Forum Replies Created

Viewing 15 replies - 16 through 30 (of 52 total)
  • Thread Starter amanandhishoe

    (@amanandhishoe)

    However, in theme Twenty Twenty-Five in the Typography panel, I don’t see anything that says “Manage Fonts”. That is what is confusing. Select Typography and you see a list of Typesets. Below that is a list of Fonts, and below that is Elements, followed by Font Sizes.

    I did discover that clicking on the slider icon to the right of Fonts does bring up the Font Library panel. And after some playing around, I figured out how to install and change the fonts available to the theme, and that to change which fonts are used, I need to ignore the typesets and set the fonts I want for each Element.

    It would be more useful if the label “Fonts” said “Manage Fonts” and was a link to the Font Library.

    amanandhishoe

    (@amanandhishoe)

    I use it on sites running PHP 8.3 without any problems.

    Not a technical answer, but on the WooCommerce My-Account page, where there is both a login form and a registration form, it works for me, and I see two turnstiles on that page. But another option, if you are using Cloudflare’s DNS proxy service, is to protect such complicated pages with a JS Challenge, and not use Turnstile on those pages.

    Thread Starter amanandhishoe

    (@amanandhishoe)

    Yes. It works again with 1.26.5. Thank you.

    amanandhishoe

    (@amanandhishoe)

    They can find the code needed at https://developers.cloudflare.com/turnstile/

    The pdf.js file in pdfjs-viewer-shortcode/pdfjs/build/pdf.js says that it is version 2.6.347, which came out Sep 3, 2020. The current version is 4.3.136, released at the end of May 2024, and uses modular JavaScript using .mjs files instead of .js files. That has been the case since the v4.0.189 release in November 2023. There might be a problem using it on some sites, as not all sites return the correct content type header for .mjs files. Without the correct content type header, browsers will not run .mjs JavaScript. I had to have our host configure our nginx server to return the content type of javascript/application for .mjs files in order to run pdf.js v4.3.136.

    Cloudflare is the maker of Turnstile. There is no charge to use Turnstile. However, you do need to create a Cloudflare account, no charge, in order to use Turnstile. You will get a Site Key and a Secret Key from Cloudflare so that you can use Turnstile on your site. These keys are specific to your domain.

    When you set up Simple Cloudflare Turnstile, there are links to get these keys from Cloudflare.

    What Simple Cloudflare Turnstile does is implement Cloudflare Turnstile on your site. When someone looks at a form where you have placed it, Simple Cloudflare Turnstile communicates with Cloudflare Turnstile and Cloudflare Turnstile does some quick calculations to see if a human or a bot wants to submit the form. If it determines it is a human, it allows the form to be submitted. In most cases, there is nothing a person needs to do. There are no puzzles to solve.

    The problem you are seeing is that WooCommerce 8.5.0 added new tracking cookies with names starting with sbjs_ whose contents run afoul of a security rule many hosts use.
    What I discovered is that if you turn off this new feature in 8.5.0, the sbjs cookies are not created:
    WooCommerce -> Settings -> Advanced -> Features: Order Attribution. [] Enable this feature to track and credit channels and campaigns that contribute to orders on your site
    8.5.0 turns that on by default. Turn it off and the offending cookies will not be created.
    It won’t immediately get rid of customers whose browsers already have those cookies. They will need to delete those cookies or wait for them to expire. But new users will not get those problematic cookies.

    This is typical Woo behavior. They purposely cripple WooCommerce and nickel-and-dime users by charging for plugins that should be standard behavior of WooCommerce.

    That’s strange. I use Simple Cloudflare Turnstile with WPS Hide Login on several sites without any problems.

    Thread Starter amanandhishoe

    (@amanandhishoe)

    That’s good news.

    Thread Starter amanandhishoe

    (@amanandhishoe)

    Thank you. That sort of seems to defeat the purpose of the promise of full site editing that you need to use a plugin just to use other fonts.

    You can email me at [email protected]

    And another thing you can do by having your site protected by Cloudflare proxy DNS is to restrict the number of checkout requests an IP can make. You can have a rate limiting rule so that no IP can call checkout more than 5 times in 10 seconds or a minute. If they do that, you can either block them, or have Cloudflare put up a JS Challenge. It runs for a certain amount of time and if it doesn’t detect that there is a human, it doesn’t allow the request to go through.
    These are per IP, so even if a bot changes its IP when it is challenged after 5 times, the delay a JS Challenge forces on the bot will discourage it from trying to test cards on your site.

    Preventing card testing involves more than just using reCAPTCHA or Cloudflare’s Turnstile. Most of the time fraudsters are using bots to check credit cards on an e-commerce site. So what I found effective is a multi-layer approach to keep these bots from getting through.

    1 – I put my website behind Cloudflare proxy DNS and use Cloudflare’s WAF to block these bots. This way, bots don’t know the actual IP numbers of your site. All requests to your site go to Cloudflare and it forwards them on to your site. It has a number of security features you can use to block illicit traffic. It has a Super Bot Fight Mode, and you can block all definitely automated bots and only allow verified bots. It does block a lot of bot driven credit card fishing requests. You may need to add an exception for some bots so they can get through.

    You can also add your own WAF rules. I added some WAF rules of my own to block certain add-to-cart requests. For example, when people first access my site, I send a certain cookie. Any add-to-cart requests that do not have this cookie get blocked by a Cloudflare WAF rule. Most bot requests will not have this cookie. And I block any add-to-cart requests where the URL for the request would not exist on my site. For example, most of these bots send a request /?add-to-cart=1721 and nothing else. On a WooCommerce site that would never be a valid request. It would usually have a /product-category/category-name/?add-to-cart=1721 or something like that. So any requests which are nothing but /?add-to-cart=1721 I block with a Cloudflare WAF rule and those requests never reach my WordPress site.

    2 – Use velocity controls. I don’t know if PayPal has them, but many credit card processors do. In my case I don’t allow more than 5 credit card requests from the same IP in an hour. And no more than 3 credit card purchases per credit card in an hour. These velocity limits block a lot of malicious credit card requests.

    3 – I also have velocity controls in a plugin I wrote, so that if I see an IP sending add-to-cart requests faster than a human would, I empty that cart and block that IP from adding anything to a cart.

    4 – I use Wordfence’s Live Traffic option to see what is happening on my site. I can quickly spot any bot that is attempting numerous credit card transactions and block their IP, or even momentarily block the country the requests are coming from.

    5 – And there are plugins for detecting fraudulent transactions. You might find one that works well.

    Best of luck. This is a vexing problem for e-commerce sites. Plugins like WooCommerce need to do a much better job of detecting these card fishing transactions and blocking them.
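
Added example (not part of the original posts, and neither Cloudflare rule syntax nor the poster's plugin): a Python sketch of the add-to-cart filtering described in the two posts above, covering the bare `/?add-to-cart=` URL check, the first-visit cookie check, and a per-IP velocity limit. The cookie name `first_visit`, the 5-per-10-seconds limit as applied to add-to-cart, and all sample traffic are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from urllib.parse import urlsplit, parse_qs

COOKIE_NAME = "first_visit"       # hypothetical name for the cookie set on first access
MAX_ADDS, WINDOW_SECONDS = 5, 10  # assumed limit: 5 add-to-cart calls per 10 s per IP

class AddToCartFilter:
    """Return an allow/block verdict for each request seen at the edge."""
    def __init__(self):
        self.recent = defaultdict(deque)  # ip -> timestamps of recent add-to-cart calls
        self.blocked = set()              # IPs that exceeded the velocity limit

    def check(self, ts, ip, url, cookies):
        parts = urlsplit(url)
        if "add-to-cart" not in parse_qs(parts.query, keep_blank_values=True):
            return "allow"                     # not an add-to-cart request
        if ip in self.blocked:
            return "block:ip-blocked"
        if parts.path in ("", "/"):
            return "block:bare-add-to-cart"    # /?add-to-cart=NNN and nothing else
        if COOKIE_NAME not in cookies:
            return "block:missing-cookie"      # client never received the first-visit cookie
        window = self.recent[ip]
        window.append(ts)
        while ts - window[0] >= WINDOW_SECONDS:
            window.popleft()                   # drop calls that fell out of the window
        if len(window) > MAX_ADDS:
            self.blocked.add(ip)               # faster than a human: block further adds
            return "block:velocity"
        return "allow"

# Constructed sample traffic: (seconds, client IP, URL, cookies sent)
PRODUCT_URL = "/product-category/category-name/?add-to-cart=1721"
SAMPLE = [
    (0.0, "198.51.100.7", "/?add-to-cart=1721", {}),
    (1.0, "198.51.100.8", PRODUCT_URL, {}),
    (2.0, "203.0.113.5", "/product-category/category-name/", {COOKIE_NAME: "1"}),
] + [(3.0 + i * 0.5, "203.0.113.9", PRODUCT_URL, {COOKIE_NAME: "1"}) for i in range(7)]

def run(sample=SAMPLE):
    f = AddToCartFilter()
    return [f.check(*row) for row in sample]

if __name__ == "__main__":
    for row, verdict in zip(SAMPLE, run()):
        print(row[1], row[2], "->", verdict)
```

The same three conditions can be expressed as WAF and rate limiting rules at the proxy so that blocked requests never reach WordPress; the sketch only makes the decision logic explicit.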

    This link has helpful suggestions for dealing with card testing attacks.

    https://www.commercegurus.com/woocommerce-card-testing-attacks/
