the hood, and I wanted to ask you to try connecting again, and let us know if you still have trouble. We also added some documentation here: https://help.solidwp.com/hc/en-us/articles/29111180436635-Getting-Started-with-Solid-Mail
Thanks!
Hi @drorli!
We’re thrilled you had this experience with both the product and our team. Thanks so much for taking the time to tell us (and others) all about it.
Have a great day!
Happy to provide a bit of context for this!
It’s an established best practice in WordPress to discourage direct execution of PHP files. Responsible plugin developers do that within their code, directly. That’s why (if you view the source code of a plugin or a theme) many times you’ll see something like
if ( ! defined( 'ABSPATH' ) ) {
    exit; // Exit if accessed directly
}
…which is a function to ensure that the file in question is being executed correctly. A brief translation into English of what that function is telling the machine would be “check to see if ABSPATH has been defined, and if it hasn’t, stop executing this code!”
ABSPATH is a PHP constant defined in WordPress itself, in the wp-config.php file (after a warning to not modify the constant!).
So that responsible little line at the top of a legitimate file essentially ensures that the code is being executed in the correct context.
Solid Security allows you as a user to essentially enforce that developers do that responsible thing. It performs a similar block on directly executing code, whether that line is present at the top of the file or not!
If it’s not being executed in the context of WordPress, you can’t execute anything. Solid Security gives you the ability to granularly block the specific directories where you want to enforce the rules, but beyond that if there were something like a filter to whitelist certain files, it would essentially provide a way for a malicious actor to bypass the functionality altogether.
So when we say “we’re not going to be adding that” it’s not just to make it more difficult: it’s to encourage other plugin developers to stop the bad practice of directly executing PHP in that way, and it’s to prevent putting in a way for bad actors to essentially render that layer of security protection null.
Put slightly more bluntly: This has been a standard practice for years in WordPress, and plugins and other adding code that’s designed to execute outside of WordPress itself should find better places to put that code.
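An added example, not part of the original reply and not Solid Security's code: a small Python audit that walks a plugin tree and reports which PHP files carry the ABSPATH guard described above, which lack it, and which run other code before reaching it. The names `classify`, `audit` and `run_demo`, the sample files and the regex heuristics are all assumptions made for this illustration.

```python
import re
import tempfile
from pathlib import Path

# Heuristic comment stripper, so a guard mentioned only in a comment is not counted.
COMMENTS = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.DOTALL)
# Two common spellings of the guard: the if-block form and the short-circuit form.
GUARD = re.compile(r"""
    if\s*\(\s*!\s*defined\s*\(\s*['"]ABSPATH['"]\s*\)\s*\)\s*\{?\s*(?:exit|die)\b
  | defined\s*\(\s*['"]ABSPATH['"]\s*\)\s*(?:\|\||or)\s*(?:exit|die)\b
""", re.IGNORECASE | re.VERBOSE)
# Statements that may precede the guard without executing anything.
HARMLESS = re.compile(
    r"\s*(?:<\?php|declare\s*\([^)]*\)\s*;|namespace\s+[\w\\]+\s*;|use\s+[\w\\ ,]+;)",
    re.IGNORECASE,
)

def classify(source: str) -> str:
    """Return 'guarded', 'late-guard' or 'unguarded' for one PHP source text."""
    code = COMMENTS.sub("", source)
    guard = GUARD.search(code)
    if guard is None:
        return "unguarded"
    # Whatever remains before the guard would run on direct access.
    leftover = HARMLESS.sub("", code[:guard.start()]).strip()
    return "guarded" if not leftover else "late-guard"

def audit(root: Path) -> dict[str, str]:
    """Map every .php file under root (relative path) to its classification."""
    return {
        p.relative_to(root).as_posix(): classify(p.read_text(errors="replace"))
        for p in sorted(root.rglob("*.php"))
    }

# Constructed sample plugin, written to a temporary directory for the demo.
SAMPLE = {
    "plugin/main.php": "<?php\n/* Plugin Name: Demo */\n"
                       "if ( ! defined( 'ABSPATH' ) ) {\n\texit; // Exit if accessed directly\n}\n"
                       "add_action( 'init', 'demo_init' );\n",
    "plugin/inc/short.php": "<?php\nnamespace Demo;\ndefined( 'ABSPATH' ) || exit;\n",
    "plugin/inc/export.php": "<?php\nheader( 'Content-Type: text/csv' );\necho 'id,name';\n",
    "plugin/inc/late.php": "<?php\nrequire 'lib.php';\nif ( ! defined( 'ABSPATH' ) ) { die; }\n",
}

def run_demo() -> dict[str, str]:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, body in SAMPLE.items():
            path = root / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body)
        return audit(root)

if __name__ == "__main__":
    for name, status in run_demo().items():
        print(f"{status:10} {name}")
```

Files reported as `unguarded` or `late-guard` are the ones that depend on a server-level block of direct PHP execution, since nothing in the file itself stops them from running outside WordPress.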
Hey @galbaras !
Where are you seeing that error? Just in a log? or somewhere else?
I’m very confident this has to do with some caching not being tuned correctly somewhere, but until I can replicate the issue, we’re stuck.
Hi @htchr !
Please open a support request for this if you haven’t already! We don’t want to bombard (via email notifications) the others on this review thread with trying to troubleshoot your individual site’s issue here.
Thanks!
We have staff that show up at approximately 3AM Eastern US time on Monday mornings, so worst case you’d have been out to dry for a few hours.
And this is the first I’m hearing of the wp-config.php solution not working. We’re more than happy to troubleshoot what’s going on, but in my tests (even this morning!) adding that line to wp-config.php completely disables all security temporarily.
We are more than happy to help, for sure! The Reviews section of our product is the slowest way to get that help though. It sounds like you’ve moved on, but if you haven’t, please do reach out for support!
Hi @stefangroenveld!
I just scoured our support forum (both for the basic and pro versions of our product) and I am not seeing any tickets from you. We are more than happy to help you get back into your site, if you’ve locked yourself out.
One of the realities of making a really good system for keeping folks out of your site is that it’s definitely possible to lock yourself out inadvertently. So we have a simple (one line of code!) addition for folks to add to their wp-config.php file that allows you to deactivate Solid Security’s features in order to reset things so that you’re not locked out. On top of that, once you do get logged back in, if you run into the same trouble again it’s super-simple to troubleshoot and we’re happy to help.
Getting technical support in WordPress can be harrowing, but reaching out on our support forums would have been a much better idea than spending hours frustrated with your site!
If you’re still interested in all of the benefits of Solid Security (now that you’ve tested and confirmed that our 2-Factor authentication process is highly effective at keeping out bad actors!) I’m happy to help. Here’s the code that you’ll need (add it anywhere above the “that’s all!…” line)
define('ITSEC_DISABLE_MODULES', true);
We have this article on all the best ways to edit the wp-config.php file, but the short version is “ask your host for help” because most of them can point you directly to that process specifically for their environment.
Bottom line, I’d love to earn back those missing stars in your review. Don’t hesitate to reach out.
Have a great day!
Hey @equanimityes apologies for my lack of clarity! I see that you’re right. In order for the additional option to display, you have to first opt into “Security Check Pro” in the settings at Security > Settings > Features, and then navigate to the IP detection settings where you will see the additional option. Here’s a short screencast showing that:
Thanks!
Hi @yuyu009!
Very glad you reached out! What you are seeing is a result of some changes made in the latest version that’s ultimately a security feature. I’m happy to explain (it’s a bit of a long story…).
WordPress requires that plugins hosted on their servers (including Solid Security Basic) not “phone home” or send requests back to our servers without explicitly asking for permission and having users like you opt in. We are very careful to follow those rules, which are put in place for your protection.
A feature of Solid Security (and iThemes Security before it) is IP detection, for the purposes of locking out bad actors by IP address.
The best way to handle detecting of IP addresses is by handling IP detection on our servers. But since we can’t do that without your permission, for years we’ve had a fallback method of using IP detection on the server where your site is hosted.
Recently it was determined that this method (IP detection on your servers) is not secure, and can be used in malicious ways. So we removed it.
That means that in order to do IP detection at all, you’ll need to opt in, which is possible in the settings at Security > Settings > Global Settings > IP Detection. Select “Security Check Scan” and save the settings, and you’ll be all set.
Finally, just a heads up that a better place to get support is the support forums, not the reviews!
I’d love to earn back the missing stars in your review here. How can we do that?
Hey @morphman!
I checked, and I don’t see a support ticket here or on our premium support system. We’d never want someone to spend AN hour, much less 3, trying to get back into their site.
One of the things that does happen with a security system of any type is that you can inadvertently lock yourself out if you’re not careful. We’re always working to make it more clear how to avoid locking yourself out, for sure.
If you do lock yourself out, there’s a simple fix that only requires file-system access: you can add the following line to the site’s wp-config.php:
define('ITSEC_DISABLE_MODULES', true);
Once you do that, it’ll get you back in with no problem, to be able to tweak the settings so that you are not locked out.
It sounds like you’ve moved on to a different option, but if you’re willing to give us another try, we’re happy to help!
Forum: Reviews
In reply to: [GiveWP - Donation Plugin and Fundraising Platform] Not great.
Hey @mikejkelley!
I see by the number of times that you edited this review, and the softening from “Garbage!” to “it’s OK” that you clearly have started with the review, and not the support forum. We’re happy to support you as you get started with GiveWP, and explain how we envision folks using the product. It makes more sense the longer you use it (as any new thing does!) and I firmly believe that rightly used, there’s not a better way out there to collect donations with WordPress.
I’d also love to earn back the missing stars, here.
Your primary issue here seems to still be that we don’t currently allow for things like line breaks or HTML in the description or donation amount, etc. That’s a conscious decision we made, based on two simple underlying principles:
- remove friction from the donor experience.
- the form is the mechanism to take the donation, and nothing else.
The description on the form is not designed to do anything other than move a donor closer to donating. It’s not context for giving: it’s the point of the ask. If you add a bunch of distracting paragraphs to the donation form description, you’re lessening the amount of money you are going to collect. Context goes around the form, not in it.
Next, Connecting to PayPal: if you’re having trouble connecting to PayPal, we’re happy to help, or to direct you to a payment gateway that’s less temperamental. We can’t control when or how PayPal Standard is removed (that’s PayPal!) but we can do everything in our power to ensure your organization is able to connect. Open a support request and we’re happy to look into it!
Finally (at the time of the current edit of your review!) Crowdfunding is a broad term, so I am not sure what exact functionality you are looking for, but we’re happy to work with you to get the most out of GiveWP. Lots of functionality around crowdfunding is already in there, and there are some Premium Add-ons that help with that as well. We’re happy to chat.
Here’s a feedback request about Crowdfunding that I’d love for you to add a comment and some more clarity to: https://feedback.givewp.com/feature-requests/p/create-a-crowdfunding-campaign-like-gofundme-with-givewp
Thanks!
Hey @galbaras!
Out of curiosity, where are you seeing the error here? Is it displayed somewhere, or in a log, or what?
We have (so far) 2 reports of this error message, but I want to be clear: it’s not really an error, it’s WordPress essentially saying “hey we stopped you from adding a duplicate entry” which is ultimately a good thing.
If this issue were widespread, we’d be covered in tickets and forum posts at this point. So yes, another month has gone by that we haven’t fixed it, but really only because we have yet to reproduce the error on any of our test sites, and without reproducing it, we’re essentially guessing on the reason for the root problem.
So the short term fix is to ignore the warning (and rest easy in the fact that Solid Security is still locking out bad actors, as intended) and the long term fix is for us to have a spot to replicate the issue. We’re happy to dig in.
It hasn’t been escalated in priority because of that combination: it’s not breaking anything, and so far only 2 reports of it.