Jim M

You will want to disable plugins and switch to an unmodified theme to see if the issue is still present. If it is not, enable each one by one again to see if it comes back. If you run into the error again, you will want to contact the author of the plugin/theme for assistance. As the warning indicates, this may be a sign of a plugin or theme is out of date. It does not confirm it is. There are specific functions which are guarded with a CSRF protection key. In those cases, the software is functioning as it should as your CSRF protection key does not match the key which the process generated.

You will want to do the following Spam Prevention items mentioned in this guide: https://invisioncommunity.com/4guides/security-and-rules/spam-prevention-r9/ Looking at your registration form, you are still using CAPTCHA2. You will want to switch to hCAPTCHA to prevent more automated spam bots. Check that your Spam Defense is configured correctly for our services in ACP -> Members -> Spam Prevention. Configure the Flag as Spammer option to be used by you and your administrator/moderator teams to quickly remove spam posts and ban spammers. You will also want to rotate your Question and Answer challenges frequently and ensure that they are things which you are target audience knows but is not easily Googled. This will prevent spam human users from registering. If you are seeing spammers from a certain country that your community does not serve, you can also block them in ACP -> Members -> Spam Prevention -> Geolocation Settings. Finally, if you believe spammers are gaining access to accounts through means of exposed credentials from the dark web. Enabling and requiring Two Factor Authentication will help prevent that. Outside of the items mentioned above, the next steps would be to take moderation action. Require your base member group to have 1 or more posts approved by a moderator prior to them showing up to the rest of your community without being moderated. Use the automated moderation tools so that if a post is reported x times as spam, the system will automatically hide it for your team to review. If any spammers do get through, be sure to use the Flag as Spammer option as that will report it to our system and help your fellow administrators. I will say that no 1 spam prevention method will be 100%. However, hopefully, with all the above, it should cut enough down that you are able to not just wake up to a bunch of spam posts that plague your community. If you deploy the moderation techniques, you will not have your community publicly plagued by spammers. Unfortunately, in the event that a spammer has dormant account(s) on your site and they have already surpassed an acceptable amount of posts (I say acceptable as some may be borderline that your moderation team may still allow) to bypass the moderation queue, the only thing that will help are successful moderation practices by humans and staying vigilant about the future with the above.

It would not prevent the page from showing, no.

You would want to contact your hosting provider or server administrator to ensure that you are properly logging errors.

I'm afraid, this is not a security issue. However, it is a case of spammers trying to sneak under the radar and access counts they've setup in the past.. Keep in mind that a spammer can reset a password to an account if they have access to the email address tied to the account.

This would indicate that you're hitting a server resource issue. It may be the file you're attempting to send is too large and you're hitting a timeout, it could be the server simply can't process it, etc... Only your hosting provider would be able to inform you what that is if there is nothing in your logs related to this request/resource consumption. This is not related to the process here. This is stating that someone tried to access that directory on your webserver but there is no index file to serve them.

I don't believe this is something which we provide and if one is not provided, typically the email service would cover that. Like in an example I just sent through Amazon SES, SES provided the Message-ID header for me as I did not supply it. I have tagged this to a developer to confirm.

CloudFlare Pro has managed firewall rules and improved bot filtering. You would need to review it. I'm afraid, it is outside our scope of support so you would need to contact CloudFlare if you have any questions.

That would be dependent on your server capabilities. If you are unsure, you will want to have your hosting provider or server administrator run that query via the command line.

A blank page is the sign of a suppressed PHP error, you will want to obtain the logs from your server error log for further details on what the issue is.

You would want to contact the author of the application for any support.

The software is getting an unexpected response from your server so is showing the .htaccess information as it is acting like it isn't present. The items mentioned were just suggestions, there may be something else entirely and it will take someone familiar with your hosting setup to fully look into that. Do you use CloudFlare or another firewall product? Is it stopping this from running functionally? Is there a rouge Apache setting only for this site? Tons of things to investigate.

You would want to ensure your configuration for all sites are the same. Just because they are all on the same server, does not mean they are configured the same. Maybe there's a php.ini or .htaccess causing something screwy to happen or the opposite, the php.ini or .htaccess is required to undo something in the core configuration. Your host would need to assist you with this if you are unsure how to check these.

Apologies, looks like we missed this. We plan to support version 4 for a period of time after version 5 comes out. We will issue security releases and minor bug fixes for version 4 in that period but we will not be issuing new features. In theory, on self-hosted, you could stay on version 4 indefinitely. The only thing from our end is that we would likely phase out support of version 4 at some point so you would not be able to obtain support for the software once past that. Additionally, once security patches end and the software version is past end of life, you start to run the risk of security vulnerabilities in not only the software but the underlying server components as well. Commerce is not integrated with Zapier at this time so a customization would be needed.

I would take note of what I edited here as well. The author would need to state compatibility.

You would need to check each author's independent site to see if there have been any releases. Additionally, simply because there has been no release, does not mean it is compatible. Please note this would also impact plugins as well.

Thank you for reporting this. I have submitted this internally to be further investigated.

As you have a custom theme and third-party applications/plugins which interact with code surrounding this, I would recommend starting by ensuring these are compatible with the release you're on.

Has this happened recently on the latest release? If so, not really a good test case at the moment, I'm afraid, but please let us know the example if it happens that way in the future.

The crontask is still set to use PHP 7, you'll need to change it to using PHP 8.1. Go to ACP -> System -> Advanced Configuration and copy the cron task provided there to your cron setup on your server. If you are unsure how to perform this, please contact your hosting provider.

ACP > Members > Groups > edit group > Social > Reactions. Ensure there’s no limit and then repeat for each group 🙂.

Not being familiar with Dovetail's integration with WordPress, it would be hard for us to say how to uninstall it. It sounds like you're just using Invision Community now and everything has been brought over to Invision Community. If that is the case, you can contact the author of the Dovetail integration and find out how to uninstall that. If there are no SSO's setup to your WordPress side or anything else that Invision Community is reaching out to WordPress for. You could ultimately remove WordPress files and database. However, as Randy mentioned, that assumes that your database is separate from your Invision Community database. If they are not, it is very manual that you'll need to determine what is a WordPress table or Invision Community. Finally, if you do decide to go the route of delete files and databases, take a final backup before doing so (maybe of your whole server). That way, if you accidentally did something wrong, you have it.

There isn't a means to do this currently in the software. It would require a customization or speaking with Stripe to see if they have a way.

We used this functionality in our Marketplace up until we closed it. However, looking in PayPal's docs, the functionality for Payouts does still exist.

The answer would be this hasn’t been reported, no. testing that URL local to my test environment, I am unable to even reproduce the error itself. Therefore, either this is something specific to your environment or some customization of the environment. You would want to restore the environment back to stock and provide us access if the issue is still present.