neandertool
Forum Replies Created
Forum: Plugins
In reply to: [WooCommerce] Security Concern: Direct Add-to-Cart GET Requests Vulnerability

This issue has been driving me completely insane ever since I added code to our site to track add-to-cart activity.
I can confirm that we have successfully dealt with the issue with the following code:
// Prevent direct add-to-cart requests by bots outside of AJAX: answer 403 and log the attempt
function prevent_bots_add_to_cart() {
    // Only a plain (non-AJAX, non-admin) request carrying an add-to-cart query parameter is blocked
    if ( isset( $_GET['add-to-cart'] ) && !wp_doing_ajax() && !is_admin() ) {
        status_header(403);
        nocache_headers();
        // Get time and date (note: this changes PHP's default timezone for the rest of the request)
        date_default_timezone_set("Europe/Paris");
        $time = date("d-m-Y H:i A");
        // Get bot's country by geolocation (needs the WooCommerce MaxMind geolocation integration)
        $wc_geo = new WC_Geolocation();
        $bot_geo_details = $wc_geo->geolocate_ip();
        $bot_country_code = $bot_geo_details["country"];
        $bot_ip = $wc_geo->get_ip_address(); // not used below; REMOTE_ADDR is logged instead
        if ( !empty( $bot_country_code ) ) {
            $bot_country = WC()->countries->countries[$bot_country_code];
        }
        else {
            $bot_country = "UNKNOWN";
        }
        // Collect request details, falling back to "unset" when a value is absent.
        // User-Agent and Referer are client-supplied strings and are written to the log unescaped.
        if ( isset( $_SERVER['REMOTE_ADDR'] ) ) {
            $ip = $_SERVER['REMOTE_ADDR'];
        }
        else {
            $ip = "unset";
        }
        if ( isset( $_SERVER['REQUEST_METHOD'] ) ) {
            $request_method = $_SERVER['REQUEST_METHOD'];
        }
        else {
            $request_method = "unset";
        }
        if ( isset( $_SERVER['REQUEST_URI'] ) ) {
            $uri = $_SERVER['REQUEST_URI'];
        }
        else {
            $uri = "unset";
        }
        if ( isset( $_SERVER['SERVER_PROTOCOL'] ) ) {
            $protocol = $_SERVER['SERVER_PROTOCOL'];
        }
        else {
            $protocol = "unset";
        }
        if ( isset( $_SERVER['HTTP_USER_AGENT'] ) ) {
            $user_agent = $_SERVER['HTTP_USER_AGENT'];
        }
        else {
            $user_agent = "unset";
        }
        if ( isset( $_SERVER['HTTP_REFERER'] ) ) {
            $referer = $_SERVER['HTTP_REFERER'];
        }
        else {
            $referer = "unset";
        }
        // Log bot data to file
        // Note: this path is inside the web root (wp-content), so the log is readable by anyone who knows its name
        $bots_log_file = $_SERVER['DOCUMENT_ROOT'] . '/wp-content/bots_add_to_cart.log';
        $data = "===================================================\n\n";
        $data .= $time . "\n\n";
        $data .= "Blocked add-to-cart attempt by bot\n\n";
        $data .= "IP: " . $ip . "\n";
        $data .= "Country: " . $bot_country . "\n";
        $data .= "Request URI: " . $request_method . " " . $uri . " ( " . $protocol . " )\n";
        $data .= "User Agent: " . $user_agent . "\n";
        $data .= "Referer: " . $referer . "\n";
        $data .= "\n\n\n";
        file_put_contents( $bots_log_file, $data, FILE_APPEND );
        // Stop WordPress from rendering anything further for this request
        exit('Forbidden');
    }
}
add_action('init', 'prevent_bots_add_to_cart');

Please note the following about the above code:
- Add the above code to your theme’s functions.php file or a custom plugin
- We only use AJAX add-to-cart
- We use the MaxMind Geolocation integration within WooCommerce to determine the country for an IP address; remove this part of the code if you do not use that integration
- Obviously it’s not vital to log the bot activity to file, but handy if you want to double-check against your server logs to ensure exactly what’s going on with your site.
Additionally we block the action of legitimate crawlers that actually obey the rules using our robots.txt file:
User-agent: *
Disallow: /*add-to-cart=*
Disallow: /basket/
Disallow: /checkout/
Disallow: /my-account/

Adjust the “Disallow” endpoints above as appropriate to your setup.
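The post suggests keeping the log so it can be double-checked against the server logs. The following script is an added example, not code from the forum post or from WooCommerce: it parses the record layout the posted hook writes (separator line, timestamp, banner, then `Key: value` lines), counts blocked attempts per IP, country and user agent, pairs each record with a 403 line from an Apache combined-format access log, and lists direct add-to-cart GETs that did not receive a 403, which would mean the hook never saw them. Both log samples are constructed with documentation IP ranges; the User-Agent and Referer values come from the client, so the parser treats them as opaque strings and skips any record that is incomplete rather than guessing.

```python
# Added example, not from the forum post: analyse bots_add_to_cart.log records
# written by prevent_bots_add_to_cart() and cross-check them with access-log lines.
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample in the exact record layout the PHP hook appends (not a real log).
BOTS_LOG = """\
===================================================

14-03-2024 09:12 AM

Blocked add-to-cart attempt by bot

IP: 203.0.113.7
Country: France
Request URI: GET /?add-to-cart=123 ( HTTP/1.1 )
User Agent: Mozilla/5.0 (compatible; ExampleBot/1.0)
Referer: unset



===================================================

14-03-2024 09:20 AM

Blocked add-to-cart attempt by bot

IP: 198.51.100.9
Country: UNKNOWN
Request URI: GET /shop/?add-to-cart=55 ( HTTP/2.0 )
User Agent: curl/8.4.0
Referer: https://example.invalid/
"""

# Constructed Apache combined-format access-log lines for the same window.
ACCESS_LOG = """\
203.0.113.7 - - [14/Mar/2024:09:12:01 +0100] "GET /?add-to-cart=123 HTTP/1.1" 403 9 "-" "Mozilla/5.0 (compatible; ExampleBot/1.0)"
198.51.100.9 - - [14/Mar/2024:09:20:05 +0100] "GET /shop/?add-to-cart=55 HTTP/2.0" 403 9 "https://example.invalid/" "curl/8.4.0"
192.0.2.4 - - [14/Mar/2024:09:21:00 +0100] "POST /?wc-ajax=add_to_cart HTTP/1.1" 200 312 "https://shop.example/product/x/" "Mozilla/5.0"
192.0.2.5 - - [14/Mar/2024:09:22:10 +0100] "GET /?add-to-cart=77 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

SEPARATOR_RE = re.compile(r"^=+$", re.MULTILINE)  # the "====" line between records
REQUEST_RE = re.compile(r"^(?P<method>\S+) (?P<uri>\S+) \( (?P<protocol>[^)]+) \)$")
FIELDS = {"IP": "ip", "Country": "country", "Request URI": "request",
          "User Agent": "user_agent", "Referer": "referer"}
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<protocol>[^"]+)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$')

def parse_bots_log(text):
    """One dict per complete record; malformed or truncated records are skipped."""
    records = []
    for chunk in SEPARATOR_RE.split(text):
        lines = [ln.strip() for ln in chunk.splitlines() if ln.strip()]
        if not lines:
            continue
        rec = {"time": lines[0]}  # first non-blank line is the d-m-Y H:i A timestamp
        for ln in lines[1:]:
            key, sep, value = ln.partition(": ")
            if sep and key in FIELDS:  # the "Blocked ..." banner has no key and is ignored
                rec[FIELDS[key]] = value
        m = REQUEST_RE.match(rec.get("request", ""))
        if "ip" not in rec or m is None:
            continue
        rec.update(m.groupdict())  # adds method, uri, protocol
        records.append(rec)
    return records

def summarise(records):
    """Counts of blocked attempts keyed by ip, country and user_agent."""
    return {k: Counter(r[k] for r in records) for k in ("ip", "country", "user_agent")}

def parse_access_log(text):
    """Parse combined-format lines; lines that do not match the format are dropped."""
    hits = [m.groupdict() for m in map(ACCESS_RE.match, text.splitlines()) if m]
    for h in hits:
        h["status"] = int(h["status"])
    return hits

def is_direct_add_to_cart(method, uri):
    """The request shape the hook blocks: a GET whose query string carries add-to-cart."""
    return method == "GET" and "add-to-cart" in parse_qs(urlsplit(uri).query)

def cross_check(records, hits):
    """Pair every blocked record with one 403 access-log hit for the same IP, method and URI."""
    pool = [h for h in hits if h["status"] == 403]
    matched, unmatched = [], []
    for rec in records:
        key = (rec["ip"], rec["method"], rec["uri"])
        idx = next((i for i, h in enumerate(pool)
                    if (h["ip"], h["method"], h["uri"]) == key), None)
        if idx is None:
            unmatched.append(rec)
        else:
            matched.append((rec, pool.pop(idx)))
    return matched, unmatched

def unblocked_direct_add_to_cart(hits):
    """Direct add-to-cart GETs that did not get a 403, i.e. the hook never ran for them
    (a cached page, or the hook not active); these are the lines worth investigating."""
    return [h for h in hits if is_direct_add_to_cart(h["method"], h["uri"]) and h["status"] != 403]
```

Run it against the real files by replacing the two constructed strings with the contents of `wp-content/bots_add_to_cart.log` and the web server's access log; an `unmatched` record means the hook logged something the server did not record as a 403, and any result from `unblocked_direct_add_to_cart()` is a request that bypassed the hook entirely.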
Hello,
Incredible, thank you very much. That was very fast!

Hello,
Thank you very much, that would be fantastic!

Hello,
Thank you very much for taking my request into account. The plugin is very good apart from this major problem.
Have a good day

Yes, I have to agree with wp_user1. It is super annoying that you must use custom HTML to style this email, but then have to remove all line breaks in your code to get your email to display correctly without excess white space from the line breaks.
The real question is why this particular email has to be manually created with HTML at all when MailPoet has a built-in drag-and-drop email editor?