Premium WordPress Integration

wessel-novacustom

I have managed to fix this by myself by making this change in my Nginx configuration!

I changed this line:
try_files $uri /forum/index.php$query_string
To:
try_files $uri /forum/index.php?$query_string

clarkwinkelmann

wessel-novacustom glad you found a solution.

It had to be related to the rewrites/try rules of WP and Flarum which are nested, you need to make sure everything under /forum/ is handled by Flarum's index.php

clarkwinkelmann

Version 1.8.3 - January 5, 2024

Fix open redirect vulnerability in logout script

Only the Flarum extension needs updating. The WordPress plugin has not received any change.

Forum data and credentials were never at risk, this was just a bad practice that could potentially harm the forum domain reputation if used to facilitate spam. It could also potentially be abused in a phishing attack against the users of the forum to make a malicious link look more legitimate.

The same vulnerability existed in Flarum core and was fixed in Flarum 1.8.5. This extension requires a patch because it uses a modified version of Flarum's logout controller that also contained the vulnerability. You don't need to add the WordPress domain name to the new redirectDomains config key, as the global login and logout feature doesn't use that Flarum mechanism.

Flab

Thanks for this really great plugin. Installing it with the documentation was pretty straight forward. But maybe I did somewhere something wrong.

Login from wordpress / comment section

On the wordpress site: When I want to comment the blog acrticle I cant login or register. Error message says something like

Oops! Something went wrong there. Please reload the page or try again.

Picture resizing

Some pictures on the flarum site in the content excerpt are looking wired. The width of the picure is changed to fit in the frame, but the height remains. Like this:

I tried to geht rid of th e picture with whitelist of HTML tags with p,ul but that seems not to work with my blog.

Previous blog postings

All the previous postings on the blog site have instead the comments frame this message:

This post doesn't have a comment thread yet. If you are the blog administrator, publish the post, or disable and re-enable comments to start a thread.

I can use “Bulk Edit” on the posting site to turn of the comments an on again. But there about 3000 postings. Is there any easier, smarter way to that?

Where to change words

Where can I change some words like on the flarum site in the excerpt WorpdPress Post. Also I want to change the read on blog and Read more button into my language.

On the Wordpress Site I want to change the word comments in to the site language as well.

clarkwinkelmann

Flab sorry if I skip over some of your questions, I'll reply to the most pressing points and read again your post later to make sure I didn't forget anything.

For the "Something went wrong", there should be more info in the Flarum or webserver log file, see https://docs.flarum.org/troubleshoot for how to find it.

For the picture size, I assume it's the post thumbnail rather than an image in the post content. I don't remember if my extension has a setting to toggle its visibility, probably not. But I could add a setting for that. The post preview on the Flarum side is displayed with some very simple CSS, which you should be able to override from the forum custom CSS if you wish. I don't remember seeing that issue with the image ratio but I'll take a look at whether I can fix it. It could also be caused by the CSS from other Flarum extension.

There is currently no way to automatically create comment threads for existing WP posts. This is a feature I planned to add but have not completed yet. The only solution at the moment is to manually toggle comments off and on again on each WP post. If you need this feature I can move it up my TODO list and work on it in the coming weeks.

To change texts on the Flarum side, you can use the Linguist extension https://discuss.flarum.org/d/7026-linguist-customize-translations-with-ease I think all texts should be translatable but if you can't find one let me know and I'll look into it.

On the WP side (outside of the iframe), I don't think my extension provides any text at all (except the admin panel setting names). The comment count is re-using the translation from the WP built-in themes, so it should already be translated by WP language packs. Texts inside the iframe are managed in Flarum.

Flab

clarkwinkelmann

Login from wordpress / comment section

Content of the storage/log
https://pastes.io/a6fg6fxaze

Picture resizing

In the admin panel both options Show WordPress post thumbnail above excerpt and Show WordPress post thumbnail in Flarum discussion list are switched off.
The image is in the begining of the post content, not the post thumbnail.
Unfortunately I dont know how to write anything in CSS.

