WP eMember, WordPress eMember, WP eStore, WordPress eStore Whitelist rules


  • #9166
    E. J. Simmons
    Participant

    Attempting to set up http://trialroadmap.com/members as a membership site using the WP eMember plugin, to take payments by PayPal (via WP eStore plugin) and for eMember and eStore to add the customer as a member. The goal is to have the site protected by BPS Security Pro, since it is the best method to secure a WordPress site. BPS Security Pro is specifically recommended by the WP eMember folks. Previously, I had the site set up on a web host called Eleven2, NOT recommended. After giving up on Eleven2 last weekend, I moved the site to a virtual private server at Liquidweb, a quality web host in Lansing, Michigan. However, the site’s home page is taking 30 plus seconds to load. This figure comes from using webpagetest.org several times. So I spent some time yesterday and today trying to figure out why it was so slow. The first Liquidweb person, Calleigh, said:

    “Per our phone conversations I discovered this issue while watching the server after triggering the members site for trialroadmap.com. This was all in /usr/local/apache/logs/error_log

    [Sat Aug 31 22:21:07 2013] [error] [client 10.30.4.89] client denied by server configuration: /home/trialatt/public_html/members/wp-content/plugins/wp-eMember/js/jquery.pagination-2.0rc.js, referer: http://trialroadmap.com/members/
    [Sat Aug 31 22:21:07 2013] [error] [client 10.30.4.89] client denied by server configuration: /home/trialatt/public_html/members/wp-content/plugins/wp-eMember/js/jquery.confirm-1.3.js, referer: http://trialroadmap.com/members/
    [Sat Aug 31 22:21:07 2013] [error] [client 10.30.4.89] client denied by server configuration: /home/trialatt/public_html/members/wp-content/plugins/wp-cart-for-digital-products/lib/eStore_read_form.js, referer: http://trialroadmap.com/members/"

    Calleigh’s shift ended, so she transferred the support ticket to the second Liquidweb person, Zack. Zack said:

    “I was able to find the source of the errors you are seeing in the error log when a user visits trailroadmap.com/members/. There is a WordPress Plugin on your site called ‘Bulletproof Security’ that generates a .htaccess file in your server’s WordPress plugins directory. This .htaccess file is blocking remote access to certain potentially harmful filetypes, such as .js, for all your plugins. I was able to fix the errors by moving that file aside, however that would not be the ideal solution. The ideal fix will be to configure Bulletproof Security to allow Javascript files to execute in your plugins directory, since your plugins need those files to run properly. This will likely be something you can change within Bulletproof Security’s settings. If you’d like me to make this change for you, please provide me credentials to log in to the trailroadmap.com/members/ administrative area.
    Please note that this will be considered “Best Effort Support,” although I am confident that I will be able to fix the issue.”

    This was sent after I was asleep. This morning I sent the login info, but unfortunately Zack had left. The third Liquidweb person, Joel, said:

    “Unfortunately this ticket involves a wordpress plugin and these are not covered by our normal support. I have done some investigation into the plugin via our Best Effort support ( as mentioned by the previous tech) but have had no luck. No configuration changes appear to make the domain function as it should. As we are not familiar with this plugin nor its configuration you may need to speak with the developers of the plugin in order to make this function. If you would like I can disable this plugin for you.”

    In the meantime, a WP eMember admin person, wzp, had responded to my post (in the WP eMember support forum) asking about the apache/logs/error_log info from Calleigh:

    “The error message says it all “…client (the browser) denied by server configuration (something about the way your server is setup).” “Server configuration” is outside the control of the plugins. Without knowing EXACTLY what this mystery configuration is, we really have no starting point from which to look for the problem. Did you or your provider “over tighten” any of the security settings on the server? If you didn’t do any tinkering with the server settings, please ask if your hosting provider did.”

    So I asked Liquidweb to review the status of the server security and tell me if any over tightening is apparent:
    “Please let me know if the server as it now stands has any unusual tightening of the settings. If the apache error log says “denied by server configuration” please let me know what that means, and if the eMember plugin developer is incorrect in his assumption about the error message.”

    This is the response from Joel at Liquidweb:

    “The error client denied by server configuration references a deny code for the IP address used to connect to the server. This does not reference the firewall but actually references the .htaccess file for the domain as this would contain coding that would determine who can access or not. As the plugin is the one building the .htaccess for the domain I was having a hard time understanding why it would create a file that causes itself to be blocked. So in this particular case server configuration is in fact being controlled by the plugin because it is creating the file that tells the server to deny access. Moving this htaccess file out of the way does allow the server to function however this defeats the purpose of the plugin. This is why I suggested contacting support for the plugin as it seems the plugin is creating a faulty htaccess file. The following is an article in regards to this error:
    http://wiki.apache.org/httpd/ClientDeniedByServerConfiguration
    I have looked over the server and have not been able to determine any “extra” security measures in place that would have any effect on this. It seems the file it is creating is the cause.”

    In looking at the site, I noticed that the security log is empty. I ran the Pre-Installation Wizard Checks and all was green except this is in blue:

    “Your current Root .htaccess file is not locked. In order to ensure that the Setup Wizard completes successfully your files will NOT be locked by BPS Pro F-Lock. Your F-Lock settings will be set to “Turn Off Checking & Alerts”.”

    I have a feeling that the problems, both the slow loading and the other details, relate to not having the dot-htaccess files set up correctly. But I do not know how to go about fixing the problem.

    Sorry for the lengthy message, please edit as you see fit, but I thought that providing more info was better than taking the risk of omitting a significant fact. I know there is a way to have a membership site that takes PayPal payments and is protected from the bad guys by BPS Pro. Please let me know how I should proceed.

    Thanks.

    #9169
    AITpro Admin
    Keymaster

    Yes, the Plugin Firewall not being completely set up yet is why the js scripts are being blocked by the Plugin Firewall, since they have not been whitelisted yet.  Send me a temporary Admin login to the site and I will set that up in less than 1 minute.  The slow loading problem may be caused by something else.  This is not typically a problem that is caused by not setting up the Plugin Firewall yet.

    #9175
    E. J. Simmons
    Participant

    Login info sent.

    #9179
    AITpro Admin
    Keymaster

    Logged in, set up the Plugin Firewall, which actually appeared to have the correct whitelist rules, so not sure what happened there.  I have condensed your whitelist rules using Regex to this:

    /wp-cart-for-digital-products/lib/(.*).js, /wp-eMember/js/(.*).js

    I am now checking your site in general for any issues.

    Page Load speed is currently:  2.36 seconds.  YSlow indicates that there are several additional things that can be done to speed up this site.  I will add the AITpro Speed Boost code here:  http://forum.ait-pro.com/forums/topic/htaccess-caching-code-speed-boost-cache-code/ to BPS Pro Custom Code.  You currently have W3TC deactivated on this site.  If you run into a problem when you activate W3TC let me know and I can assist you with that.

    RE: WP Affiliate Platform plugin – this plugin is currently deactivated, but requires additional Plugin Firewall whitelist rules for the IPN script, which I have added so that when you activate this plugin the whitelist rules will already be in place. http://forum.ait-pro.com/forums/topic/wp-affiliate-platform-plugin-firewall-whitelist-rules/ I assume WP eMember also may have an additional IPN script.

    #9180
    AITpro Admin
    Keymaster

    I have also added this additional Brute Force Login Protection code to BPS Pro Custom Code.

    http://forum.ait-pro.com/forums/topic/protect-login-page-from-brute-force-login-attacks/

    # Protect wp-login.php from Brute Force Login Attacks based on Server Protocol
    # All legitimate humans and bots should be using Server Protocol HTTP/1.1
    RewriteCond %{REQUEST_URI} ^/wp-login\.php$
    RewriteCond %{THE_REQUEST} HTTP/1\.0
    RewriteRule ^(.*)$ - [F,L]

    #9181
    AITpro Admin
    Keymaster

    The slow loading is probably caused by this:

    You have W3TC deactivated, but this code is not commented out in your wp-config.php file.  I think the best thing to do at this point is to remove this code since W3TC is currently deactivated so I have removed this code from your wp-config.php file.  When you activate W3TC it will add this code back to your wp-config.php file.  For that reason I am turning off the wp-config.php file lock.  It is not really necessary to lock the wp-config.php file these days since AutoRestore/Quarantine was created.

    /** Enable W3 Total Cache */
    define('WP_CACHE', true); // Added by W3 Total Cache

    #9182
    AITpro Admin
    Keymaster

    Another likely general cause of slowness is your PHP Configuration Memory Limit being set too low.  It is currently set to:  64M

    I have changed this to 128M for best WordPress/website performance.  Either the change has not taken effect yet (may require restarting web services) or your Host does not allow the memory limit to be set using ini_set.  Please have your Host check this to ensure your memory limit is set to 128M.

    memory_limit 64M 64M

    #9183
    E. J. Simmons
    Participant

    I sent to the webhost the comments about the memory limit.

    #9184
    AITpro Admin
    Keymaster

    I found and added these 2 IPN scripts for WP eMember to your Plugin Firewall Whitelist rules

    /wp-eMember/ipn/eMember_handle_paypal_ipn.php, /wp-eMember/ipn/eMember_handle_clickbank_ipn.php

    It appears that WP eStore is already working and does not have an IPN script, but does have this download script that may need to be whitelisted so I added it to your Plugin Firewall Whitelist rules just in case.

    /wp-cart-for-digital-products/download.php

    Ok so at this point I have checked your site with a Web Proxy and no Security Log Errors are being logged. Please test all of your Shopping Cart plugins and let me know if there are any issues.  Logged out now.

    In Summary, these are your entire Plugin Firewall Whitelist Rules:

    /wp-cart-for-digital-products/lib/(.*).js, /wp-eMember/js/(.*).js, /wp-affiliate-platform/api/ipn_handler.php, /wp-affiliate-platform/api/wp_aff_integration.js, /wp-affiliate-platform/wp_aff_includes.php, /wp-affiliate-platform/wp_aff_includes_3rd_party_integration.php, /wp-affiliate-platform/wp_affiliate_platform1.php, /wp-eMember/ipn/eMember_handle_paypal_ipn.php, /wp-eMember/ipn/eMember_handle_clickbank_ipn.php, /wp-cart-for-digital-products/download.php

    #9199
    E. J. Simmons
    Participant

    Made a membership purchase. PayPal took the payment and confirmed, but apparently did not communicate with the eMember/eStore plugins; there are 403s in the security log, for example from:
    HTTP_USER_AGENT: PayPal IPN ( https://www.paypal.com/ipn )

    If I recall, this was a problem a couple of weeks ago but I cannot remember how it was fixed.

    #9200
    AITpro Admin
    Keymaster

    Ok logging back in.  Most likely the paypal.com domain will also need to be whitelisted in addition to whitelisting the IPN scripts.

    #9201
    AITpro Admin
    Keymaster

    Oops, I missed this IPN script.  😉

    Interesting that Server Protocol HTTP/1.0 is being used instead of HTTP/1.1, but it does not really affect anything, just noting it here for myself.  Edit:  Duh, never mind, that is the POST /cgi-bin/webscr HTTP/1.0 Header used with fsockopen.  😉

    >>>>>>>>>>> 403 GET or Other Request Error Logged - September 2, 2013 - 12:09 am <<<<<<<<<<<
    REMOTE_ADDR: 66.211.170.66
    Host Name: notify.paypal.com
    SERVER_PROTOCOL: HTTP/1.0
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /members/wp-content/plugins/wp-cart-for-digital-products/paypal.php
    QUERY_STRING:
    HTTP_USER_AGENT: PayPal IPN ( https://www.paypal.com/ipn )

    #9202
    AITpro Admin
    Keymaster

    Ok this Plugin Firewall Whitelist rule has been added.  Please test again.

    /wp-cart-for-digital-products/paypal.php
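An added example (not BPS Pro's own code, and not posted by anyone in this thread) that checks the whitelist summarized in #9184 and the paypal.php rule from #9202 against "client denied by server configuration" lines: it parses constructed error_log lines modelled on the entries quoted earlier in the thread and reports which blocked plugin paths no rule covers. It assumes each comma-separated rule is applied as a regex to the path relative to /wp-content/plugins; that is an assumption about how the rules are read, not a description of the plugin's internals.

```python
import re

# Constructed error_log lines modelled on the entries quoted in this thread (not real captures).
ERROR_LOG = """\
[Sat Aug 31 22:21:07 2013] [error] [client 10.30.4.89] client denied by server configuration: /home/trialatt/public_html/members/wp-content/plugins/wp-eMember/js/jquery.pagination-2.0rc.js, referer: http://trialroadmap.com/members/
[Sat Aug 31 22:21:07 2013] [error] [client 10.30.4.89] client denied by server configuration: /home/trialatt/public_html/members/wp-content/plugins/wp-eMember/js/jquery.confirm-1.3.js, referer: http://trialroadmap.com/members/
[Sat Aug 31 22:21:07 2013] [error] [client 10.30.4.89] client denied by server configuration: /home/trialatt/public_html/members/wp-content/plugins/wp-cart-for-digital-products/lib/eStore_read_form.js, referer: http://trialroadmap.com/members/
[Mon Sep 02 00:09:00 2013] [error] [client 66.211.170.66] client denied by server configuration: /home/trialatt/public_html/members/wp-content/plugins/wp-cart-for-digital-products/paypal.php
"""

# Whitelist exactly as summarized in post #9184 (before paypal.php was added).
WHITELIST_9184 = (
    "/wp-cart-for-digital-products/lib/(.*).js, /wp-eMember/js/(.*).js, "
    "/wp-affiliate-platform/api/ipn_handler.php, "
    "/wp-affiliate-platform/api/wp_aff_integration.js, "
    "/wp-affiliate-platform/wp_aff_includes.php, "
    "/wp-affiliate-platform/wp_aff_includes_3rd_party_integration.php, "
    "/wp-affiliate-platform/wp_affiliate_platform1.php, "
    "/wp-eMember/ipn/eMember_handle_paypal_ipn.php, "
    "/wp-eMember/ipn/eMember_handle_clickbank_ipn.php, "
    "/wp-cart-for-digital-products/download.php"
)
PAYPAL_RULE_9202 = "/wp-cart-for-digital-products/paypal.php"

DENIED_RE = re.compile(r"client denied by server configuration: (\S+?)(?:,|$)")
PLUGINS_DIR = "/wp-content/plugins"

def denied_plugin_paths(log_text):
    """Paths Apache refused, relative to the plugins directory."""
    paths = []
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m and PLUGINS_DIR in m.group(1):
            paths.append(m.group(1).split(PLUGINS_DIR, 1)[1])
    return paths

def compile_whitelist(rules):
    """Assumption: each comma-separated rule is a regex matched against the
    whole plugins-relative path, which is how the '(.*).js' rules read."""
    return [re.compile("^" + r.strip() + "$") for r in rules.split(",") if r.strip()]

def uncovered(log_text, rules):
    """Denied paths that no whitelist rule matches; these still need a rule."""
    patterns = compile_whitelist(rules)
    return sorted({p for p in denied_plugin_paths(log_text)
                   if not any(pat.match(p) for pat in patterns)})

if __name__ == "__main__":
    print(uncovered(ERROR_LOG, WHITELIST_9184))  # paypal.php still blocked
    print(uncovered(ERROR_LOG, WHITELIST_9184 + ", " + PAYPAL_RULE_9202))  # []
```

Run it against a real error_log excerpt and the current rule string from the Plugin Firewall page to see which denials are still unexplained after a whitelist change.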

    #9205
    E. J. Simmons
    Participant

    Payment worked, PayPal notified, and the membership site plugin worked and gave the email to input username and password, and it worked.
    About 5 seconds to load, can live with that better than the 30 seconds from before. Thanks.

    #9206
    AITpro Admin
    Keymaster

    Where are you seeing a 5 second load time?  When I check your site with Firefox, Firebug, Firephp and YSlow I am seeing 2.1 to 2.2 second load times.
