Joe G.
Forum Replies Created
Forum: Plugins
In reply to: [WooCommerce] Thousands of POST requests to /?wc-ajax=checkout
@sneader the solution for the time being is to use https://woocommerce.com/products/recaptcha-for-woocommerce/ This has successfully deterred this attack for us. However, we have had a couple customer complaints here and there that it has blocked them from processing their order incorrectly; but these are fringe cases with javascript disabled, using a 10 year old tablet on satellite internet, etc.
You are 100% right though that WC needs to up its game. (In my opinion, stop wasting time with bloat analytics and marketing hubs and fix the fundamentals to make WC viable in 2021.)
Forum: Plugins
In reply to: [WooCommerce] Thousands of POST requests to /?wc-ajax=checkout
@kgabales & all,
I did a variety of things to stop this attack. But the thing that helped the most was installing reCaptcha v3. https://woocommerce.com/products/recaptcha-for-woocommerce/
The weak link is still that WooCommerce (and payment gateways) allow for unlimited CC processing attempts on a single order. Someone needs to develop a solution to only allow X attempts then set the order status to canceled so no more attempts can be made on that order. (Now, they can always just create a new order, but it would make it just a little more difficult.)
Forum: Plugins
In reply to: [Woo Manage Fraud Orders] Blocking Multiple Attempts on the same oder
@prasidhda Thank you for the reply.
Yes, the attacker was rotating several different data points.
If an order status is set to cancelled, will WC still allow for payment attempts to be processed? If WC will not allow that, then a great feature to add would be: set order status to ‘canceled’ IF number of payment attempts > X. Putting a limit in place would at least prevent a single order from being abused.
Forum: Plugins
In reply to: [WooCommerce] Thousands of POST requests to /?wc-ajax=checkout
@myst3k99 You are right, should be simple enough. I don’t think this data is stored anywhere; at least it’s not in the obvious places. In my interactions so far trying to find a solution, it seems like everyone is pointing to the right… WC Core, “it’s the gateway’s responsibility…” Gateway, “it’s the processor’s responsibility.” Processor, “it’s the WAF’s fault.”
Forum: Plugins
In reply to: [WooCommerce] Thousands of POST requests to /?wc-ajax=checkout
@myst3k99 (cc @riaanknoetze ) Is there a way to limit the number of processing attempts on a failed order? Does WC core store the number of attempts somewhere or is that completely up to the gateway? I would like to block processing attempts, after say, 5. This seems to be an easy way to harden WC. Allowing a free for all at processing thousands of cards on a single order is insane.
Forum: Plugins
In reply to: [WooCommerce] Thousands of POST requests to /?wc-ajax=checkout
@myst3k99 This is very helpful; thank you. We experienced the same attack. They were determined too… I threw in a minimum order amount code snippet just to make it a little harder ($5) and I saw in the access logs where they sorted my shop by price to find the items that were just above that amount. I do not understand how that amount of effort is worth it.
Forum: Plugins
In reply to: [WooCommerce] Thousands of POST requests to /?wc-ajax=checkout
@machinedean I am running WooCommerce 4.8.0 on this store, so it appears it is not as simple as updating WC. 🙁 Did you all do anything else or did the attackers just move on?
Forum: Plugins
In reply to: [WooCommerce] Thousands of POST requests to /?wc-ajax=checkout
I am on WC 4.8.0 and this just happened to us. 7,000+ orders in one night running over 20,000 different cards. We also use a WAF. This is a pretty complex attack. IP addresses are rotating and they are going slow enough not to be considered a ddos by WAF. Any ideas?
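Added example, not part of the forum post above: the reply describes checkout POSTs arriving from rotating IP addresses slowly enough that per-IP limits never trigger, so this Python example counts POSTs to `/?wc-ajax=checkout` per hour across all clients in an access log. The Combined Log Format, the threshold of 5 per hour, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Assumes Combined Log Format: ip - - [time] "METHOD target PROTO" status ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def checkout_posts(lines):
    """Yield (hour, ip) for every POST whose target contains wc-ajax=checkout."""
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ip, ts, method, target, _status = m.groups()
        if method == "POST" and "wc-ajax=checkout" in target:
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
            yield when.strftime("%Y-%m-%d %H:00"), ip

def flag_hours(lines, max_posts_per_hour=5):
    """Return hours whose site-wide checkout POST count exceeds the threshold.

    The count ignores the client IP, so a slow attack spread over many
    addresses still adds up. busiest_ip_posts shows what a per-IP limit sees.
    """
    per_hour = defaultdict(Counter)
    for hour, ip in checkout_posts(lines):
        per_hour[hour][ip] += 1
    return {
        hour: {"posts": sum(ips.values()), "distinct_ips": len(ips),
               "busiest_ip_posts": max(ips.values())}
        for hour, ips in per_hour.items()
        if sum(ips.values()) > max_posts_per_hour
    }

def sample_log():
    """Constructed sample: 8 slow checkout POSTs from 8 addresses, plus normal traffic."""
    tail = 'HTTP/1.1" 200 152 "-" "Mozilla/5.0"'
    lines = [f'203.0.113.{10 + i} - - [12/Jan/2021:02:{i * 7:02d}:11 +0000] '
             f'"POST /?wc-ajax=checkout {tail}' for i in range(8)]
    lines.append('198.51.100.7 - - [12/Jan/2021:14:01:02 +0000] '
                 f'"GET /shop/?orderby=price {tail}')
    lines.append('198.51.100.7 - - [12/Jan/2021:14:03:40 +0000] '
                 f'"POST /?wc-ajax=checkout {tail}')
    return lines

if __name__ == "__main__":
    print(flag_hours(sample_log()))
```

In the constructed sample the 02:00 hour is flagged with eight POSTs although no single address sent more than one, which is the pattern a per-IP rate limit does not see.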
Forum: Plugins
In reply to: [WooCommerce Manual Payment] Calculate Shipping
@bfl thank you! I’ve searched far and wide for a clean and simple plugin to calculate shipping on the admin using the existing shipping methods (or even alternative methods for that matter). There are many out there that offer “complete” solutions for manual and phone orders but all of these either work through the front-end OR do not offer any sort of admin payment gateway. I thought this might be a good business idea for an additional plugin if you are ever interested. An admin shipping calculation + your manual payments plugin could offer the only (to my knowledge) complete solution for taking admin/phone/manual orders through the WP-Admin.
Forum: Plugins
In reply to: [Disable Bloat for WordPress & WooCommerce] Scheduled Actions
@anchises , did you find an answer to this yet?
With Woo 4, it seems you have to manually trigger the importing of historical order data. So, if you install this before updating, then I do not think the data will be imported.
Forum: Plugins
In reply to: [Quotes for WooCommerce] Mixed Quote and Cart Products
@cruisetastic in my config, this is how it works. But I am exploring options on how to possibly separate this into two different carts/orders. Any thoughts, Pinal Shah?
Thank you! I figured it out a while ago, but the loop detection helps!
Forum: Plugins
In reply to: [PDF Invoices & Packing Slips for WooCommerce] Invalid address (setFrom)
Server architecture Linux 4.15.0-1028-gcp x86_64
Web server nginx/1.15.12
PHP version 7.3.4-1+ubuntu16.04.1+deb.sury.org+3 (Supports 64bit values)
PHP SAPI fpm-fcgi
Forum: Plugins
In reply to: [PDF Invoices & Packing Slips for WooCommerce] Invalid address (setFrom)
Hi Ewout,
The only way I was able to get it to work was to uncheck the pdf invoice attachment option. Since doing that, I have not had any issues. But, it still does not work with attachments. I am using PHP 7.3. I am still using your plugin.
Unfortunately, downgrading to 7.2 is not an option for us. I can test it on a staging environment later, but it’ll take a couple weeks to get through my to-do list first.
If you need to test on your end, Mailgun accounts are free as long as you don’t go over a very generous quota. Try it out and see if you can come up with something. I’ll let you know if I find out anything further.
Forum: Plugins
In reply to: [PDF Invoices & Packing Slips for WooCommerce] Invalid address (setFrom)
I am using SMTP. I’ll have to dig into that a little more… It is a complicated issue!
I’m skeptical about the “from” failure that WP Mail Logging is giving. It might be something else? I agree that it’s probably some sort of header check somewhere. Can you provide an example of what a normal Woocommerce Email header w/ PDF attachment should look like?
I also have a ticket open with Mailgun. I’ll see what they say.