etheos
Forum Replies Created
Oh good god yes we need more of a knowledge base and help tips in the SG Optimizer plugin on all this!
I was super annoyed that the Full Page Caching in Cloudflare setting in SG Optimizer for WordPress does not tell you that your existing page rules will be lost. That’s huge if you have unique rules set up to make sites function!
I also then got the surprise email the next day from CF telling me I was about to exceed worker limits. And I have no idea if any of this is doing anything good for my site overall vs other caching settings.
Forum: Plugins
In reply to: [WP Job Manager] Remote Job Location
I 2nd this, this really is a necessity; it seems it should be easy enough to implement. Never mind Covid, remote jobs are really increasingly popular. In fact more than half the jobs on my board are. I have been just telling people to put Remote but yeah, that doesn’t get them in Google Jobs search and also makes it confusing on the site.
In my original code I used the HTML equivalent hex code for the check mark ✓, which is: #x2713; (add an & to the front of that) but the post, even when using the code snippet here, removes it. Seems to work either way but you may want to replace the ✓ with the HTML.
- This reply was modified 5 years, 5 months ago by etheos.
Forum: Plugins
In reply to: [WP Job Manager] Job type does not get saved / displayed anymore
Ah, same! Plugin compatibility is the reason I usually wait to update WordPress and of course it happens the one time I didn’t wait.
Thanks for the reply! My original post may have been confusing, or maybe I am confusing what you wrote… but the Job Dashboard I accidentally referred to as the Job Manager. I’m looking for a shortcut to provide the employer, where they can click an edit button on the job post, rather than having to navigate to the Job Dashboard and then select Edit next to the job in the list of jobs.
I suggest this might be an intuitive UX feature because people are used to, when viewing something on the web they’ve generated, finding an edit button right there and not having to navigate elsewhere and select it from a list.
Awesome, thx!
Forum: Plugins
In reply to: [WP Job Manager] Job Manager Uploads Folder Hacked
Thanks @pluginvulnerabilities I was going to reply similarly.
@Jonyran, here’s an example of the abuse…
1) Someone goes to: https://demo.wpjobmanager.com/post-a-job/
2) They scroll right down to “Feature Image” and click “Choose and Image”, then select an image from their hard drive and it uploads.
3) The thumbnail displays as 100×100. They right click on the thumbnail and copy the full sized image URL, which in this case is a 2550px x 1600px sunset: https://demo.wpjobmanager.com/wp-content/uploads/job-manager-uploads/featured_image/2017/07/sunset-3.jpg
They then use it in their spam completely unbeknownst to the website owner.
If you could only img src a 100×100 thumbnail it would really limit the appeal. Unless the spammer could deduce the name of the full-size file URL just by removing 100×100 from the filename or by looking at a company logo on another post to see what the difference is. If the full-size file name could each have a random hash or something added to the file’s name that might stop that, like this does:
https://stackoverflow.com/questions/3259696/rename-files-during-upload-within-wordpress-backend
Forum: Plugins
In reply to: [WP Job Manager] Job Manager Uploads Folder Hacked
This $39 addon plugin, WP Jobs Manager Field Editor:
https://plugins.smyl.es/wp-job-manager-field-editor/
allows you to disable the Feature Image from the jobs fields and the Company Logo from the Company fields, however I have not tried this so I can’t guarantee there aren’t any issues with disabling these, but it should work fine I believe.
Employers on my site use company logos on most posts and I feel it really helps spruce up the listings.
It would be great if WP Job Manager could come up with a fix to prevent their plugin from being used as a way for spammers/phishers to host images. In addition to my other suggested fixes, even just limiting the thumbnail to a 50×50 image would be effective. Currently the thumbnail preview that is img src’ed on the job submit form after upload is the full file that was just uploaded, so a spammer can basically upload and then hot link to an 800px or larger image by simply going to the job post form and selecting it from their hard drive! If WP Job Manager could resize this image to 50×50 before displaying it on the form, that would greatly limit the appeal to spammers. Currently the thumbnail that the form displays is resized with CSS and all it takes is a right-click on the thumbnail to discover the full size image URL.
Forum: Plugins
In reply to: [WP Job Manager] Job Manager Uploads Folder Hacked
Well I just added this filter to my functions.php which will rename WP uploads to be a hash of the original filename.
https://stackoverflow.com/questions/3259696/rename-files-during-upload-within-wordpress-backend
HOWEVER, on testing this I just realized that it’s pointless, because as soon as someone uploads a company logo in a job submission form, their uploaded filename URL is revealed to them in the thumbnail preview right there on the job submit form, even before they submit the job.
So clearly my idea would not work. Perhaps the thumbnail could be displayed by way of an img src to a PHP file that acts as a gate, serving up the image encoding of the thumbnail if its request has a referrer coming from the website or if the request is made, say, within 5 minutes of the file name’s creation date.
- This reply was modified 8 years, 10 months ago by etheos.
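As an added example, not code from this thread or from WP Job Manager, the rename-on-upload idea above implemented with WordPress’s standard wp_handle_upload_prefilter hook (the function name is my own, and it applies to every upload that goes through wp_handle_upload(), not only job listings):

```php
<?php
/*
 * Added example (not from the thread or from WP Job Manager): give every
 * file that passes through wp_handle_upload() an unguessable name, so the
 * path of a freshly uploaded logo cannot be derived from the original
 * filename or from another listing's logo. Drop into functions.php or a
 * small mu-plugin. Assumption: losing original filenames is acceptable.
 */

add_filter( 'wp_handle_upload_prefilter', 'example_randomize_upload_name' );

function example_randomize_upload_name( $file ) {
    // Derive the extension from WordPress's own allowed MIME map instead of
    // trusting whatever the client sent; unknown types are refused outright
    // (setting $file['error'] makes wp_handle_upload() abort with that text).
    $type = wp_check_filetype( $file['name'] );
    if ( empty( $type['ext'] ) ) {
        $file['error'] = 'File type is not permitted.';
        return $file;
    }

    // 128 bits of randomness: knowing the upload date and the original
    // filename gives an outsider nothing to enumerate.
    $random       = bin2hex( random_bytes( 16 ) );
    $file['name'] = $random . '.' . $type['ext'];
    return $file;
}
```

This removes the guessable-name problem raised earlier (deriving the full-size URL from the thumbnail name or from another post’s logo) but, as the post notes, does nothing about the preview revealing the final URL to the uploader.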
Forum: Plugins
In reply to: [WP Job Manager] Job Manager Uploads Folder Hacked
Hmmm my post disappeared after I edited it. Here it is again:
Were the gif or jpg files images that were uploaded used in spamming or phishing?
It would seem anyone can join as an employer and basically use the jobs website as an image host; even before the job is approved their uploaded image file already exists at:
http://JOBS-DOMAIN/wp-content/uploads/job-manager-uploads/company_logo/2017/07/USERS-FILENAME.jpg
Which the abuser then img src’s in a spam or phishing email. Then your host/domain provider hears about it when the phishing attack is reported, they see you as hosting the image and believe your site is compromised.
I am thinking a good way to prevent this is for WP Job Manager to release a fix where the company_logo, featured image, and resume files are given random filenames so that the attacker can not know what the filename would be until the job is approved… but we would of course not approve a job after seeing a malicious image file.
Forum: Plugins
In reply to: [WP Job Manager] Job Manager Uploads Folder Hacked
Well this is concerning! What file types were uploaded? Luckily my install has not been infected.
Based on a cursory look, things look secure in that the plugin limits mime types both on the client side with JavaScript (easily bypassed) and also in the job_manager_upload_file() and job_manager_get_allowed_mime_types() functions in the file /wp-job-manager-functions.php, where the company logo allowed mime types are png, gif and jpeg.