Previous blog postings

If you need this feature I can move it up my TODO list and work on it in the coming weeks.

That would be a really nice to have feature and will save a lots of clicks.

Where to change words ✅

To change texts on the Flarum side, you can use the Linguist extension https://discuss.flarum.org/d/7026-linguist-customize-translations-with-ease I think all texts should be translatable but if you can't find one let me know and I'll look into it.

I could find everything with the linguist extension.

hrvoje_hr

Flab you can send the link and I will help you with CSS

clarkwinkelmann

Flab I don't remember 100% and I'll need to check the code again but it's possible that the thumbnail settings only apply to new and updated WP posts.

Once I implement the import tool, it will also solve this issue as it will allow re-syncing all post previews in addition to the comment threads.

Flab

hrvoje_hr Thank you for your kind offer. You will find a sample posting with strange looking picture over https://kominote.de/d/42-zusammen-f%C3%BCr-mehr-respekt

clarkwinkelmann The new import tool sounds great.

I still have the login problem when I want to login from the comment section at the wordpress site. Does this log file from storage/log help?
https://paste.quest/?56772ec7b1af43bd#8BTy3qZwSwDSBc49p2rLhGApzsp4KPE2MY9K4HZQoYYR

hrvoje_hr

Flab you could use this to hide the image:

.KilowhatWordpressSummaryPost-Article img {
    display: none;
}

However it is better to allow only the "p" HTML tag in the extension settings ("Whitelist of HTML tags to keep in the excerpt" section)

clarkwinkelmann

Flab I still have the login problem when I want to login from the comment section at the wordpress site. Does this log file from storage/log help?

It seems unlikely that those errors are related to login. The 3 WP logs are just information and not errors. The 2 instances of the same error must have happened during the deletion of a post.

The post deletion error is curious because I haven't seen it before. I'm not sure if it could be caused by my extension. It's probably caused by either discussion_user.last_read_post_number or discussions.last_post_number being NULL. This could be caused by malformed data after migrating from another software, or is related to posts/discussions that have been manually created by an extension, possibly my WP extension. I would need to test on my development server to see if I observe this issue.

Can you share your php flarum info and confirm whether you migrated data from another platform? Also if you remember deleting Flarum posts, do you remember if it was inside a WP comment thread or unrelated?

Flab

clarkwinkelmann

I cant say exactly which Flarum posts I was deleting.

Here is my php flarum info

I do have now a second storage/log Maybe this one can help?

NetConfig

Hi Clark,

Another quick FYI type update re WP Integration.

As you know, I have been trying to create a clean integration with the login / membership account page on the WP side.

I am coming to the conclusion that there are limited options to fully accomplish this and that it is better to stay in the normal WP fold with things.

So I have:

set the WordPress login path under the SSO settings in WPI back to the standard wp-login-php option
added a custom WP login modal logo with a plugin.

By doing this, the correct SSO behavior is also again working completely. Meaning, when you login on one side, you are in the other and the same for logout side.

Yes, it does POP up the WP login modal, but it is now customized to show some icon related to my main site, and seems "integrated enough". Forcing users to first go to the main site to login, and then go back to what they wanted to do also seems like a hassle for user experience anyway.

I am hiding the KiloWhat login button with display none in CSS, because there are enough Login options that show up at the Post level anyway. Meaning, the Login to see Replies from your See Past First Post extension, or the normal Login to Reply button from the normal theme.

On my "menu bar", I still have three custom buttons of which two are visible to users at one time.
Forums - is the home button as I am not displaying a logo here
Main Site - will link to the Membership login page for visitors using the Links extension
Main Site - will link to the normal home page of the WP site for logged in users.

In short: using your WP Integration extension AS YOU DESIGNED IT, hiding a Login button, and adding a few menu bar buttons, along with a bunch of custom CSS to integrate the forums look and feel with the main WP site seems like the way to go.

