WooCommerce – Read Me First
Tagged: 403 error, checkout, JTC Anti-Hacker, JTC Anti-Spam, Login Security, wc-api, WooCommerce
This topic has 2 replies, 2 voices, and was last updated 8 years, 7 months ago by AITpro Admin.

AITpro Admin (Keymaster)
UPDATE: BPS Pro 13+ and BPS 2.0+ versions have a feature called: Setup Wizard AutoFix (AutoWhitelist|AutoSetup|AutoCleanup) that automatically creates plugin and theme whitelist rules and automatically sets up and cleans up caching plugins htaccess code.
BPS Pro 12.6+: Login Security & Monitoring (LSM) and JTC Anti-Spam|Anti-Hacker (JTC) can be enabled for WooCommerce 2.6.9+ versions by using the Enable Login Security for WooCommerce & Enable JTC for WooCommerce checkbox option settings.
BPS .54.3+: Login Security & Monitoring (LSM) can be enabled for WooCommerce 2.6.9+ versions by using the Enable Login Security for WooCommerce checkbox option setting.
BPS and BPS Pro: Whitelist the WooCommerce shop, cart, checkout & wishlist URIs. Whitelist the WooCommerce “order” & “wc-ajax=get_refreshed_fragments” Query Strings. Also resolves wc-api 403 errors.
1. Copy the code below to this BPS Root Custom Code text box: 10. CUSTOM CODE PLUGIN/THEME SKIP/BYPASS RULES
2. Click the Save Root Custom Code button.
3. Go to the Security Modes tab page and click the Root Folder BulletProof Mode Activate button.

```apache
# WooCommerce shop, cart, checkout & wishlist URI skip/bypass rule
RewriteCond %{REQUEST_URI} ^.*/(shop|cart|checkout|wishlist).* [NC]
RewriteRule . - [S=14]
# WooCommerce order & wc-ajax=get_refreshed_fragments Query String skip/bypass rule
RewriteCond %{QUERY_STRING} .*(order|wc-ajax=).* [NC]
RewriteRule . - [S=13]
```
Important Note: If you are using WorldPay then additional whitelisting code is needed. Use this whitelisting method|code here for WorldPay: http://forum.ait-pro.com/forums/topic/woocommerce-worldpay-403-error/
Important Note: If the WooCommerce whitelisting method above does not work then use the WooCommerce whitelisting method below. Unfortunately using the whitelisting method below means that the entire block of BPS Query String Exploit code needs to be modified (as shown below) and added to BPS Root Custom Code.
1. Copy the modified BPS Query String Exploits code below to this BPS Root Custom Code text box:
2. Click the Save Root Custom Code button.
3. Go to the Security Modes tab page and click the Root Folder BulletProof Mode Activate button.

```apache
# BEGIN BPSQSE BPS QUERY STRING EXPLOITS
# The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
# Good sites such as W3C use it for their W3C-LinkChecker.
# Use BPS Custom Code to add or remove user agents temporarily or permanently from the
# User Agent filters directly below or to modify/edit/change any of the other security code rules below.
RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
RewriteRule ^(.*)$ - [F]
# END BPSQSE BPS QUERY STRING EXPLOITS
```
POST Attack Protection Bonus Custom Code and WooCommerce store used on a website home page:
Help Reference: BPS Post Attack Protection Bonus Custom Code forum topic: https://forum.ait-pro.com/forums/topic/post-request-protection-post-attack-protection-post-request-blocker/
If your WooCommerce store is on your website home page instead of a /shop or other URL and you are using the BPS POST Attack Protection Bonus Custom Code then add this additional whitelist rule for the WooCommerce Query String sent in the POST Request:

```apache
RewriteCond %{QUERY_STRING} !^wc-ajax=(.*) [NC]
```

in your existing BPS POST Attack Protection Bonus Custom Code in BPS Root Custom Code. After you have added this additional whitelist rule, click the Save Root Custom Code button and click the Root Folder BulletProof Mode Activate button.
Note: This code is example code. Edit your actual existing Post Attack Protection Bonus Custom Code and add the additional whitelist rule for WooCommerce shown highlighted below in this example code.
Important Note: The Security Log entry is logged as a GET Request (see example Security Log entry below) when the WooCommerce REQUEST_URI: /?wc-ajax=get_refreshed_fragments Query String is blocked, which it technically is based on the action of performing a literal GET Request using a Browser, but the AJAX call itself to wc-ajax=get_refreshed_fragments is a POST Request.

```apache
# BPS POST Request Attack Protection
RewriteCond %{REQUEST_METHOD} POST [NC]
# NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
RewriteCond %{REQUEST_URI} !^.*/wp-admin/ [NC]
# NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
RewriteCond %{REQUEST_URI} !^.*/wp-cron.php [NC]
# NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
RewriteCond %{REQUEST_URI} !^.*/wp-login.php [NC]
# Whitelist the WordPress Theme Customizer
RewriteCond %{HTTP_REFERER} !^.*/wp-admin/customize.php [NC]
# Whitelist XML-RPC Pingbacks, JetPack and Remote Posting POST Requests
RewriteCond %{REQUEST_URI} !^.*/xmlrpc.php [NC]
# Whitelist Network|Multisite Signup POST Form Requests
RewriteCond %{REQUEST_URI} !^.*/wp-signup.php [NC]
# Whitelist Network|Multisite Activate POST Form Requests
RewriteCond %{REQUEST_URI} !^.*/wp-activate.php [NC]
# Whitelist Trackback POST Requests
RewriteCond %{REQUEST_URI} !^.*/wp-trackback.php [NC]
# Whitelist Comments POST Form Requests
RewriteCond %{REQUEST_URI} !^.*/wp-comments-post.php [NC]
# Whitelist WooCommerce POST Request to Root URI by Query String
RewriteCond %{QUERY_STRING} !^wc-ajax=(.*) [NC]
# Whitelist WooCommerce POST Request to Root URI by Query String
RewriteCond %{QUERY_STRING} !^wc-api=(.*) [NC]
RewriteRule ^(.*)$ - [F]
```
WooCommerce wc-ajax=get_refreshed_fragments Security Log Entry:

```text
[403 GET Request: April 16, 2017 - 9:52 am]
BPS Pro: 12.9
WP: 4.7.3
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 127.0.0.1
Host Name: Z666P-HP
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: http://demo5.local/
REQUEST_URI: /?wc-ajax=get_refreshed_fragments
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36
```
BPS Pro ONLY (BPS Pro 12.5+ versions Plugin Firewall AutoPilot Mode automatically compensates for and fixes this WooCommerce problem – upgrade to the most current version of BPS Pro):

WooCommerce Checkout page is blank. There are numerous different WooCommerce extensions and “add-on” plugins for WooCommerce. Most likely the reason the BPS Pro Plugin Firewall does not see this WooCommerce blocked frontloading script is the coding mistake of 2 forward slashes (//) after “v2.3” in the URI, which is most likely breaking the entire Plugin Firewall since that URI is not valid.

Note: To check for these types of errors on your website use the Google Chrome Browser > click the 3 bar setting icon > hover over “More tools” > click Developer Tools to see the Google Chrome Developer Tools > select the Console tab to view/check for any errors.

```text
Failed to load resource: the server responded with a status of 403 (OK) https://www.aksorganics.com.au/wp-content/plugins/woocommerce-checkout-customizer/static/js/frontend/v2.3//update_payment_block.js?ver=1.0
Failed to load resource: the server responded with a status of 403 (OK) https://www.aksorganics.com.au/wp-content/plugins/woocommerce-checkout-customizer/static/js/frontend/v2.3//general.js?ver=1.0
Failed to load resource: the server responded with a status of 403 (OK) https://www.aksorganics.com.au/wp-content/plugins/woocommerce-checkout-customizer/static/js/frontend/v2.3//collect_wizard.js?ver=1.0
```

Solution: Manually enter the Regular Expressions (Regex) whitelisting rule below in the Plugin Firewall Whitelist Text Area. Using the Regex whitelisting rule below compensates for the double forward slash coding mistake in the woocommerce checkout customizer URI.

```text
/woocommerce(.*).js
```

Note: Each plugin script/file path that you add MUST be separated by a comma and a space. Example: /some-example-plugin/api/paypal-ipn-script.php, /another-example-plugin/some-example-script.php. The path name starts with the plugin folder name (do not add /wp-content in the path name).

Plugin Firewall Manual Setup Steps
1. Copy and paste plugin scripts/whitelist rules to the Plugins Script|File Whitelist Text Area.
2. Click the Save Whitelist Options button.
3. Click the Plugin Firewall BulletProof Mode Activate button.

Dennis (Participant)
I’m having an issue with woo checkout after their latest update and would like to see if this code will help, but in #1 above you say: “Copy the modified BPS Query String Exploits code below to this BPS Root Custom Code text box:” but do not say which text box to copy the code to?
Regards
Dennis
AITpro Admin (Keymaster)
Oops, good catch. I have added the Custom Code text box name in the instructions above. 😉
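The whitelist rules in the first post are only as safe as their scope, so a practitioner will usually want to check which requests each rule skips before activating it. The following Python model is an added example, not BPS code and not part of this thread: it reuses the regular expressions from the posted `RewriteCond` lines and models the surrounding mod_rewrite flow (the `[S=14]`/`[S=13]` skip rules are treated as "bypass the exploit block"; the Plugin Firewall whitelist entry is assumed to be applied as a regex search against the script path, which is an assumption about BPS internals). Only the single `sp_executesql` signature visible on the page is included; the real BPSQSE block contains more.

```python
import re

# Patterns copied from the whitelist rules posted in this thread. The flow around
# them is modelled here in Python (assumption); it is not BPS's own code.
WC_URI_SKIP = re.compile(r"^.*/(shop|cart|checkout|wishlist).*", re.IGNORECASE)
WC_QS_SKIP = re.compile(r".*(order|wc-ajax=).*", re.IGNORECASE)
# Only one exploit signature is visible on the page; the real BPSQSE block has more.
QSE_SIGNATURES = [re.compile(r"(sp_executesql)", re.IGNORECASE)]

# Paths the POST Attack Protection chain exempts (from its negated RewriteCond lines).
POST_EXEMPT_URIS = [re.compile(p, re.IGNORECASE) for p in (
    r"^.*/wp-admin/", r"^.*/wp-cron\.php", r"^.*/wp-login\.php", r"^.*/xmlrpc\.php",
    r"^.*/wp-signup\.php", r"^.*/wp-activate\.php", r"^.*/wp-trackback\.php",
    r"^.*/wp-comments-post\.php",
)]
POST_EXEMPT_REFERER = re.compile(r"^.*/wp-admin/customize\.php", re.IGNORECASE)
POST_EXEMPT_QS = [re.compile(r"^wc-ajax=(.*)", re.IGNORECASE),
                  re.compile(r"^wc-api=(.*)", re.IGNORECASE)]

# Plugin Firewall whitelist entry from the thread; assumed (not confirmed by the
# page) to be applied as a regex search against the plugin script path.
PLUGIN_FW_WHITELIST = [re.compile(r"/woocommerce(.*).js")]


def query_string_filter(request_uri, query_string):
    """Return 'skip', 'forbidden' or 'allow' for the Query String Exploits block.

    'skip' models the [S=14]/[S=13] rules: a matching request jumps over the
    exploit signatures entirely, so none of QSE_SIGNATURES is consulted.
    """
    if WC_URI_SKIP.search(request_uri) or WC_QS_SKIP.search(query_string):
        return "skip"
    if any(sig.search(query_string) for sig in QSE_SIGNATURES):
        return "forbidden"
    return "allow"


def post_attack_protection_blocks(method, request_uri, query_string="", referer=""):
    """True when the POST Attack Protection chain reaches `RewriteRule ^(.*)$ - [F]`.

    Every RewriteCond in that chain is a negated match, so a single exemption
    (method other than POST, an exempt path, the Customizer referer, or a
    wc-ajax=/wc-api= query string) lets the request through.
    """
    if method.upper() != "POST":
        return False
    if any(p.search(request_uri) for p in POST_EXEMPT_URIS):
        return False
    if POST_EXEMPT_REFERER.search(referer):
        return False
    if any(p.search(query_string) for p in POST_EXEMPT_QS):
        return False
    return True


def plugin_firewall_allows(script_path):
    """True when a front-end plugin script path matches a whitelist entry,
    including the double-slash path from the thread's Chrome console errors."""
    return any(p.search(script_path) for p in PLUGIN_FW_WHITELIST)


def whitelist_scope_report(query_strings):
    """Defender's check: report which sample query strings the WooCommerce skip
    rule whitelists, so the reach of '(order|wc-ajax=)' can be reviewed. Note
    that any query string containing the substring 'order' is skipped, not only
    WooCommerce's own 'order' parameter."""
    return {qs: bool(WC_QS_SKIP.search(qs)) for qs in query_strings}


if __name__ == "__main__":
    # Constructed sample requests (not taken from the thread's log).
    print(query_string_filter("/shop/", ""))                       # skip
    print(query_string_filter("/", "wc-ajax=get_refreshed_fragments"))  # skip
    print(query_string_filter("/blog/", "q=sp_executesql"))        # forbidden
    print(post_attack_protection_blocks("POST", "/", "wc-ajax=get_refreshed_fragments"))  # False
    print(post_attack_protection_blocks("POST", "/"))              # True
    print(plugin_firewall_allows(
        "/woocommerce-checkout-customizer/static/js/frontend/v2.3//update_payment_block.js"))  # True
    print(whitelist_scope_report(["orderby=date", "s=term"]))
```

Running the scope report over your site's real query strings (from the BPS Security Log or the web server access log) is the quickest way to see how much traffic the `(order|wc-ajax=)` skip rule exempts from the exploit block, which is the trade-off the first post accepts in exchange for a working WooCommerce checkout.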