Update today and website in critical error

All my broken sites are on Plesk using ModSecurity.

WooCommerce versions 8.5.0 and 8.5.1 BOTH trigger ModSecurity to block access with error 403 forbidden.

I’ve resolved this by adding an exception for (switching off) security rule ID 218500. (This rule is: SQLmap attack detected)

This can be done at either server level in Tools & Settings or on a site by site basis under the Web Application Firewall link.

Hope that helps.

Hey there, @nanny7! Thanks for contacting us. I’m happy to help you.

As @thewebsmiths mentioned, there’s a known issue with Web Application Firewall (ModSecurity). We are currently looking into it and will share updates as soon as we have them. You can keep an eye on this blog post if you wish for news about it.

If you want, you can try the solution provided above or you can roll back to 8.4 for now.

You can find older versions to download here.

If you prefer, you can also use a plugin such as WP Rollback to help you with this process. You can find the plugin here.

Please let us know if you have any further questions.

Have a wonderful day!

Many thanks?@sureshramasamy!

Option 3 below has done the trick for me. It’s an easy setting to change, no need for a roll back. I have no need to enable the option anyway, surely it should be disabled by default?

What action should I take?

• Plesk already has a help article targeting this issue, identifying Comodo rule with ID 218500 being false-positively triggered when Woocommerce 8.5 is in use. They recommend disabling the rule following the steps on their page.
• Check with your host to see if ModSecurity is enabled. If that is the case, you may ask your host to adjust the firewall rules to allow the cookies set by Woo’s Order Attribution feature. You can find more information about the cookies used by this feature in our documentation.
• If the above doesn’t work for you, disable the Order Attribution feature to prevent future users from seeing the 403 errors by going to WooCommerce > Settings > Advanced > Features and toggling the Order Attribution feature off.

• This reply was modified 10 months, 2 weeks ago by lanxalot.

Thank you everybody for your help. I have asked the host and will see whether they prefer to add a rule or for me to toggle the Order Attribution feature off.

Hi this is the response from the host:

If Woocommerce triggers the WAF rules, the site will show 403 Forbidden.

However, in your situation, after updating plugins, your site is showing Critical Errors.

I believe something else is at play here.

Hi my settings won’t let me toggle the?WooCommerce > Settings > Advanced > Features?and toggling the?Order Attribution?feature off.
https://imgur.com/a/Nqmd9da

Hey, @nanny7!

The screenshot you sent is from the Order data storage options.

Order Attribution is on that same page, but a few options below:

Please also make sure your theme and all your plugins are updated, as outdated plugins and themes can also cause issues on the site.

—

If you are still having issues, please share a full screenshot of WooCommerce > Settings > Advanced > Features so we can take a look.

Furthermore, I’d like to understand your site properly. Please share with us the necessary information below for us to investigate the issue further:

System Status Report which you can find via WooCommerce > Status > Get system report > Copy for support.
Fatal error logs (if any) under WooCommerce > Status > Logs.
You could copy and paste your reply here or paste it via https://gist.github.com/ and send the link here.

Have a wonderful day!

Hi @nanny7

For some settings, you need to synchronise the orders (in the same advanced tab/ window) before you can change them.

Thanks you, everything seems to be working at the moment.

I’m having the same issue. I restored from a stable backup. Will these workarounds help me if I’m using Hostinger for my VPS?

Hello ramwoodstudio

As per our support policy, please create a new topic so we can help you with your issue separately.

Looking forward to your new topic. ??

• This reply was modified 10 months, 1 week ago by Zubair Zahid (woo-hc).

@ramwoodstudio

Check option three in the solutions I posted above. Will only take you a moment to test. Cheers!

Hello Everyone! ??

If anyone else is facing this issue too, I suggest checking out the guide shared on our dev blog: https://developer.woo.com/2024/01/16/woocommerce-8-5-1-issues-with-web-application-firewalls-modsecurity/

If the solutions there don’t resolve the issue, please create an issue on our GitHub repo. This way, our developer can find it, share a solution, and release a patch to fix the issue.

Thanks for understanding! ??

A new ModSecurity rule set for Comodo (free) has rolled out within Plesk this morning which seems to have resolved the issue across all my affected sites.