Forum Replies Created
Most people do forget to set these helpful headers. Many of the known attack possibilities (man in the middle, cross-site-scripting etc.) are almost impossible then.
It just needs some reworking, since everyone wants to have different features on his site (Google Maps, Google Analytics, Youtube, Vimeo, CDNs to present media files).

What I’m only surprised about is that some things I thought were covered by the 'self' setting, which is not the case (script loading and stylesheet loading). To have normal outlook of Enfold options i had to set for:
    script-src 'self' 'unsafe-eval' 'unsafe-inline'
    style-src 'self' 'unsafe-inline'
So I allow scripts and stylesheets to be loaded insecurely inline (http).

My guess was that some of these get parameters ( https://codex.wordpress.org/Determining_Plugin_and_Content_Directories ) are causing insecure loading. Because i force my whole site to be https by wp-config entry – i have these inconsistencies – like the image above shows you.

November 11, 2019 at 5:18 pm in reply to: Masonry to display posts – better way to order them? #1155669
and if you know what you like to have use a filter : https://kriesi.at/documentation/enfold/masonry/#change-the-sort-order-of-masonry-elements
or this child-theme functions.php snippet ( or is it deprecated in 4.6.3.1 ? )
https://kriesi.at/documentation/enfold/blog-post/#how-to-add-an-orderorderby-option-to-the-blogpost-sliderportfoliomasonry-grid-element

November 10, 2019 at 10:55 am in reply to: set image alt tag and title in image media element #1155310
Besides the working edited image.php – : hm for masonry gallery and gallery ? – i do not see where Enfold sets this Input Field for Caption. Maybe it is possible to add here a custom Title / Alt Inputfield

Many hosters are now forced to switch to higher php versions. Most notify you that the 5.6 versions will now be disabled, but not all. I don’t remember when the enfold versions needed newer php versions higher than 7, but maybe that’s the reason.
Then: did you disable Gutenberg (Block Editor)? I only use the Classic Editor setting with Enfold:
Enfold (Child) – Theme Options – Select Your Editor

the easiest way to colorize it is f.e. in Photoshop et.al.
all other methods would influence the whole column – or do not work on all browsers
background-blend-mode f.e. : https://caniuse.com/#search=background-blend-mode
with your example – you have to overwrite the inline rules – because the background image is set as background.
    .page-id-63 #banner {
      background-image: url("https://www.surfschool.net/wp-content/uploads/2019/07/beginner-surfboard-rentals-huntington-beach-banner.jpg") !important;
      background-size: cover !important;
      background-repeat: no-repeat !important;
      background-position: center !important;
      padding: 45px 35px 45px 35px;
      border-radius: 15px;
      background-color: rgba(0,60,255,0.4) !important;
      background-blend-mode: multiply !important;
    }
or background-blend-mode : soft-light is nice too – but IE and Edge do not support this – the mobile browser too etc. pp.

the first thing when activating Enfold as theme i do insert this to my child-theme functions.php:
    function admin_head_mod() {
      // widen the Quick CSS field and the options page, make the reset button unclickable
      echo '<style type="text/css">
        #avia_quick_css .avia_description {float: none;margin-bottom: 20px !important;padding-left: 0 !important;width: 98%}
        #avia_quick_css .avia_control {float: left;max-width: 98% !important;width: 98% !important}
        .avia_footer_links li {float: left;padding-right: 20px}
        .avia_footer .avia_footer_save {float: left}
        .avia_reset {pointer-events: none !important }
        #avia_options_page { max-width: 3000px!important}
      </style>';
    }
    add_action('admin_head', 'admin_head_mod');
or in that code above set .avia_reset to display:none
it disables the reset button and lets the quick css field and the whole options page grow to max width.
The quick css is too narrow for some selectors.

November 8, 2019 at 1:40 pm in reply to: set image alt tag and title in image media element #1154993
i added custom title attribute as well.
see here: https://pastebin.com/ehe0nEuK
Download here: https://pastebin.com/dl/ehe0nEuK

sorry : both sites
a) https://www.bellarinepeninsulaaccommodation.com.au/
b) https://www.greatoceanroadaccommodation.directory/

I’m sorry I’m saying this now, you think you should play it safe and start over.
So-called Nulled Themes can also put code into other folders (of course also into the wp-content folder etc.).
For me the risk would be too high. Therefore : even the database should be completely rebuilt. And also upload a new WordPress. Sounds paranoid, but it would be too unsafe for me to invest too much work and then be blocked by Google because the site sends tons of spam.

November 7, 2019 at 5:30 pm in reply to: set image alt tag and title in image media element #1154690
https://kriesi.at/support/topic/set-image-alt-tag-and-title-in-image-media-element/#post-642918
And for multilanguage sites it could be nice to set different language specific alt and title attributes.
Although f.e. with WPML this is possible in media library too – the easier way is to set it manually.

Based on image.php of last Enfold Version 4.6.3.1
I needed this by myself – so i can share this here.
This Custom Alt input field overwrites the Alt attribute from the Media Library only in this case. If the field remains empty, you have the Media Library Alt attribute – if that doesn’t exist – you have an empty Alt attribute.
Maybe you should even add something like : Image Alt or something similar for SEO reasons.
;)
https://pastebin.com/dl/ehe0nEuK ( no support on that – those who do not know how to use edited ALB in Child-Themes should read in the documentation )
Please do upload a complete new Enfold Folder like here: https://kriesi.at/support/topic/some-hints-and-advice-to-update-enfold/#post-1056107
Because: Pirated (Nulled) Themes do often include malware or spyware.
so to be sure that there is no additional code in your enfold folder – this was my advice.

PS both sites are still on older versions: the one on 4.0.5 the other on 4.4.1

Why is it necessary to set the script-src to 'unsafe-inline' and 'unsafe-eval' – in content security policy ?
without it does not work – same thing with style-src .
My whole website is https – i force it via wp-config and on htaccess there are entries too!
But when i set the given CSP to only 'self' a lot of things do not work.

so these settings work very well – but had to be always adjusted to your website.
The best would be to start with a Standard Entry in htaccess file
    # Extra Security Headers
    <IfModule mod_headers.c>
      Header set X-XSS-Protection "1; mode=block"
      Header always append X-Frame-Options SAMEORIGIN
      Header set X-Content-Type-Options nosniff
      Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
      Header set Referrer-Policy no-referrer
      Header set Feature-Policy "camera 'none'; microphone 'none'; payment 'none';"
      Header set Content-Security-Policy "default-src 'self'; img-src 'self' http: https: *.gravatar.com;"
    </IfModule>
Do not insert this between the standard Entry of WordPress itself:
Between # BEGIN WordPress and # END WordPress

After that you look to your site and open the developer tools of your browser – goto console log and look for errors.
If you have a youtube film – f.e. you have to exclude these sources from the Content-Security-Policy
you see that on the code above f.e. the gravatar.com is excluded from img-src .
Google Maps needs to have contact to api etc. pp.

Yoast does it right if it does not count the backgrounds as images. these are in css not in the DOM as img tags.
Yoast only looks if all img tags have alt attributes.

November 5, 2019 at 9:14 am in reply to: Button formatting not displaying properly with PDF link #1153899
on that page f.e: https://campcarysbrook.com/fees-registration/camper-forms/ the little icons are inserted by a plugin or via script.
Maybe this tries to insert on the same way a pdf icon before the enfold button and destroys the structure.
There are ways via quick css to replace the enfold icon with your: https://campcarysbrook.com/wp-content/plugins/mimetypes-link-icons/images/pdf-icon-16x16.png

the thing is – that background-images do not have alt tags – or do you see in your source code an image tag?
i can not believe that a seo tool (i use for bigger sites Yoast Seo – and others for smaller sites ) would find this as fault.
May i see the concerning site?

besides the script problematic – see your source code some entries in the body tag – etc. pp ( Google Analytics code etc)
(how did you insert your Analytics Code >? f.e.)

maybe that causes my hypothesis:
try to select some “invisible” text – this seems to be white font on white background. Because i see the spell check working in your screenshot.

hm – what about:
P.S.: Please do not report issues here, instead start a new thread.
?
there is no automatic load of the child-theme replacement files:
there is a child-theme functions.php snippet that induces the replacement: https://kriesi.at/documentation/enfold/intro-to-layout-builder/#add-elements-to-alb
the place then for the substitutes is: child-theme/shortcodes/
in this case i would overwrite the parent theme file – because it will be fixed in next update
but this is deprecated stuff. Google / Youtube changed all what was in former times possible to suppress.
You only have the possibility to have your own Channel and on these Videos it is possible to set some things in the youtube Options.

What you always can do is not to use the google maps ALB Element – but the codeblock element and embed the iframe given from Google Maps ( there is an embed button on share the map )
The only thing to change there is the width to 100% and the wanted height !
Then insert to the codeblock element your borlabs short code and the iframe in between:
    [borlabs-cookie id="googlemaps" type="content-blocker"]<iframe src="https://www.google.com/maps/embed?pb=!1m14!1m8!1m3!1d2524.0265485697782!2d7.0528674!3d50.7565414!3m2!1i1024!2i768!4f13.1!3m3!1m2!1s0x47bf1e2abeab2637%3A0x2a80c2a108fded35!2sLudwig-Schopp-Stra%C3%9Fe%2027%2C%2053117%20Bonn!5e0!3m2!1sde!2sde!4v1572797232411!5m2!1sde!2sde" width="100%" height="600" frameborder="0" style="border:0;" allowfullscreen=""></iframe>[/borlabs-cookie]

or do not remove it but redefine it to an empty title:
    jQuery('your-selector').attr('title', ' ');
or via property:
    jQuery('your-selector').prop('title', ' ');

November 3, 2019 at 7:36 am in reply to: After duplication to new site – custom font dont work anymore #1153471
And by the way – this could not be the correct usage of the font name in css? – with file-extension?
This preview should give you an idea of what the layout will look like, but does not show exactly what will be shown in the frontend.
you can switch off that developer Preview in Options Dialog of Enfold : Layout Builder – General Builder Options

can you show a gallery of your page on frontend? That will help more like that little film to inspect what happens.
how to add a custom script to enfold – see here: https://kriesi.at/documentation/enfold/add-custom-js-or-php-script/#add-a-script-to-footer-section
maybe instead you can describe what you did. It might help others to solve the same problem.
or if it is a post with post ID (be careful it is a class) like: .postid-2553
Ok _ thanks for now :
these are my efforts on that: https://securityheaders.com/?q=https%3A%2F%2Fwebers-webdesign.de%2F
you can see my code inserted in htaccess file on that page.

My efforts for now: i did setup for the admin area an own htaccess file with less restrictions.
That is good for the options in enfold – but there is a lot to do to have a secure site – and white lists for google maps f.e. etc.
If someone has a good example page – it would be nice to see.
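
Added example (not part of the forum posts, and not Enfold or WordPress code): a small Node.js check that works out which source list really governs scripts, styles, images and frames in a policy, including the fallback to default-src, and lists the sources that weaken it. The function names are made up for this example, and RELAXED is a constructed combination of the directives quoted in the posts above.

```javascript
// Added example: find the sources that weaken a Content-Security-Policy.
// Fallback chains per fetch type, most specific directive first.
const FALLBACK = {
  'script-src': ['script-src', 'default-src'],
  'style-src': ['style-src', 'default-src'],
  'img-src': ['img-src', 'default-src'],
  'frame-src': ['frame-src', 'child-src', 'default-src'],
};

// Policies quoted in the posts; RELAXED combines them (constructed sample).
const BASE = "default-src 'self'; img-src 'self' http: https: *.gravatar.com;";
const RELAXED = BASE +
  " script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'";

// "name src src; name src" -> { name: [src, ...] }
function parseCsp(policy) {
  const directives = Object.create(null);
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Browsers honour only the first occurrence of a directive.
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// The source list that governs a fetch type; null means no restriction.
function effectiveSources(directives, type) {
  const name = FALLBACK[type].find((d) => d in directives);
  return name ? directives[name] : null;
}

function auditCsp(policy) {
  const directives = parseCsp(policy);
  const findings = [];
  for (const type of Object.keys(FALLBACK)) {
    const sources = effectiveSources(directives, type);
    if (sources === null) { findings.push(`${type}: unrestricted`); continue; }
    for (const src of sources.map((s) => s.toLowerCase())) {
      if (src === "'unsafe-inline'") findings.push(`${type}: ${src} permits inline code`);
      else if (src === "'unsafe-eval'") findings.push(`${type}: ${src} permits eval()`);
      else if (src === '*' || /^[a-z][a-z0-9+.-]*:$/.test(src)) findings.push(`${type}: ${src} matches every host`);
    }
  }
  return findings;
}

console.log(auditCsp(RELAXED).join('\n'));
```

A browser ignores 'unsafe-inline' when the same directive also carries a nonce or hash source; this check does not model that.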