Booster for WooCommerce – POST 403 error

[James]

Hi guys,

Could you please suggest the best way to add a whitelisting rule to prevent the 403 errors shown below when using the Booster for WooCommerce plugin please?  In particular it is the “WooCommerce Prices and Currencies by Country” and the error occurs when trying to switch the country (using the dropdownlist supplied with the plugin).  Strangely though it only seems to happen on the shop homepage, and not if the country selection is done on any other page.

See plugin info here: https://booster.io/features/woocommerce-prices-and-currencies-by-country/

[403 POST Request: February 3, 2017 - 11:11 pm]
BPS Pro: 12.6
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 58.182.129.248
Host Name: 248.129.182.58.starhub.net.sg
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR: 58.182.129.248
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: POST
HTTP_REFERER: https://mysite.com/
REQUEST_URI: /
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
REQUEST BODY: wcj-country=DE

This is my POST Request Attack Protection root htaccess code:

# BPS POST Request Attack Protection
RewriteCond %{REQUEST_METHOD} POST [NC]
# NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
RewriteCond %{REQUEST_URI} !^.*/wp-admin/ [NC]
# NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
RewriteCond %{REQUEST_URI} !^.*/wp-cron.php [NC]
# NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
RewriteCond %{REQUEST_URI} !^.*/wp-login.php [NC]
# Whitelist the WordPress Theme Customizer
RewriteCond %{HTTP_REFERER} !^.*/wp-admin/customize.php [NC]
# Whitelist XML-RPC Pingbacks, JetPack and Remote Posting POST Requests
RewriteCond %{REQUEST_URI} !^.*/xmlrpc.php [NC]
# Whitelist Network|Multisite Signup POST Form Requests
RewriteCond %{REQUEST_URI} !^.*/wp-signup.php [NC]
# Whitelist Network|Multisite Activate POST Form Requests
RewriteCond %{REQUEST_URI} !^.*/wp-activate.php [NC]
# Whitelist Trackback POST Requests
RewriteCond %{REQUEST_URI} !^.*/wp-trackback.php [NC]
# Whitelist Comments POST Form Requests
RewriteCond %{REQUEST_URI} !^.*/wp-comments-post.php [NC]
# Example 1: Whitelist Star Rating Calculator POST Form Requests
RewriteCond %{REQUEST_URI} !^.*/star-rating-calculator.php [NC]
# Example 2: Whitelist Contact Form POST Requests
RewriteCond %{REQUEST_URI} !^.*/contact/ [NC]
# Example 3: Whitelist PayPal IPN API Script POST Requests
RewriteCond %{REQUEST_URI} !^.*/ipn_handler.php [NC]
# Whitelist wp-load.php, needed for ManageWP?
# RewriteCond %{REQUEST_URI} !^.*/wp-load.php [NC]
# Whitelist ManageWP POST Request to wp-load.php by Query String
RewriteCond %{QUERY_STRING} !^mwprid=(.*) [NC]
RewriteRule ^(.*)$ - [F]

Many thanks, James

[AITpro Admin]

You can try and whitelist the “shop” URI, but the REQUEST_URI: / means that this WooCommerce extension is sending a POST Request to your root URL|URI = /, which is the exact same thing that hackers do with POST Request Attacks.  I don’t see anything unique that can be whitelisted like a Query String.  I downloaded the Booster for WooCommerce extension from the booster website so I can look at the code.  After looking at the Booster for WooCommerce extension code I will be able to tell you if there is anything you can whitelist or that you cannot use the BPS POST Attack Protection code with this extension.

RewriteCond %{REQUEST_URI} !^.*/shop/ [NC]

[AITpro Admin]

I have tested the Booster for WooCommerce extension and I am not seeing any errors when testing the Prices and Currencies by Country dropdown list on the /shop/ test site/page.

[James]

Hmm, that’s odd. On your test site, is the store homepage on the root of the site (e.g. www.mystore.com) or as a subfolder (e.g. www.mystore.com/shop)? On the site that I am having problems with, the woocommerce store is the homepage of the website; there is no blog, just the store front page when you go to the root of the domain name. As the problem only occurs on my website when the country is changed on the homepage, and not when you do the same on any of the other store pages, then I wonder whether this could be the problem?

Thanks for taking teh time to look into this for me, much appreciated 🙂

[AITpro Admin]

Ahh ok then you definitely cannot use the POST Attack Protection code.  The way the POST Attack Protection code works is that all POST Requests are blocked by default and each new line of code that you create/add is a whitelist rule to allow a POST Request to that unique/specific URI or Query String.  So by default your root site URI / blocks POST Attack Requests since 99.99% of all POST Attacks are made to your root site URI|URL by hackers.  Since I do not see any unique Query Strings that you can use to whitelist for the Prices and Currencies by Country dropdown list POST Request to your root site URL then unfortunately you cannot use the POST Attack Protection code.  If you whitelisted your root site URI|URL then that is the same things as not using the POST Attack protection code at all.

[James]

Thanks for confirming – that’s what I thought / feared! Probably easiest to try and hide the country switcher widget on the store / website homepage then and I will send a message to the developer to see if they can tweak the code in some way to make the request more identifiable and hence whitelist-able.

Thank you, James 🙂

[James]

Just raising this with the Boost plugin developers.  Is there any info or documentation you could point me (or rather them!) too which explains how the POST request can be modified to be unique and hence identifiable and whitelist-able please?

https://booster.io/features/woocommerce-prices-and-currencies-by-country/#comment-11364

[AITpro Admin]

This is only a general example of what the end result of the Request URI and Query String should look like and not an example of how they would actually do that in their code:  /?wc-booster=price_country or if they are using AJAX: /?wc-booster-ajax=price_country.  The whitelist rule for the POST Attack Protection code would then be able to whitelist their POST Request Query String:

RewriteCond %{QUERY_STRING} !^wc-booster=(.*) [NC]

or

RewriteCond %{QUERY_STRING} !^wc-booster-ajax=(.*) [NC]

Since the Booster plugin is a “booster” for both WooCommerce and Jetpack and both WooCommerce and Jetpack are using code that uses Query Strings in POST Requests then the simple thing for the Booster folks to do would be to look at both WooCommerce and Jetpack code that makes POST Requests using Query Strings and then use the POST Request method that either of these plugins use.

[James]

Thanks.  I’ll forward that across and fingers crossed they came implement something.  Cheers, James

[Alex Laxton]

Great code is shown by some members but will it a workout to boost sales from niche to top, this extension will help to show how much the sales conversion is boosted.

[Author]

Posts