WooCommerce – 403 error

Home Forums BulletProof Security Free WooCommerce – 403 error

This topic contains 19 replies, has 4 voices, and was last updated by  AITpro Admin 2 years, 10 months ago.

Viewing 15 posts - 1 through 15 (of 20 total)
  • Author
    Posts
  • #5141

    nasigoreng
    Member

    Hey guys,

    We’re using Woocommerce Plugin and eversince we installed BPS we get 403 forbidden error on our “Order Received” page. Just to explain of what’s going on with the plugin:
    1. User buys a product from us
    2. The user gets redirected to paypal to pay
    3. The user pays on paypal’s website
    4. Paypal redirect the user back to our website
    5. 403 error!

    The redirect URL from Paypal looks like this:

    http://www.ourtestwebsite.com/checkout/thank-you/?order=xxx&key=order_xxx&utm_nooverride=1&tx=xxx&st=Completed&amt=10.00&cc=GBP&cm=xxx&item_number=

    Is there a way to fix this? Any info would be helpful
    Thank you!

    #5144

    AITpro Admin
    Keymaster

    Disregard: This topic is no longer valid. Several things in WooCommerce have changed.
    See this new Topic regarding WooCommerce issues/problems: http://forum.ait-pro.com/forums/topic/woocommerce-read-me-first/

    #5146

    nasigoreng
    Member

    hey guys

    Thank you so much for the quick prompt reply. removing the order| fixes the problem! This is actually a new installation. I only just installed the BPS plugin this morning. The query string is actually added by Paypal, rather than WooCommerce.

    Thank you again.
    Amazing plugin!

    #5157

    AITpro Admin
    Keymaster

    Great!  Thanks for confirming all is well.

    #22509

    DaveP
    Participant

    I have just followed this procedure on a brand new WooCommerce site with BPS after getting the 403 error. So surprised that I am getting this with such an old issue. I looked at the .htaccess and it had the |order| entry in it ! I will let you know once a new order has been processed to ensure it is working…

    Regards, Dave

    #22511

    AITpro Admin
    Keymaster

    I looked at the .htaccess and it had the |order| entry

    Yes. You are correct. That is standard BPS Security code and will always be in standard BPS security files. For folks who have WooCommerce they will need to make this necessary modification to BPS Standard code and files.

    #22513

    DaveP
    Participant

    OK, that is good to know – I will remember that & thanks for the prompt reply – Dave

    #23128

    Amy V
    Participant

    I have done these steps and I’m still getting a 403 forbidden from paypal. Here’s my address string in the browser looks a little different and I’m not able to make heads or tails of the code to paste into the little window.

    https://northcountryfiberfair.org/shop/index.php/checkout/order-received/xxx?key=wc_order_xxx&utm_nooverride=1&tx=xxx&st=Completed&amt=0%2e01&cc=USD&cm=a%3a2%3a%7bi%3a0%3bi%3a1744%3bi%3a1%3bs%3a22%3a%22wc_order_xxx%22%3b%7d&item_number=
    #23130

    AITpro Admin
    Keymaster

    You have done something incorrectly.  I checked your site and the %22 | order condition is still in effect/has not been successfully changed.  Double check that you are doing ALL of the Custom Code steps.

    1. Copy the modified (order| has been removed) BPS Query String Exploits code below to this BPS Root Custom Code text box: CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS:
    2. Click the Save Root Custom Code button.
    3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

    #23131

    AITpro Admin
    Keymaster

    Disregard: This topic is no longer valid. Several things in WooCommerce have changed.
    See this new Topic regarding WooCommerce issues/problems: http://forum.ait-pro.com/forums/topic/woocommerce-read-me-first/

    #23136

    Amy V
    Participant

    Will try that. thx.  I also realized I had BPS installed in my two WP installations (one at main address and one at /shop) and had changed only one. so I’ll try applying the fix to both.

    #23137

    AITpro Admin
    Keymaster

    Ok take a look at this Forum Topic link below to get familiar with how multiple website domains – hierarchy, structure, relationship affect each other.  Basically a Parent website’s htaccess file will affect all Child websites since the Parent site is higher in the folder structure:  /parent/, /parent/child-1/, /parent/child-1/subfolder/, /parent/child-2/, etc.

    http://forum.ait-pro.com/forums/topic/htaccess-files-for-multiple-website-domains/

    #23143

    Amy V
    Participant

    Thanks! I can get it to work nicely with paypal sandbox, but not paypal itself. Frustrated, but not giving up yet!

    #23144

    AITpro Admin
    Keymaster

    The Sandbox should exactly simulate a Live transaction.  Double check that the Sandbox and Live transaction payment script/file are using the same path location and any other parameters.  It is possible, but not likely that whatever transaction payment script/file that you are using is making a HEAD Request.  To rule that out do the Custom Code steps in this forum topic:  http://forum.ait-pro.com/forums/topic/broken-link-checker-plugin-403-error/#post-2017

    #23182

    Amy V
    Participant

    (Taking a deep breath.) There is some difference and I can’t figure out what between the sandbox and the main paypal site. The sandbox plays nicely and goes back to the order summary page. Main paypal does not. I have put in the “BPS QUERY STRING EXPLOITS” code, the  CUSTOM CODE WP REWRITE LOOP START, and the Whitelist User Agents or remove HEAD here in both BP Security installs in the custom code boxes and Activate Root Folder BulletProof Mode. No messages appear in my main site BP security log file (so it wasn’t likely necessary to have those changes – but for completeness sake I’d added them). looking through the wc paypal error log – there doesn’t appear to be any sort of error.I looked at the htaccess file editor under Your current root htaccess file and those mods appear to be there. Help? Do you want screenshots of anything? Anything else I need to check? The message that keeps popping up in the BP security log for the shop install says the following:

    [403 GET / HEAD Request: June 6, 2015 4:48 pm]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: xxx
    Host Name: xxx
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: https://www.paypal.com/us/cgi-bin/webscr?cmd=_flow&SESSION=3nbT63vkQZlKaNoXsGPPOreAtC0z-8CV0grCgmJ71oxBprynQBi6Lo194g0&dispatch=50a222a57771920b6a3d7b606239e4d529b525e0b7e69bf0224adecfb0124e9b61f737ba21b08198acc59b45c1b5383c3fbf91319c9514c0
    REQUEST_URI: /shop/checkout/order-received/1787?key=wc%5forder%5f5573242ccf79a&utm_nooverride=1&tx=6KV93855973324020&st=Completed&amt=0%2e01&cc=USD&cm=a%3a2%3a%7bi%3a0%3bi%3a1787%3bi%3a1%3bs%3a22%3a%22wc%5forder%5f5573242ccf79a%22%3b%7d&item_number=
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.81 Safari/537.36
    
Viewing 15 posts - 1 through 15 (of 20 total)

You must be logged in to reply to this topic.