CoffeeCake

Oh. So that's just an aside. Gotcha. How the e-mails were sent out and by what mechanism remains a mystery.

Thank you for this. We operate a site that is similarly sized to the one you are associated with, and have had similar suspicions. We had far better success at addressing the issue by focusing our efforts on the source of registrations. For us, the majority of spam registrations came from particular network segments once we looked at the ASN associated with known spam registrants. We used our CDN's firewall feature to handle those registration attempts and have quite significantly reduced the number of spammers getting through. It's mostly a rare occasion now.

So you used the same username/password combination on the compromised web site (whatever 123rf is) as you did for your servers?

Just for clarity, @Adriano Faria: We see this error upon clicking the 'Create a Bookshelf' button--not when attempting to save a new bookshelf. I see a modal window appear for a moment and then straight to the error message.

No, this table has one record with a books_shelf_id of 1. The values match your attached sql INSERT statement.

See: https://developers.google.com/books/docs/v1/using#RetrievingVolume Looks like you're grabbing thumbnail, but they have smallThumbnail, thumbnail, small, medium, large, extraLarge as results. Something on the larger side would be nice (or configurable, for those concerned with storage constraints of the images). While this would be nice, I meant it more as a manual click to conduct the existing single ISBN search rather than on losing focus for the ISBN field, and an explicit "No matches found" message to let the user know that a search was both performed, and no results came back. In our intial testing, we thought it was broken entirely as we were beginning with books that did not have matches returned by the API. It wasn't until it eventually pulled a result that we understood how it was working.

Another thing we noted, that it would be nicer to take a larger version of the cover other than the thumbnail from the Google API. When clicking on images where the cover came from the API call, we have a tiny version compared to the larger versions from manual uploads in testing. I see this is hardcoded in the API call, but that Google provides options for other sizes. It also might be nice to have an explicit search option, where the user presses a button to search against the Google API (rather than as a surprise when losing focus on the input). From a UX perspective, it's not apparent at all that a search is happening, especially if a match isn't found.

books_bookshelves is empty, with no records.

Nope. We have not made any database modifications.

@Adriano Faria, when trying to create a bookshelf, we get the following error: OutOfRangeException: (0) #0 /path/to/ips/applications/books/modules/front/books/bookshelves.php(27): IPS\Node\_Model::loadAndCheckPerms(1) #1 /path/to/ips/system/Dispatcher/Controller.php(101): IPS\books\modules\front\books\_bookshelves->manage() #2 /path/to/ips/system/Dispatcher/Dispatcher.php(152): IPS\Dispatcher\_Controller->execute() #3 /path/to/ips/index.php(13): IPS\_Dispatcher->run() #4 {main} Also, it would be nice if you trimmed the ISBN input before hitting the Google Books API to remove leading and trailing whitespace.

Advertising is not a cancer. It helps offset costs for many of us. However, the advertising on your site seems, at least as a guest, to be heavily modifying the content of the pages beyond what you likely intend or accounted for. This implementation of advertising, as it exists on the linked site, is a bit cancerous. It, like a cancer, overgrows its natural boundaries, is malignant to its environment, and spreads in such a way that it may be an impacting factor here. Maybe not an issue for the target audience, and the feedback is not intended as a criticism or reflection on your decisions to monetize in this fashion, yet as you try to rule out what's going on, I'd test it with advertising disabled and on the default theme to see if the issues persist. Anything else is a stab in the dark. We don't know what's getting injected to load all those videos, popups, and other elements, nor where they are originating from. On the standard theme, and on the theme here on this site, I don't see any issues with the ability to use reactions on a variety of mobile browsers. Something additional in your implementation is likely the issue, whether that be a plugin/application, custom theme issue, or content inserted into the DOM by your ad networks, or some conflicting combination therein.

