skunkworks
Forum Replies Created
-
Additionally.. supporting Slack Notifications via Webhook would be a nice feature addition.
Forum: Plugins
In reply to: [Simple CAPTCHA Alternative with Cloudflare Turnstile] Help! Can’t log in!Tagging @elliotvs just in case the “Resolved” status of this has resulted in a lack of notifications being sent out. If I should branch this off into a new thread let me know but it was originally posted in here since it was the most recent existing post that appeared related, at the time.
Forum: Plugins
In reply to: [Simple CAPTCHA Alternative with Cloudflare Turnstile] Help! Can’t log in!Update: 11 sites in total (out of the 86 sites that we have it installed on) are no longer able to pass the Captcha with the plugin active.
Of those 11 sites, 10 of them have an identical duplicate copy of the site running on a separate subdomain that works perfectly. They are all identical clones and all software is the same. Running on the same server. All keys valid. No errors shown in the plugin’s settings area on either copy. This was not an issue in November.
eg:
- Server 1
- β http://www.site1.com (Working)
- π« staging.site1.com (Not working)
- Server 2
- β http://www.site2.com (Working)
- π« staging.site2.com (Not working)
- Server 3
- β http://www.site3.com (Working)
- π« staging.site3.com (Not working)
Sample Debug Log:
"Date","Success","Response","IP","URL"
"February 4, 2026 11:38 pm","No","timeout-or-duplicate","XXX.X.XXX.XXX","/wp-login.php"
"February 4, 2026 11:38 pm","Yes","Success","XXX.X.XXX.XXX","/wp-login.php"
"February 4, 2026 11:38 pm","No","missing-input-response","XXX.X.XXX.XXX","/wp-login.php?loggedout=true&wp_lang=en_CA"Forum: Plugins
In reply to: [Simple CAPTCHA Alternative with Cloudflare Turnstile] Help! Can’t log in!Update: 3 sites found so far with the issue. Whitelisting the IP in settings prevents the issue from blocking /wp-admin access.
Forum: Plugins
In reply to: [Simple CAPTCHA Alternative with Cloudflare Turnstile] Help! Can’t log in!I too am having this problem on at least 2 sites I manage. Worked fine pre-holidays. Only way to fix and regain access to the /wp-admin is to disable the plugin via FTP then can regain access. All plugins up to date. The new Failsafe feature has no effect.
.
Those seem to come from OpenAI ChatGPT crawlers
Useragent: Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; GPTBot/1.2; +https://openai.com/gptbot)
- This reply was modified 1 year, 3 months ago by skunkworks.
No interest in using (or continuing to troubleshoot) the plugin now that it’s known that the plugin requires communicating with an uncontrolled mystery server.
Update: Just received another Solid Security Email randomly in French.
Translated:
Main body:
Site analysis
Scheduled site scan found 1 issue [REDACTED-URL].ca/fr.
Known vulnerabilities
WordPress WPML Multilingual CMS plugin <= 4.6.12 – Authenticated (Contributor+) Remote Code Execution via Twig Server-Side Template Injection vulnerability
Footer:
Debugging information (source page): [REDACTED-URL].ca/fr
The email was followed 12 hours later by an English version of the same email that differed slightly.
Main body:
Site Scan
The scheduled site scan found 1 issue when scanning [REDACTED-URL].ca.
Known Vulnerabilities
WordPress WPML Multilingual CMS plugin <= 4.6.12 – Authenticated (Contributor+) Remote Code Execution via Twig Server-Side Template Injection vulnerability
Footer:
Debug info (source page): WP-Cron
can you try clicking the βResetβ button under the Scheduler table on your Debug page?
Done.
under the Notification Center table, can you confirm that the βdigestβ ID has a schedule for βNext Sendβ?
Reads:
digest – Last Sent: 2024-09-26 20:08:05, Next Send: 2024-09-27 20:08:05, Schedule: daily (Just changed to daily by me) Also I clicked “Force” button which resulted in an email arriving (in English). Unfortunately the email reads:
Site Scan
An error occurred while running the scheduled site scan on [REDACTED SITE NAME]:
Error Message: Unable to determine if the scan target is allowed: Target site returned invalid response. The site scanner was forbidden from accessing your site. Please check if the IP address 207.246.255.60 has been blocked.
Error Code: site_verification_failed.connection_errorIs https://ipinfo.io/207.246.255.60 Solid Security? If so, it was blocked by Cloudflare’s Firewall. You may want to get that IP whitelisted by Cloudflare’s staff as a known safe bot.
I know the last Security Digest was in French language, but (if not deleted yet) please check itβs content (use Google translate if you have to). The email content will tell us what security event/feature triggered that Security Digest email to be send (lockout(s) and/or file change(s)).
It was originally an IP block that was reported in French.
install your LAMPP stack properly.
if you dont know how to do it just buy a managed hosting or managed server.
Was installed by the experts at Less Bits via ServerPilot.io which was created by Justin Samuel and Kevin Luikens. Confident that they know what they’re doing.
Have used their products for just shy of 10 years and have never once had a situation prior where it seemed we didn’t have the basics installed properly.
DigitalOcean VPS + ServerPilot + Cloudflare
Checked the logs from the Post SMTP plugin and a weekly report email wasn’t sent.
Checked the Solid security plugin’s settings for the security digest at:
wp-admin/admin.php?page=itsec&path=%2Fsettings%2Fnotification-center%2Fdigestand all was as expected there. Not sure why the email wasn’t sent. Many other emails from WordPress have been sent in that time and are visible in the logs.
Thanks for checking in on this. Strangely the Weekly report email didn’t come in. (Should’ve been on the 19th) Will need to check on why that is since I know site emails are working properly.
Have added
define( 'ITSEC_DEBUG', true );to the wp-config and will see what happens when the next Weekly Digest email comes in.
If you prefer to use the old 2FA settings UI, you can add this constant to your siteβs wp-config.php file:
@shanedelierrrdefine ( 'SOLID_SECURITY_LEGACY_2FA_UI', true);With Solid Security Basic v9.3.2 I too had to use the above method in order to disable 2FA for my user as the regular method was not working. (WordPress v6.3.4, php 8.2) May 12th 2024
- Server 1