Members not expiring
-
Hi
I had a member who cancelled their subscription on the 18th of this month.
He emailed me today to say he was still getting emails and access to the site.
I checked and although the IPN message from PayPal was a 200 response code there is nothing in his notes that says he was demoted etc.
According to S2member he is still a monthly subscriber.
I have demoted him manually.
Is this a bug or something I need to be worried about?
Do I have lots of people who have cancelled who are still able to access my site?
Can someone tell me if this is an issue.
Thanks
Rob
-
In fact I have just checked this for other members and I have multiple people on “daily passes” who should have been demoted months ago who are still accessing my site!
Here is one record from the users table
simon xxx [email protected] Daily Tips Member 0 Mon Apr 14th, 2014 @ precisely 11:29 pm I-LC59XRK1SK2E — Mon Jul 28th, 2014 @ precisely 7:24 am 1 1 1 Search google 31 Mon Sep 1st, 2014 @ precisely 5:37 pm 111
He subscribed on the 28th of July and should have been auto demoted a day later but you can see he logged in today!
This seems like a major problem in the software!
It was working fine.
I am using (as main plugins)
WP Super Cache
Cloudflare Plugin (to go with Cloudflare – is there an issue with this?)
Widget Cache
Login Limit
Strictly Tweetbot
Strictly AutoTags
Strictly Google SiteMap
Strictly System Reporter
Is there a known issue with Cloudflare?
I am just thinking if maybe your IPN messages need to be routed through the “non cloudflare url”, e.g. the “bypass.domain.com” that is auto config with Cloudflare, as maybe they are being blocked or cached – however this doesn’t explain the 200 status code that I got from the cancellation.
I have posted the actual request from PayPal below with major ID removed
txn_type=subscr_cancel&subscr_id=I-1NFVKXRFBFM8&last_name=xxxx&option_selection1=I-BW10AYR8NJKP&option_selection2=77.97.208.72&residence_country=GB&mc_currency=GBP&item_name=Monthly Tips Member / £29.99 per month&[email protected]&recurring=1&verify_sign=Ac-8lIpsfKfLswZPqFwbWTL2p6.HAj169zGzy2Bkz7p37NtpdHBRw-d.&payer_status=verified&[email protected]&first_name=xxxxx&[email protected]&payer_id=UE6QKGJ22MWFG&option_name1=Referencing Customer ID&invoice=53d130ac67da8~77.97.208.72&option_name2=Customer IP Address&reattempt=1&item_number=3&subscr_date=10:11:57 Aug 18, 2014 PDT&custom=www.ukhorseracingtipster.com&charset=windows-1252&notify_version=3.8&period3=1 M&mc_amount3=29.99&ipn_track_id=50e60ec9ac4fe
Should this be routed through my own bypass system for Cloudflare?
It seems like an urgent situation if people are remaining on the site when their payment is up.
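A way to audit for the situation described in the post above, as an added example that is not part of the original thread and is not s2Member code: it decodes IPN bodies using the `charset` field they declare, then lists members who still hold a paid level although their subscription ID appears in a `subscr_cancel` or `subscr_eot` message. The sample IPN, the member export and its column names are constructed for the example.

```python
from urllib.parse import parse_qsl

# Constructed sample IPN body shaped like the one posted above, with
# placeholder IDs. %A3 is the pound sign in windows-1252.
SAMPLE_IPN = (
    "txn_type=subscr_cancel&subscr_id=I-EXAMPLE00001"
    "&item_name=Monthly+Tips+Member+%2F+%A329.99+per+month"
    "&item_number=3&charset=windows-1252&ipn_track_id=constructed1"
)

# Constructed member export (hypothetical columns: login, level, subscr_id).
MEMBERS = [
    {"login": "alice", "level": 3, "subscr_id": "I-EXAMPLE00001"},
    {"login": "bob", "level": 0, "subscr_id": "I-EXAMPLE00002"},
    {"login": "carol", "level": 1, "subscr_id": "I-EXAMPLE00003"},
]

# Transaction types that mean a subscription is ending or has ended.
ENDING_TYPES = {"subscr_cancel", "subscr_eot"}


def parse_ipn(body):
    """Decode an IPN body using the charset the message itself declares."""
    # Field names and the charset value are ASCII, so a latin-1 first pass
    # cannot fail and is enough to read the declared charset.
    first = dict(parse_qsl(body, keep_blank_values=True, encoding="latin-1"))
    charset = first.get("charset", "utf-8")
    try:
        return dict(parse_qsl(body, keep_blank_values=True, encoding=charset))
    except LookupError:  # unknown charset name: keep the lossless decode
        return first


def still_paid_after_end(ipn_bodies, members):
    """Return (login, subscr_id, txn_type) for paid members whose
    subscription ID appears in a cancel or end-of-term message."""
    ended = {}
    for body in ipn_bodies:
        msg = parse_ipn(body)
        if msg.get("txn_type") in ENDING_TYPES and msg.get("subscr_id"):
            ended[msg["subscr_id"]] = msg["txn_type"]
    return [
        (m["login"], m["subscr_id"], ended[m["subscr_id"]])
        for m in members
        if m["level"] > 0 and m["subscr_id"] in ended
    ]
```

Treat the result as a review list rather than a demotion list: a `subscr_cancel` stops future billing and can arrive before the paid period has run out.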
I’ve no experience with Cloudflare, so can’t address that point.
But my first instinct would be to try flushing your cache and then deactivating WP Super Cache. Unless caching is set up correctly, all sorts of strange things can happen.
Hi
Well I did have WP Super Cache running for a year before any of these issues started happening.
If you notice another recent post I did state that Cloudflare is a reverse proxy so share IP addresses. I am wondering whether that causes issues as multiple users could have the same IP when accessing the site or making payments or even PayPal hitting the site.
I have now installed the module that “returns” the original user’s IP to the access logs so I will see if the blip in the summer was caused by me installing Cloudflare BUT not this module.
Also there is a sub domain, e.g. ignore.mysite.com, which means all requests bypass Cloudflare altogether. This is set up by default when you set Cloudflare up.
Therefore I am wondering whether key requests to PayPal or others should be using this “bypass” Cloudflare URL to make those requests to prevent any caching by this reverse proxy.
More and more people are using Cloudflare as it’s free and you can block whole country IP ranges, speed up sites with minification and “async” or “rocketscript” as they call it added to scripts/css and other cool features.
Therefore maybe it is something S2 should look at to see if it would cause any problems so they can add notes to the others on Amazon and other 3rd party tools AND maybe to their https://www.mysite.com/wp-content/plugins/s2-server-scanner.php tool to scan and see if it could cause potential problems.
Just thinking ahead as I know more and more people are using the tool and if this problem is fixed by me restoring the original IPs rather than the Cloudflare proxy IPs then this could be added to your tests and notes / Knowledgebase etc.
I will let you know if it does fix anything.
Thanks
Rob
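The IP restoration discussed in the post above, as an added example that is not part of the original thread and is not the Cloudflare module's code: the forwarded address in the `CF-Connecting-IP` header is accepted only when the connection really comes from the proxy, and stored records that captured a proxy address instead of the visitor's are listed. The proxy ranges, record layout and function names are constructed placeholders.

```python
import ipaddress

# Constructed placeholder ranges (documentation address space). A real
# deployment loads the ranges its proxy provider publishes.
TRUSTED_PROXY_NETS = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("2001:db8:100::/48"),
]


def is_proxy(addr, trusted=TRUSTED_PROXY_NETS):
    """True when addr belongs to one of the reverse proxy's ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in trusted)


def client_ip(peer_addr, headers, trusted=TRUSTED_PROXY_NETS):
    """Return the visitor address to log for one request.

    peer_addr is the TCP peer; headers is a dict keyed by exact header name.
    """
    if not is_proxy(peer_addr, trusted):
        # Direct connection: any forwarded-IP header is client-supplied
        # and untrusted, so it is ignored.
        return str(ipaddress.ip_address(peer_addr))
    raw = headers.get("CF-Connecting-IP", "").strip()
    try:
        return str(ipaddress.ip_address(raw))
    except ValueError:
        return peer_addr  # header missing or malformed: fall back to the peer


def proxy_tainted(records, trusted=TRUSTED_PROXY_NETS):
    """Logins whose stored registration IP is a proxy address, i.e. records
    written while original IPs were not being restored."""
    return [r["login"] for r in records if is_proxy(r["ip"], trusted)]


# Constructed records: two sign-ups logged with the same proxy address.
RECORDS = [
    {"login": "alice", "ip": "198.51.100.7"},
    {"login": "bob", "ip": "198.51.100.7"},
    {"login": "carol", "ip": "203.0.113.9"},
]
```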
I understand what you say about WP Super Cache, but only yesterday someone reported a problem with their site, and it turned out the problem was with W3 Total Cache, which they had been running on their site for quite a while.
Updates to plugins change things, and that applies to caching plugins as much as any other. (Actually, from looking at the forums for W3 and WP Super Cache, updates are a frequent cause of problems for those plugins).
So I would still check.
Hi
Just to let you know a daily member (daily subscription) signed up the other day and last night they were kicked off automatically by your system and I can see in the Admin notes the correct data e.g
Demoted by s2Member: Mon Sep 1, 2014 9:50 pm UTC
Paid Subscr. ID @ time of demotion: paypal -? I-AYVCV9A17V91
So maybe this is working again.
Rob
Hi
Sorry, boss walked in so I had to finish.
I understand about caching plugins changing and I cannot use W3 Total Cache on this one site due to the way it works as I don’t want certain things minimised or cached that seem to be no matter what settings I put in.
Therefore I have managed over the last two years to get a core set of plugins (some written or modified by myself) to work on this one site. The one new addition over the summer has been Cloudflare which does seem to have thrown up issues.
I realised my OWN .htaccess rule of banning blank user-agents was causing payment issues so I know now to ensure they are at least 2 chars long as it was stopping IPN notifications coming through.
Also I have just realised that I installed the Cloudflare module (and Akismet plugin) over a month ago so it shouldn’t have affected the cancellation IPN notification for this other user BUT when he signed up in the first place he may have been logged into your system with a Cloudflare proxy IP address (all Amazon apparently and listed on their site).
This may have meant the linking of the registration and cancellation IPN notifications was askew. I don’t know how your system works in regards to IPs behind the scenes but it’s just my theory.
However this daily member who joined and left AFTER the Cloudflare IPs were restored looks to be a good sign that restoring original user IP addresses with the CloudFlare module (even on older LINUX systems you can force the module’s use) is a “must” for your plugin to work with CloudFlare.
One thing I would like to know is that your security check file > s2-server-scanner.php keeps throwing up the same error.
Although NOT required, s2Member recommends that you reinstall the following plugin directory: /home/mysite.com/public_html/wp-content/plugins/s2member. The checksum for this plugin directory (2c6ad8138fe267a039b53aa86425ed2a), does NOT match up with the official release of this plugin (fe5b4d8fea0ad64e6be257a6b6bba04c). An invalid checksum can be caused by an incomplete set of files. Or, by files that should NOT appear in this directory. Or, by corrupted files in this directory. Reinstalling the official release of this plugin should correct this issue.
I have tried
-deleting the directory and re-uploading with FileZilla the whole folder downloaded from your site.
-using WP to upgrade to your latest version.
-bypassing Cloudflare when I run it.
But nothing seems to work. Ideas?
Also maybe a check for the CloudFlare IP ranges (they are listed on their site) and showing warning messages about using them could be added to this page as it is a useful tool and maybe could be standard admin functionality.
Same with checking for access to the site with a blank user-agent or any of your custom HTTP libraries as a lot of people ban CURL, WGet, blank agents and so on.
Also for telling people what they need to do to get the S2 security badge as I am at a loss to what I need to do to get a 1 from my check. My hashes in my config are over 60 chars long, I block brute force attacks and shared IP use by the same user. So I am stuck on what is actually causing the 0 to be returned. Is there code I can check (unencrypted?) or a way of finding out easily what is breaking it?
Adding these features would make the scan page even better and more useful from an admin’s perspective. Just an idea.
Thanks
Rob
I’m assuming you have the Pro version, in which case you need to talk to Pro support at https://www.s2member.com/contact/
Nope don’t have the Pro version, just wanted to try the free version out as I only needed 4 subscription levels so I didn’t know what the pro version offered me extra.
Plus I’m an ok PHP developer/plugin writer/debugger so I have been able to fix most bugs I’ve come across myself.
I just thought there might have been some ideas for the admin panel, e.g. to have the “test” page built into it with extra options.
Thanks
Rob
- The topic ‘Members not expiring’ is closed to new replies.