And then using the See Past First Post aka Show Only the First Post extension makes it a solid solution for clean integration with a membership site.

Just wanted to share as I am getting another step closer to installing this on my live site as described.

Cheers!

Flab

One more thing. Maybe this problem is connected with the "cant Login from the comment section in wordpress" Or maybe not.
Flarum and Wordpress are installed on two different domains. Like myflarumsite.com and mywordpresssite.com. Normally when login out of wordpress I get redirected to: mywordpresssite.com/blog/wp-login.php?loggedout
Since the Flarum Plugin in Wordpress is activ, I get redirected to: myflarumsite.com/wordpress
A error page occurs with something like "could not find this site, back to myflarumsite.com"

clarkwinkelmann

Flab officially, using multiple root domains is not supported (see Requirements section of my documentation), because the main SSO mechanism is a cookie set to the top level domain that must be accessible to both WP and Flarum.

Something I should add to the documentation is that the common domain is only a requirement for the SSO feature. The comments integration by itself will work no matter the domain names.

It might work when logging in from a certain direction due to how it's implemented, but I am not entirely sure in which circumstances it will work, I would have to do some tests.

I might be able to add an option to make SSO cross-domain work, but it will involve one more redirect on every login. Currently, global login is done through cookie (because it's more performant and less chance of breaking due to WP plugins), and global logout is done through redirects (because it's the only way to be certain both sessions are deleted).

Flab

My goal: Users on my blog site (they dont have or need a wordpress account) can comment the article. Therefore they can register or login in the comment frame below the wordpress article. So I dont know if im right, I think therefore I dont need SSO? I disabled SSO.
With SSO disabeled or enabled its not possible at the moment to leave a comment in the frame below the wordpress post.

clarkwinkelmann

Flab that's correct. If your users don't need a WP account for any WP features, it's better to leave the SSO feature off and simply let users connect using native Flarum login and/or Flarum social login extensions.

You should be able to connect and reply directly from the iframe on the WP side. If it doesn't work, maybe the Flarum hosting needs some additional headers to allow the cross-domain embedding of the iframe. My extension doesn't add such headers, as they depend on the exact situation and are easy to add using Apache or Nginx rules.

I'd really like to add a section about headers to my documentation but I have a hard time figuring out all the use cases I should cover. And it seems like every time I finally have some instructions written, browsers update their security requirements and I have to research everything again 😅

Flab

clarkwinkelmann You should be able to connect and reply directly from the iframe on the WP side. If it doesn't work, maybe the Flarum hosting needs some additional headers to allow the cross-domain embedding of the iframe. My extension doesn't add such headers, as they depend on the exact situation and are easy to add using Apache or Nginx rules.

I don't know really know what exactly to do. Is there any chance I can get the extension to work with my limited technical knowledge? Where and how do I add headers? Any hint is much appreciated.

clarkwinkelmann

Version 2.0.0 - May 9, 2024

This is a major release. Please read this announcement and execute the migration commands listed below.

Thanks to everyone who sent feedback in these last few months, I hope this update addresses most of your needs!

Video showing the new features

Upgrade instructions

This update requires a few additional steps. The extension will not work as intended if you skip them.

If you have some sort of maintenance mode, I suggest enabling it so no user tries to login or post during the update. But it should only take a few minutes and most features of WordPress and Flarum should continue to work even if you haven't finished to update both sides yet.

Update the WordPress plugin. The download link is available under the WordPress changelog.

First update the package (require will make sure you bump the major version):

composer require kilowhat/flarum-ext-wordpress

Then open the Flarum admin panel, and enable the "Backoffice" extension which will have been automatically installed.

Enabling this new extension should have automatically run the migrations and cleared the cache, but you can run them again to be sure:

php flarum migrate
php flarum cache:clear

And finally, after having updated both the WordPress plugin and Flarum extension, run the following command on the Flarum server to migrate the settings to their new names and invalidate the old API Key:

php flarum kilowhat-wordpress:migrate:v2

The command will list the actions that are about to be performed and ask you to accept. Press Enter to continue, or use the --no-interaction CLI flag when calling the command to skip confirmation. The command can be run again without any danger.

