Update On WordPress Directory Listing

Store Locator Plus® 5.9 was released last week as a security update for the WordPress plugin community.   The plugin was reviewed by the WordPress Directory staff.    They chose to keep the plugin closed for what they deemed “potential future issues” with the plugin as well as requests for several changes to follow what they deem “best practices”.   Of note in this review is that they did not cite any of the publicly reported vulnerabilities that closed the plugin in the first place as remaining open.

In other words, all reported vulnerabilities were apparently addressed to their satisfaction.

However, they have opted to keep the plugin closed until we can update our coding style. While we are willing to work toward their new “best design practices” for coding style, this is going to take some time. For example, the latest 5.10.1 release of the Store Locator Plus® plugin has replaced the PHP standard <?= shorthand with the longer <?php echo syntax per the WordPress Plugin Directory Team’s request. This is not a security issue, but something they requested we change before being re-listed. This requires that we run a full internal test of the updated code before it can be released to the general public.

While we wait for the WordPress Plugin Directory Team to approve re-listing, our self-managed WordPress plugin users can only receive updates to the Store Locator Plus® plugin.  You can find this in the WordPress plugin store.   You can learn more about the update process in our 5.9 Security Update Released news post.

While we hope that the folks over at WordPress.com deem our plugin worthy of being re-listed in the near future, we have no control over what they will come back with during each review.   It could be weeks or months before the plugin is available again in the standard directory with one-click updates being available.

This is one of the biggest advantages of being on the SaaS offering: there is no need to manually update your locator software.  EVER.

Store Locator Plus® 5.9 Security Update Released (WordPress Plugin)

Store Locator Plus® 5.9 was released today for our WordPress plugin customers.   The update addresses several security concerns in the AJAX and REST libraries included with Store Locator Plus®.   Despite several articles being released prematurely from security companies in the WordPress market, we are unaware of any compromises to WordPress sites due to this vulnerability.

Unfortunately the folks that manage the WordPress plugin directory de-listed Store Locator Plus® almost immediately, despite our ongoing communication that we were working on patching the reported vulnerabilities.    As such, many of our WordPress plugin users are now unable to update the WordPress plugin to install the latest 5.9 release automatically from within their site dashboard.

Upgrading Store Locator Plus® On WordPress

Users that wish to upgrade to the latest 5.9 release will need to follow these steps until further notice:

  1. If you do not already have an account at WordPress.StoreLocatorPlus.com with the Store Locator Plus® base plugin as a prior purchase, you will need to purchase it.
    1. Go to https://wordpress.storelocatorplus.com/
    2. Click the Add To Cart Link
    3. Complete your purchase
  2. Login to your WordPress.StoreLocatorPlus.com account and download the base plugin.
    1. Go to https://wordpress.storelocatorplus.com/
    2. Click on My Account (top right of screen on the menu bar)
    3. Click on the Downloads entry on the account menu (top-middle of the page).
    4. Download Store Locator Plus®
  3. Deactivate and Delete Store Locator Plus® from your website plugins.   It will not remove your settings or locations.
    1. Login to your website as a site administrator.
    2. Go to plugins.
    3. Find the Store Locator Plus® plugin, hover over the entry on the plugin list.
    4. Deactivate the Store Locator Plus® plugin (this may deactivate your premium Store Locator Plus® add ons)
    5. Delete the Store Locator Plus® plugin.
  4. Upload and activate the updated 5.9 version of Store Locator Plus®.
    1. While staying logged in as an administrator on your site go to plugins.
    2. Click the Add New button.
    3. Click the Upload Plugin button next to the “Add Plugins” title.
    4. Select the Store Locator Plus® slp4.zip file you downloaded from our WordPress store.
    5. Go back to the main Plugins dashboard on your site, listing all plugins.
    6. Check off ALL the Store Locator Plus® plugins, including the newly-uploaded Store Locator Plus® base plugin and any premium add-ons you may have.
    7. From the menu on the top or bottom of the plugin list, choose “Activate” and click Apply.

For those that do not have an existing purchase of the Store Locator Plus® base plugin for WordPress and do NOT wish to purchase a copy from our store, you can wait until the folks that manage the WordPress plugin directory review our latest release and re-list it in the WordPress plugin store.  We are hoping this happens soon, but they are very busy and it could take up to a month for them to review our updates.

For Our SaaS Customers

For our customers using our SaaS service, none of this applies to you.  All security patches and updates are automatically provided as part of the service.   The security concerns in the self-managed WordPress plugin that are being discussed do not affect your site in any way.    SaaS users are not hosting data or access endpoints for AJAX or REST on their servers, and thus have no vulnerabilities like those discussed in the various Store Locator Plus® security bulletins.

 

WordPress Subdirectory Install and The REST API

It seems there are a number of new people having issues with the Store Locator Plus® address lookup feature due to a failed REST API request. With Store Locator Plus 5 all address lookups are routed back through the WordPress site via the REST API in order to protect Google API keys.

If your site is running WordPress from a subdirectory, you may run into issues if your web server is not configured to properly handle REST API routing. This is especially true if the site is using “pretty permalinks”, meaning any Permalink setting under WordPress Settings | Permalinks other than “plain”.

The problem is that most of the Codex articles on the subject of “WordPress in its own directory” installs came out well before the REST API existed. Most, dare we say ALL, have not been updated since and completely ignore the corner case of a WordPress subdirectory install with Permalinks enabled.
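One way to confirm whether a failed address lookup comes from REST routing on a subdirectory install is to request the REST API index at both the pretty-permalink path (/wp-json/) and the query-string fallback (?rest_route=/) and compare the answers. The Python below is an added example, not code from Store Locator Plus®; the site address https://example.com, the "wp" subdirectory and the sample responses are constructed assumptions.

```python
import json
import urllib.error
import urllib.request

def rest_candidates(home_url, wp_subdir):
    """URLs where the REST index may answer. home_url is the public site
    address; wp_subdir is the directory holding the WordPress core files."""
    home = home_url.rstrip("/")
    core = f"{home}/{wp_subdir.strip('/')}"
    return {
        "pretty_home": f"{home}/wp-json/",
        "pretty_core": f"{core}/wp-json/",
        "plain_home": f"{home}/?rest_route=/",
        "plain_core": f"{core}/?rest_route=/",
    }

def is_rest_index(status, body):
    """True when the response is the REST API index (JSON with namespaces)."""
    if status != 200:
        return False
    try:
        doc = json.loads(body)
    except ValueError:
        return False  # e.g. the web server's own HTML error page
    return isinstance(doc, dict) and "namespaces" in doc

def diagnose(results):
    """results maps a candidate name to its (status, body) pair."""
    ok = {n for n, (status, body) in results.items() if is_rest_index(status, body)}
    if ok & {"pretty_home", "pretty_core"}:
        return "pretty-route-ok"
    if ok & {"plain_home", "plain_core"}:
        # WordPress answers REST calls, but /wp-json/ never reaches index.php
        return "rewrite-misconfigured"
    return "rest-unreachable"  # REST disabled, blocked, or wrong URLs

def probe(url, timeout=10):
    """Fetch one candidate; returns (status, body), also for 4xx/5xx."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")

# Constructed sample: the web server serves its own 404 for /wp-json/,
# while the query-string route reaches WordPress.
SAMPLE = {name: (404, "<html><body>Not Found</body></html>")
          for name in ("pretty_home", "pretty_core")}
SAMPLE.update({name: (200, '{"name": "Example", "namespaces": ["wp/v2"]}')
               for name in ("plain_home", "plain_core")})
```

Against a live site, build the results with `{name: probe(url) for name, url in rest_candidates(home, subdir).items()}` and pass them to `diagnose`; a "rewrite-misconfigured" result points at the web server rewrite rules rather than at the plugin.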