Support Forum

Advanced Search
Forum Scope


Match



Forum Options



Minimum search word length is 3 characters - maximum search word length is 84 characters
general-topic
SimplePress deleting users and posts outside of SimplePress...
Avatar
James Mueller
Member
Free Members
sp_UserOfflineSmall Offline
Jan 7, 2015 - 2:14 pm

On Jan-05 I discovered trashed Posts, Users, and Featured Images on our site.

These deletions occur daily. As of today 2,000+ posts – and many associated users and images -- have been trashed.

To clarify: When I refer to “posts” I’m referring to the articles on the site. I am not referring to SimplePress posts, though some SimplePress posts could be missing as well. Growthtrac.com is not only a SimplePress forum -– our site contains thousands of articles (posts).  SimplePress is only a secondary, very minor piece of our site.

The last 3 days, we’ve worked with our host -– WPEngine -– and our developers to determine the cause. Admin accounts were checked, passwords changed, and a Sucuri Scan was run. The scan came back clean.

Last night we tracked content changes on the site. Sure enough, 100+ new deletions occurred and they originated from a cron.

The sph_cron_user cron is deleting content daily at 04:17am
This is of course a SimplePress cron.

 So, I located these (enabled) SimplePress settings:

--Enable auto removal of member accounts
--Remove inactive members (if auto removal enabled)
--Remove members who have not posted (if auto removal enabled)

Here’s what’s been happening: Instead of only removing inactive SimplePress members, SimplePress is also deleting non-SimplePress users (authors, etc.) and associated content.

SimplePress should only be impacting SimplePress data.

 We’re running 5.5.1

 Can you shed light on this?

Avatar
Yellow Swordfish
Glinton, England
SP Master
sp_UserOfflineSmall Offline
Jan 7, 2015 - 3:56 pm

The problem really is that you are mistaking the concept of users.

Simple:Press is a plugin for WordPress not a standalone forum application. There is no such thing as a 'Simple:Press' user as distinct from a user on your site. Simple:Press does not create, maintain or have it's own users. They are all users on your website, controlled by the WordPress user sub-system.

So if you have those options turned on it is working on your site user-base. 

And it uses the standard WordPress core function wp_delete_user() which will remove that user and any 'baggage' that belongs to them.

For most websites - which are run by one or two people who control all of the content then this is a useful tool to make use of. Clearly with lots of people who have in the past, contributed items but have since gone and now fall into the terms of the option settings it is, perhaps, not so useful. And one of ther reasons, of course, we install Simple:Press with those options turned off.

andy-signature.png
YELLOW
SWORDFISH
Avatar
Ron Dunn
Member
Free Members
sp_UserOfflineSmall Offline
Jan 7, 2015 - 6:22 pm

Yellow Swordfish, have you ever thought of separating WordPress users and Simple:Press users?

My forum is for ISV customers and interested parties, a bit like this support forum. I understand the thinking behind integration, but I wonder how many forum customers actually want/need their users to have WordPress integration into their site.

Avatar
James Mueller
Member
Free Members
sp_UserOfflineSmall Offline
Jan 7, 2015 - 6:28 pm

As predicted: it's "my fault"  Oh, and thanks for the empathetic response.

The forums utilize the "WP user sub-system" ... Sure, everyone knows that! How intuitive. Maybe I should have enrolled in the "Simple:Press Architecture 201" class ...  Sorry, my fault.

Why would a "feature" that deletes post content be "useful" ?

And, why, on such a "feature" where a misconfiguration could cause such catastrophic results, would you not provide a 'warning' or 'validation' to safeguard against such actions?

<<  ... And one of the reasons, of course, we install Simple:Press with those options turned off.

And, no -- these configs were not "turned off" by default.

Unbelievable  ... I'm done with you guys. 

PS You're now on the WPEngine "Blacklisted Plugin" list.

Avatar
kvr28
Member
Free Members
sp_UserOfflineSmall Offline
Jan 7, 2015 - 6:32 pm

are you joking? I'm on wp-engine, when does this go in affect?

Avatar
James Mueller
Member
Free Members
sp_UserOfflineSmall Offline
Jan 7, 2015 - 6:39 pm

May not be on the "list' yet, but no, I'm not joking.  I guess after investing 3 days on the issue and paying for a 3rd-party security scan, they didn't want this to reoccur on any of their sites.  Good Luck.

Avatar
kvr28
Member
Free Members
sp_UserOfflineSmall Offline
Jan 7, 2015 - 6:47 pm

I'm waiting on the help desk now for clarification, if they do I guess I will have to move my site,

Instead of only removing inactive SimplePress members, SimplePress is also deleting non-SimplePress users (authors, etc.) and associated content.

Yellow was pretty clear a year ago that WP and SP users are one and the same

https://simple-press.com/suppo.....y-default/

Avatar
kvr28
Member
Free Members
sp_UserOfflineSmall Offline
Jan 7, 2015 - 7:48 pm

well, just got done talking to wp-engine, they have no plans as of right now for disallowing it, they said it would be a 30 day notice if they do, unless it is a security or malware issue which this is not, might still be worth looking into site ground

James, it sucks that this happened, I really feel for you, we went through something similar but to a much lesser extent a couple years ago, since your join date is the second and you say you noticed it only a few days ago, have you had many blog posts the last couple days? Is your nightly backup still available for the first of January so you can revert to that and then disable that cron job and delete the plug in if you don't want it any more?

Avatar
James Mueller
Member
Free Members
sp_UserOfflineSmall Offline
Jan 7, 2015 - 8:18 pm

The correct forum join date is roughly 15 months ago.
We've deleted Simple:Press.

These deletions go back as far as 28-Nov-2014; WPEngine only saves backups 30-60 days, so I cannot go back any further.  My guess is the trashed posts began early 2014; there are some posts we will not be able to recover.  We have a lot of work ahead of us.

And, as stated, it's not as simple as 'restoring' trashed posts -- Simple:Press removes users and associated posts, images, etc.  

BTW The WPEngine team I was working with was quite pissed about the situation; you (obviously) spoke with someone unfamiliar with the issue.

Avatar
kvr28
Member
Free Members
sp_UserOfflineSmall Offline
Jan 7, 2015 - 8:33 pm

yeah, but the backup should restore everything, posts, users and pictures, I believe the default setting for auto removal is 365 days, so at the worst it would have happened a year from your go live date with simplepress, which would be close to your 15 months ago join date and the Nov 28th date

I just checked my dashboard and I'm showing the earliest nightly back up as Dec 8th, so you may be able to restore with just the missing 10 days from 2014, 2013 and anything from the 8th

I agree with you, I'm sure you were talking to someone way further up the totem pole than I was, good luck

Forum Timezone: Europe/Stockholm
Most Users Ever Online: 1170
Currently Online:
Guest(s) 1
Currently Browsing this Page:
1 Guest(s)
Top Posters:
Mr Papa: 19448
Ike: 2086
Brandon: 864
kvr28: 804
jim: 650
FidoSysop: 577
Conrad_Farlow: 531
fiddlerman: 358
Stefano Prete: 325
Member Stats:
Guest Posters: 620
Members: 17365
Moderators: 0
Admins: 4
Forum Stats:
Groups: 7
Forums: 17
Topics: 10128
Posts: 79626