WP eStore plugin – ShrinkTheWeb plugin


Viewing 15 posts - 1 through 15 (of 60 total)
    #4732
    WPS P&C Admin
    Participant

    I recently installed Bulletproof Security on my site wpspandc.com.au but as soon as I did, and activated it, the shopping cart functionality on my website stopped working. If customers added an item to their shopping cart, and tried to checkout, they were seeing the following error message:

    Your shopping cart is empty. Please add an item to your cart. You can load the checkout page and make sure the shopping cart is not empty.

    If you are the admin of this site and you are certain that the shopping cart is not empty then the PHP Session on your server is not working correctly. Please check this http://www.tipsandtricks-hq.com/forum/topic/php-session-not-working-correctly/

    According to the WP eStore plugin provider, this issue is usually caused by an incompatibility with another plugin, and since the Bulletproof Security plugin is the only change I had made to my website in the last 2 weeks, I tried disabling it (by deactivating Root Folder BulletProof Mode, as you suggest). Sure enough, as soon as I did this, the shopping cart functionality started working correctly again.

    Could you please advise whether Bulletproof Security can be made compatible with my webstore plugin, WP eStore?

    #4741
    AITpro Admin
    Keymaster

    Please check your BPS Security log and post the error related to the WP eStore plugin.

    #4743
    WPS P&C Admin
    Participant

    Error log pasted below, as requested. It’s rather long – looks like there have been a lot of attempts to log into my website in the 3 days since I installed this plugin…..

    The ones referring to /wp-content/plugins/wp-cart-for-digital-products are legitimate issues – these will be the attempts by my customers to purchase from my webstore. All the others look like attempts at hacking in (presumably bruteforce password guessing attempts, etc).

    BPS SECURITY / HTTP ERROR LOG
    ==============================
    ==============================

    >>>>>>>>>>> 403 GET or Other Request Error Logged - 20/04/2013 - 5:22 pm <<<<<<<<<<<
    REMOTE_ADDR: 60.242.170.14
    Host Name: 60-242-170-14.static.tpgi.com.au
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: http://www.wpspandc.com.au/webstore/
    REQUEST_URI: /wp-content/plugins/wp-cart-for-digital-products/lib/timthumb.php?src=[thumb]http://www.wpspandc.com.au/community-advertising/[/thumb]&h=125&w=125&zc=1&q=100
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_5_8) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.90 Safari/537.1

    #4747
    AITpro Admin
    Keymaster

    That timthumb URL is very ugly. Try this first…

    1. Copy this .htaccess code below to the Custom Code CUSTOM CODE PLUGIN FIXES: text box
    2. Save your new custom code by clicking the Save Root Custom Code button.
    3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

    NOTE: If your WordPress installation is in a subfolder then add your WordPress subfolder name in the path.
    Example: /my-wordpress-installation-folder-name/wp-content/plugins/google-document-embedder/

    # WP eStore skip/bypass rule
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/wp-cart-for-digital-products/ [NC]
    RewriteRule . - [S=13]

    If that does not work then try this…

    # WP eStore skip/bypass rule
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/wp-cart-for-digital-products/ [NC,OR]
    RewriteCond %{REQUEST_URI} ^/webstore/ [NC]
    RewriteRule . - [S=13]

    #4751
    WPS P&C Admin
    Participant

    I tried both of those pieces of custom code, but the problem still occurs. Every time I put something in the shopping cart, then navigate to another page, the shopping cart empties.

    #4752
    WPS P&C Admin
    Participant

    See extract below from my .htaccess file, which was inserted by the Activate button:

    # PLUGINS AND VARIOUS EXPLOIT FILTER SKIP RULES
    # IMPORTANT!!! If you add or remove a skip rule you must change S= to the new skip number
    # Example: If RewriteRule S=5 is deleted then change S=6 to S=5, S=7 to S=6, etc.
    
    # CUSTOM CODE PLUGIN FIXES
    # WP eStore skip/bypass rule
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/wp-cart-for-digital-products/ [NC,OR]
    RewriteCond %{REQUEST_URI} ^/webstore/ [NC]
    RewriteRule . - [S=13]

    #4754
    AITpro Admin
    Keymaster

    Is the /webstore folder a literal or virtual URL path?

    A literal URL means that the /webstore folder actually exists.

    A virtual URL means that the /webstore folder does not exist and the URL is a permalink URL.

    #4756
    WPS P&C Admin
    Participant

    No it’s not a real folder, it’s a permalink URL. I have a page with the title “Webstore” and I have edited the Permalink for this page to be “webstore” too.

    #4757
    AITpro Admin
    Keymaster

    The timthumb request_uri in the error log entry you posted simulates an RFI hacking attempt against your site, but the BPS RFI security filter already whitelists the timthumb.php file name, so I don’t think that would be the problem. I will look at that after you try this next.

    Scroll down in your root .htaccess file until you see this code…

    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]

    …and then add this directly below the code above…

    # RewriteRule for Custom Apps outside of WP
    RewriteRule ^webstore/ - [L]

    #4759
    AITpro Admin
    Keymaster

    Also, in older versions of BPS, square bracket coding characters were blocked. They are no longer blocked in the current version of BPS. Check your root .htaccess file and make sure that you do not see this security filter below.
    RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|%3c|%3e|%5b|%5d).* [NC,OR]
    If you do see this security filter then click the [obsolete-removed] buttons and activate Root folder BulletProof Mode again. This is assuming that you have the most current version of BPS installed and not an older version of BPS.

    #4760
    WPS P&C Admin
    Participant

    Yes, I believe I have the latest version of BPS installed, as I only installed it a few days ago. It’s version .48.3. I don’t see the security filter you mentioned above, with the square bracket. I have cut & pasted the code you suggested, so I now have the following in my root .htaccess file. Do I need to use the [obsolete-removed] buttons again to activate this code?

    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    # RewriteRule for Custom Apps outside of WP
    RewriteRule ^webstore/ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    # END WordPress

    #4761
    AITpro Admin
    Keymaster

    Also double check that the RFI and MISC file skip/bypass rule for timthumb.php is correct in your root .htaccess file. You should see your root domain in the HTTP_REFERER condition.

    ...
    ...
    RewriteCond %{REQUEST_URI} (timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
    RewriteCond %{HTTP_REFERER} ^.*wpspandc.com.*
    ...
    ...
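
    The three rule fragments quoted in this thread (the obsolete square-bracket QUERY_STRING filter, the timthumb.php referer whitelist, and the WP eStore skip conditions), modelled as an added example so a site admin can check which condition a logged request would match before editing the root .htaccess file. This is not BPS code: it copies the regexes as written in the posts above, applies each to the variable its RewriteCond names (Apache's %{REQUEST_URI} is the path only; the part after "?" is %{QUERY_STRING}), and does not reproduce mod_rewrite rule ordering or S= skip counts. The second request and its referer are constructed.

```python
import re
from urllib.parse import urlsplit

# Obsolete BPS QUERY_STRING filter (post #4759) that blocked square brackets and friends.
OLD_BRACKET_FILTER = re.compile(r"^.*(\[|\]|\(|\)|<|>|%3c|%3e|%5b|%5d).*", re.IGNORECASE)

# RFI/MISC skip rule for thumbnail scripts (post #4761): the script name must be in
# the path AND the referer must be the site's own domain. Copied as written there.
THUMB_SCRIPTS = re.compile(r"(timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php)", re.IGNORECASE)
OWN_SITE_REFERER = re.compile(r"^.*wpspandc.com.*")

# WP eStore skip/bypass conditions from the Custom Code fix (post #4747), [NC,OR] joined.
ESTORE_SKIP = re.compile(r"^/wp-content/plugins/wp-cart-for-digital-products/|^/webstore/",
                         re.IGNORECASE)


def classify(request_uri: str, referer: str) -> dict:
    """Return, per quoted condition, whether the request matches it (True = matches)."""
    parts = urlsplit(request_uri)          # splits "/path?query" into path and query
    path, query = parts.path, parts.query
    return {
        "estore_skip": bool(ESTORE_SKIP.match(path)),
        "thumb_whitelist": bool(THUMB_SCRIPTS.search(path) and OWN_SITE_REFERER.match(referer)),
        "old_bracket_filter": bool(OLD_BRACKET_FILTER.match(query)),
    }


# The request from the BPS log entry posted earlier in this thread.
LOGGED_URI = ("/wp-content/plugins/wp-cart-for-digital-products/lib/timthumb.php"
              "?src=[thumb]http://www.wpspandc.com.au/community-advertising/[/thumb]"
              "&h=125&w=125&zc=1&q=100")
LOGGED_REFERER = "http://www.wpspandc.com.au/webstore/"

# Constructed for contrast: same script, plain image URL, referer from another site.
FOREIGN_URI = ("/wp-content/plugins/wp-cart-for-digital-products/lib/timthumb.php"
               "?src=http://www.wpspandc.com.au/logo.png&w=125")
FOREIGN_REFERER = "http://example.org/"   # constructed, not from the thread

if __name__ == "__main__":
    for uri, ref in ((LOGGED_URI, LOGGED_REFERER), (FOREIGN_URI, FOREIGN_REFERER)):
        print(uri.split("?")[0], classify(uri, ref))
```

The logged request hits all three conditions, including the obsolete bracket filter via the `[thumb]` tags in its query string, which is why post #4759 asks to confirm that filter is absent.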

    #4762
    WPS P&C Admin
    Participant

    With the above code in place, now my webstore doesn’t work at all – I can’t even add something to my shopping cart.

    #4763
    AITpro Admin
    Keymaster

    That is a generic/default WordPress .htaccess file. Is that the .htaccess file you are currently using on your site and the problem is still occurring? You would add the code I posted above to the BPS root .htaccess file after you activate Root Folder BulletProof Mode.

    #4764
    WPS P&C Admin
    Participant

    Oh, hang on. I currently have root folder bulletproof mode deactivated, to allow the webstore to work. That’s why the .htaccess file is so small. I need to activate it again, then add the code you suggested. Will try that now…