Like I shared in your other thread, this doesn't work the way you think it works. You can use nginx to cache content, yet nginx has no way to know that someone has changed the content on your installation to work the way you're thinking it will. You can cache static content, and Makoto provides examples here of how you'd do that, however you can't cache dynamic content and expect nginx to magically know that someone has modified a field in your database. That must be parsed by the php, and php is only getting parsed when the caching you setup expires. You can instruct nginx to cache things for a set period of time, yet when you do that, expect to see that content served exactly as you configured it, absent of any changes made by your users.

Wait... so encrypted data ceases to be accessible if you do something standard like rotate service account passwords? 😵 Why isn't there a constant that's used as an encryption key just for this purpose so that the password can be changed without affecting anything else?

Thanks for the insight, newbie LAC. I don't understand what it is, or why it exists. It has untranslated strings, and it is turned on without granting it access, potentially exposing privileged information about advertising campaigns and impressions without any advance indication it would do so. I'd encourage you to reconsider turning on something like this only as an explicit opt-in.

This application creates a page that is available to anyone by default with statistics involving ad impressions. Why is this a thing? I don't see it documented anywhere. For those of you with it installed, check your FURL configuration. Disabling application access via permissions is a workaround, yet why is this here?

Have you tried making it a div instead of a span? Also, it may be wiser to set these values in css and place a class instead, so that you can adjust this in the future more easily, rather than hardcoded style elements within the stored body. Something like: <div class="myRightFloatingImageClass">{content}</div>

There are some issues on mobile, where the text overlaps in the list of categories on the main page. Would this be something you'd be able to correct, @Adriano Faria?

This may be an issue where your credentials were compromised. Change all your passwords. Do not reuse passwords. Do not reuse passwords. Oh, do not reuse passwords.

What version of IPS do you have installed, @marklcfc? Do you have anything other than IPS installed on your server? Any newsletter or other type applications setup to send outbound mail?

I don't think it does what you think it does. That config entry caches requests based on the response code for the period of time indicated. That may make sense on a site that changes infrequently, but not for an active forum. What makes you think the cache is purged by any other means than the elapse of time? Nginx makes the request the first time, gets a 200 response, and then waits 60 minutes to ask again per your config, serving out the cached content until that time expires. There would be no saving of overhead for Nginx to run php, but then not serve out updated results. I'd encourage you to start with reading documentation on each available config option and implementing them one at a time to validate your understanding is correct.

The issue is that your configuration is caching all successful or redirect requests for 60 minutes. fastcgi_cache_valid 200 301 302 60m; Why did you set that value? Documentation: http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html#fastcgi_cache_valid

Don't forget the cancer that is your advertising. That may be interfering in some way.

I'd encourage you to escalate this with Invision, and review the Scope of Work for your engagement to see what the responsibilities of the developer were to complete the project. @Lindy or @Matt may be good people to ping to ensure your issue is not being missed. It may be that they delivered to you a working solution, yet you or your team have changed something outside of the agreed scope, or the environment was not configured per specifications. It may be that you agreed to this whole thing using a series of emojis scrawled on napkins for all I know though. Let's hope that's not the case. As to why it's not working, it would only be stabs in the dark to try and sort that out. Invision should be able to point you as to where their responsibilities end, and with more information on what's left, you may be able to get someone to help sort out the remaining pieces. If it's an issue with your Wordpress installation, for example, or an issue at the web server or cookie domain level, that may be something that Invision can't or won't sort out and you'd need an expert in those domains to come and assist. From your video, I see that you're expecting the SSO to work across various subdomains. you.fearlessliving.org vs. community.fearlessliving.org. If the login session is being set in a cookie at the subdomain level rather than at fearlessliving.org, that's a possible explanation for why things aren't working. Was that expectation communicated from the beginning of the engagement? I imagine Invision has a good reputation with regard to custom work. We haven't personally engaged them, yet I'd be surprised if that weren't the case.

Yes. You might want to explore all of the individual processors that IPS integrates with. Stripe is probably most along the lines of how you would expect it would work.