it is no general issue: acct:matthias@pfefferle.org" target="_blank" rel="noopener noreferrer">pfefferle.org/.well-known/webf…

have you added some extra routes/rules in your nginx or apache config?

nginx / apache config? what config? 🙈​🙉​🙊​ I'm on a shared webhosting plan where I used a one-click Wordpress install. I'm not even sure how to add / configure Nginx.

Considering I added it to my Ghost blog in order to install Varnish cache (which is amazing) I need to look into it.

Please just assume I am a normie who copies and pastes lines of code with success from time to time 😅​

I am sorry 🫣

Have you added something to your .htaccess file? Where do you host your site?

thanks for the help Matthias.

I have very stringent security rules in place with All in One Wordpress Security so maybe it has something to do with that?

Honestly it's NO big deal if I cannot follow my Wordpress account from GoToSocial. I'm just testing things these days before making a big decision 😀

ok Matthias, you are the only person I would ever disable the security plugin for 😊​ I'll do this for the next hour and clear my cache.

For caching I'm using WP Super Cache FYI.

Anyway feel free to look around now that my plugin is disabled. And thank you!

aw thanks for letting me know Matthias!

The GtS devs are on it too, something about the software being very strict with permissions re: content types.

Anyway I will happily re-enable that plugin now, I'm feeling so exposed 😅​

hmm so @pfefferle I just tried to load a post of yours notiz.blog/2025/03/24/blogtast… in SNAC and it doesn't come up at all even though it comes up in Mastodon. Have you been checking how your webfinger works with many things other then Mastodon in the first place?

Matthias Pfefferle

2025-03-24 13:31:07

Blogtastisch: 2. Blogs und das Fediverse

Ich bin morgen, den 25. März um 14 Uhr zu Gast bei Blogtastisch!, einem Meetup für die Bloggosphäre.

Vor ein paar Wochen hat Thomas Riedel mich gefragt, ob ich nicht Lust hätte bei seiner virtuellen Blogger-Konferenz mit zu machen und etwas über „Blogs im Fediverse“ zu erzählen bzw. Rede und Antwort zu stehen.

In diesem Meetup geht es um Social Media in Verbindung mit Blogs, und zwar im Besonderen um das Fediverse. Matthias Pfefferle entwickelt das Fediverse-Plugin für WordPress schlechthin: ActivityPub. Was das Fediverse ist, warum man das haben will als Blogger:in und wie man das installiert und einrichtet, das erklärt uns Matthias in dieser Ausgabe.

Damit alleine hat er mich schon überzeugt – und als ich dann das finale Line-up gesehen habe, erst recht… Es liest sich wie das Who’s Who der deutschen Bloggerszene! 🙂

Wir sehen uns morgen 👋

Blogtastisch! - 2. Blogs und das Fediverse

Am 11. März startet ein neues Eventformat für Blogger:innen. Hier trifft sich die Bloggosphäre zum Netzwerken, und um sich aufzuschlauen.

^Eventbrite

Yes, I sometimes have this error showing up in the "site health" page.
What does it mean? This site only has one user account. I guess it's blocked by something then, but by what and how to unblock it?

I also noticed that on my other site (liminalweb.site) one user seems federated @David@liminalweb.site whereas the two other ones are not (but the backend tells me they are): @Gator@liminalweb.site and @BigKamo@liminalweb.site

can you try to follow @pfefferle@notiz.blog on GtS?

I would assume that this is not a general issue, but something interferes with the WebFinger output on elenas site.

@liaizon

hmmm... does anyone have a test instance where I can have an account to run some tests?

btw. feditest.org/contrib/results/2…

I think we are pretty standards complient, except of some error codes.

the lookup of posts is done by content negotiation and webfinger is it's own thing using the .well-known endpoint.

to look up a post url, you would not need webfinger at all.

ok, I found the issue!

that is a tricky one!

SNAC seems to check if the URL you try to look up is a post or a profile url. And they test that using WebFinger. If WebFinger returns JSON it is a profile, otherwise it might be a post.

BUUTTT: I have enabled WebFinger also for my posts, so SNAC seems to think my posts are broken profiles!

webfinger.net/lookup/?resource…

THAT IS INTERESTING!

if I deactivate WebFinger for my posts it works...

mastodon.social/@pfefferle/114…

Matthias Pfefferle

2025-07-08 16:04:47

ok, I found the issue!

that is a tricky one!

SNAC seems to check if the URL you try to look up is a post or a profile url. And they test that using WebFinger. If WebFinger returns JSON it is a profile, otherwise it might be a post.

BUUTTT: I have enabled WebFinger also for my posts, so SNAC seems to think my posts are broken profiles!

webfinger.net/lookup/?resource…

THAT IS INTERESTING!

if I deactivate WebFinger for my posts it works...

WebFinger

^{webfinger.net}

Hi. I've pushed some code to fix this. It seems to work, but code must be considered experimental.

CC: @pfefferle@mastodon.social @wake_st@snac.rohrmoser.name @elena@aseachange.com @pfefferle@notiz.blog

that is why I LOVE the #fediverse!!!

this is awesome @grunfink !!!

Thank you very much for your help!

CC: @liaizon@wake.st @wake_st@snac.rohrmoser.name @elena@aseachange.com @pfefferle@notiz.blog

such a fast solution wow! 🏆✨ congrats all

@liaizon @wake_st @pfefferle @grunfink

I wonder how long it will be until my timeline is nearly 100% Elena accounts? 😂

You've still got a long way to go to catch up with @catsalad though who I'm convinced is responsible for at least half the accounts in the entire Fediverse!

Hi Matthias.
I found the source of the issue.
There's a checkable option that blocks profiles:
"Prevent discovery of usernames through '/?author=N' scans, the oEmbed API, the WordPress REST API, and WordPress XML Sitemaps"

Wordfence advises against unchecking it:
wordfence.com/help/firewall/br…
What do you think?

I understand why they might want to hide the IDs, but WordPress Core uses them extensively, for example, in its API endpoints.

To me, this feels more like 'security through obscurity' and I'd prefer to focus on strong passwords and two-factor authentication.