That should be it! You can then check out the settings in the Flarum admin panel if you wish to enable the new features.

If you encounter any error during the update process, please reach out.

Improved security

I have completely rewritten the way Flarum and WordPress communicate together.

Previously, a Flarum API Key was used and also behaved like an API Key on the WordPress side, meaning a compromised key would allow performing any admin action on both Flarum and WordPress, resulting in a complete compromise of both sites.

The new implementation uses a shared key that only authenticates synchronisation requests.
If that key were to be compromised, it would at worst allow an attacker to create bogus discussions under the tags configured for WordPress comment threads. Or when the SSO feature is used, it would allow creating bogus user accounts but won't be able to give them arbitrary groups (but if you use role to group synchronisation, they could assign any of those groups).

This change was made to follow best practices, I don't have any report of the old system being abused.
For the key to be stolen in the first place, one of WordPress or Flarum (or their respective backups) would probably have to be compromised. The new system ensures my extension cannot be used as a vector to compromise the other website in case one is compromised.

New global login methods

In addition to the cookie-based global login previously used by the SSO module, 2 new methods have been added.

These new methods remove the requirement to host WordPress and Flarum on a common top level domain.

Redirect uses a redirect after the first login from WordPress to connect Flarum.

Iframe uses a hidden iframe and the PostMessage web API to enable cross-origin communication between Flarum and WordPress and offer a one-click login, or optionally login through an automatic client-side page refresh.

See the documentation for the pro and cons of each method.

Improved cross-origin support, but...

I have performed many tests for cross-origin support. I added more built-in headers that you don't have to setup manually and created a section in the documentation about what must be done manually.

Unfortunately, the main conclusion of these many tests is that the setup will be infinitely easier if you stick to a common top-level domain.

Despite the improvements, global login and interacting with the comments in the iframe probably won't work in private browsing or privacy-enhanced mode in most browsers.

Role to group synchronisation

As part of the SSO feature, you can now automatically assign groups to Flarum users based on their WordPress role.

Forced Synchronisation commands

You can now manually force a synchronisation of all posts or users. Useful if you have a lot of data already in WordPress before enabling the integration.

Check out the help page for the commands and the online documentation.

php flarum help kilowhat-wordpress:sync:posts
php flarum help kilowhat-wordpress:sync:users

Feature toggles kept in sync

Previously, the SSO and Comments features had to be toggled on both Flarum and WordPress side.

In this new version, toggling a feature from the Flarum admin panel will automatically toggle it on WordPress side as well.

Other changes

Added: Option to send Guzzle exceptions to the Flarum reporter instead of silencing them, useful with Sentry for example.
Changed: Moved settings to the "Backoffice" admin area in order to use some of the reusable components provided by that extension.
Fixed: The "last updated" date of a WordPress post is no longer bumped anytime a comment is written.

NetConfig

Congrats Clark on this major leap forward with the WP-Flarum integration. I will be implementing it on my test site ASAP and likely my main site this weekend, and share any feedback.

For those who are new to this discussion and that are looking for the BEST forum option for a WordPress site: do yourself a huge favor and explore Clark's solution here.

I use it specifically for the SSO capabilities, but not the Comments functions.

Compared to bbpress, Asgaros or WP Foro as "native" Wordpress forums, integrating Flarum with Wordpress results in a much, much nicer discussion platform, that is WAY more modern too.

I also like having a hard split between my "content side" on WP with its plugins, database, theme, etc, and having the "discussion side" entirely separated into another installation, which I can backup independently, etc.

Clark's software easily and nicely integrates the two and I have the forum.sitename.com approach for my setup.

Will report back here with any insights after performing two upgrades by this weekend!

« Previous Page Next Page »