WP eStore plugin – ShrinkTheWeb plugin

Viewing 15 posts - 16 through 30 (of 60 total)

    #4765
    AITpro Admin
    Keymaster

    If you are using default WordPress .htaccess code then BPS is not causing the problem and it is something else that is causing this problem. Deactivate Root Folder BulletProof Mode to do this.  Test and let me know what happens.

    #4766
    AITpro Admin
    Keymaster

    If you have already deactivated Root Folder BulletProof Mode then BPS is not causing the problem.

    #4767
    AITpro Admin
    Keymaster

    To completely eliminate BPS do this.

    FTP to your website and delete the root .htaccess file and the wp-admin .htaccess file.  Then go to Settings >>> Permalinks and click the Save Changes button.  If the problem is still occurring then it does not have anything to do with BPS and you should deactivate your plugins one by one at this point to see if another plugin is causing the problem.

    #4768
    AITpro Admin
    Keymaster

    I do not think this RewriteRule will work at all so do not use it.  This is for 3rd party apps so it would not work for internal rewriting that is done by a plugin.  I wanted to eliminate the possibility that the plugin is simulating an external URL.

    RewriteRule ^webstore/ - [L]

    Check the RFI and MISC filter to make sure your domain is whitelisted correctly.

    #4770
    WPS P&C Admin
    Participant

    Sorry, I had put BPS in [obsolete-removed] overnight, so that the webstore would continue to work, but forgot to activate it again before applying your suggested changes. It is definitely BPS that’s causing the problem, because every time I put it into [obsolete-removed] , the webstore works, and every time I activate it again the webstore stops working.

    I have reactivated it now, and applied the suggested code to the .htaccess file. I have also added my domain name to the HTTP_REFERER condition, as it wasn’t there (but presumably if I ever use the [obsolete-removed] buttons again I will lose both the customisations I have made directly to this file???)

    So, I have added the following 2 changes:

    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    # RewriteRule for Custom Apps outside of WP (the comment and rule below were added at your suggestion)
    RewriteRule ^webstore/ - [L]
    ...then...
    RewriteRule .* index.php [F,L]
    RewriteCond %{REQUEST_URI} (timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
    # I changed the HTTP_REFERER condition below to my domain name
    RewriteCond %{HTTP_REFERER} ^.*wpspandc.com.au.*
    RewriteRule . - [S=1]

    #4771
    WPS P&C Admin
    Participant

    Oh, I only just saw your latest post after I had finished typing my reply above. With both of these changes in place, I cannot add anything to my shopping cart.

    I need to go to work now (my paid job – this website is a labour of love for my kids’ school) so need to deactivate bulletproof mode for the day, so the webstore will work.

    I’ll leave it with you until this evening (Sydney time) and will apply any further changes you suggest later today.

    #4772
    AITpro Admin
    Keymaster

    What was the HTTP_REFERER condition before you changed it?  Your root domain is fine: wpspandc.com, you do not need to add the .au

    This rule was an experiment:  RewriteRule ^webstore/ - [L]  so remove it.

    Try commenting out all the security filters with a # pound sign from…

    # BEGIN BPSQSE BPS QUERY STRING EXPLOITS
    # The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
    # Good sites such as W3C use it for their W3C-LinkChecker.
    # Use BPS Custom Code to add or remove user agents temporarily or permanently from the
    # User Agent filters directly below or to modify/edit/change any of the other security code rules below.
    #RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
    #RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    ...
    #RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]

    Do not comment out this security filter below:

    RewriteCond %{QUERY_STRING} (sp_executesql) [NC]

    #4792
    WPS P&C Admin
    Participant

    Ok, I’m a bit confused now. Have just re-read all the above posts, and am not confident of what changes I am supposed to be experimenting with in my root .htaccess file now.

    To answer your question about “What was the HTTP_REFERER condition before you changed it?” It was as follows:

    RewriteCond %{HTTP_REFERER} ^.*com.au.*

    I have just changed it to:

    RewriteCond %{HTTP_REFERER} ^.*wpspandc.com.*

    BTW, I should also point out that the domain http://www.wpspandc.com does actually exist – it was our old website, hosted by Webs.com but we have switched to an Australian hosting provider on the http://www.wpspandc.com.au domain this year. The old http://www.wpspandc.com domain expires at the end of May 2013 but is currently still active.

    In addition to the HTTP_REFERER condition change you suggested, I have also commented out the security filters as per your instructions immediately above, but this did not work. With BPS active, and the above security filters commented out, and the HTTP_REFERER condition set as per your instructions, items are still disappearing from my shopping cart every time I navigate away from the webstore page.

    I will have to deactivate bulletproof mode now overnight, but will await further suggestions about what to try next.

    #4794
    AITpro Admin
    Keymaster

    Hmm, running out of ideas here.  Please send me the plugin so that I can test it and see exactly what the problem is.  I will delete the plugin on test completion.  I have purchased and am using the WP Affiliate Platform plugin from these folks who make the WP eStore plugin on that AITpro.com affiliate site.  Send the plugin in zip format to edward at ait-pro dot com.  Thank you.

    #4805
    WPS P&C Admin
    Participant

    I have just emailed you a zip file containing the WP eStore plugin v6.9.7.6, which is the version I currently have installed. This version is slightly ahead of their latest release v6.9.7.3, because it included a bug fix to do with their CSV download function which they provided in advance.

    #4806
    AITpro Admin
    Keymaster

    Ok will test it shortly and find out what is going on.  Once testing is complete the plugin will be destroyed/deleted.  Thanks.

    #4808
    AITpro Admin
    Keymaster

    WP eStore has been tested and there is only one issue/problem that I found.  All aspects and features of the Shopping Cart work perfectly fine.

    Issue/Problem:  When trying to add a thumbnail image on Additional Product Details page the media-upload.php file was blocked.
    Error Message: You don’t have permission to access /wp-admin/media-upload.php on this server.
    Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request.

    Solution:
    Add this wp-admin .htaccess bypass / skip rule below to the wp-admin Custom Code box – CUSTOM CODE WPADMIN PLUGIN FIXES: and then activate BulletProof Mode for your wp-admin folder again.  The skip rule must be [S=2] because it will be written to your wp-admin .htaccess file above skip / bypass rule [S=1].

    # WP eStore media-upload.php skip/bypass rule
    RewriteCond %{REQUEST_URI} (media-upload\.php) [NC]
    RewriteRule . - [S=2]

    I tested with several different short codes and no issues/problems were found. I did not have any URLs with timthumb in the URL so I am not sure where that URL in the security log error you posted is coming from. Maybe you have several plugins that are integrated together?
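As an added illustration (not code from this thread, BPS or WP eStore), a small Python model of how mod_rewrite walks rules with the [S=n] skip flag, showing why a bypass written above an existing [S=1] rule has to skip two rules rather than one; the second bypass file name and the final deny rule are placeholders for what the real wp-admin .htaccess contains.

```python
import re

# Constructed model of how Apache mod_rewrite's [S=n] (skip) and [F]
# (forbidden) flags interact. Not BPS's or WP eStore's code; the second
# bypass file name and the final deny rule are placeholders.

def evaluate(rules, request):
    """Walk the rules in file order, as mod_rewrite does.
    rules:   list of (conds, pattern, flags); conds are (server_variable, regex)
             pairs that must all match, pattern is tested against REQUEST_URI,
             flags is a dict such as {"S": 2} or {"F": True}.
    request: dict of server variables, e.g. {"REQUEST_URI": "/wp-admin/x.php"}.
    Returns "forbidden" if an [F] rule fires, otherwise "allow".
    """
    i = 0
    while i < len(rules):
        conds, pattern, flags = rules[i]
        i += 1
        # A rule only fires when every RewriteCond above it matches ([NC] -> re.I).
        if not all(re.search(rx, request.get(var, ""), re.I) for var, rx in conds):
            continue
        if not re.search(pattern, request["REQUEST_URI"]):
            continue
        if flags.get("F"):
            return "forbidden"
        i += flags.get("S", 0)  # [S=n]: skip the next n rules
    return "allow"


def wp_admin_rules(estore_skip):
    """Constructed wp-admin rule set in the order the post describes:
    eStore bypass on top, the pre-existing [S=1] bypass under it, then the
    blocking rule both bypasses are meant to jump over."""
    return [
        # WP eStore media-upload.php skip/bypass rule (as given in the post)
        ([("REQUEST_URI", r"media-upload\.php")], r".", {"S": estore_skip}),
        # pre-existing [S=1] bypass for some other file (placeholder name)
        ([("REQUEST_URI", r"some-other-allowed\.php")], r".", {"S": 1}),
        # placeholder for the blocking rule that produced the permission error
        ([], r".*", {"F": True}),
    ]


def media_upload_result(estore_skip):
    """Outcome for /wp-admin/media-upload.php with the eStore rule at [S=n]."""
    return evaluate(wp_admin_rules(estore_skip),
                    {"REQUEST_URI": "/wp-admin/media-upload.php"})
```

With [S=1] the eStore rule only jumps over the other bypass and lands on the deny rule, which is exactly the failure the post warns about.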

    #4809
    AITpro Admin
    Keymaster

    I will attempt another test and try and figure out how to get the timthumb script that is included in this plugin to generate a similar URL and see if I can duplicate that issue.  It appears that the issue is directly related to the timthumb script at this point and that no other issues/problems with this plugin exist.

    #4812
    AITpro Admin
    Keymaster

    I used the Media Uploader and created a From URL hotlinking to another website’s image file and the timthumb URL that is in your error log entry was NOT created and the cart worked fine.  I believe that however you created your image link/URL is the problem.  And I suspect that when the Media Uploader did not work for you, you tried an alternative method of image linking???

    In any case, I was unable to recreate the exact security log entry and WP eStore is working perfectly fine.  My suggestion is that you try and create a new test product and upload the image file in the normal way and do not hotlink to an image file.
