jlmwp
Forum Replies Created
Hello
We use a shared hosting provider that uses Litespeed as web server and Modsecurity.
Thank you.
Hello
Adding those lines to the .htaccess file solved the problem. The option is now working correctly.
Thank you for your support.
Hello
After the last test, I looked for information about the http referer and WordPress. I found this link https://www.malcare.com/blog/referrer-policy-wordpress/
Following this information, I added these lines to the beginning of the .htaccess
# Set Referrer-Policy
<IfModule mod_headers.c>
Header set Referrer-Policy "no-referrer-when-downgrade"
</IfModule>
I tested and the comments were added correctly! The debug.log file did not change.
I still need to test this on a full working installation, but looks like a possible workaround.
Regards
Hello. I changed the code as you described. This is the file.
After the test, the debug.log file was created. It only has this line: “[11-Oct-2024 14:52:31 UTC] comment spam due to referrer and user agent issue”
Regards
Hello
I asked my hosting about this. They say that the only blocking made by ModSecurity in the test domain is to the file xmlrpc.php, and none of the IPs match the ones of the comments.
This is a capture they sent me
The web server we use is Litespeed. Could this be the cause?
Regards.
Hello.
Thank you for the update.
I downloaded the file you sent. I uninstalled and deleted the installed version. Then I uploaded and installed the new file.
I applied the configuration you sent and retested the comment.
The comment was marked as spam.
Regards.
Hello
I removed the snippet and tested the 9.4.0-beta.2 version with the cart shortcode.
It worked without errors. The action for the “woocommerce-shipping-calculator” form was the full cart url.
This worked well on a conflict free installation (only Woocommerce and Twenty Twenty-Four theme) and on an installation with all the other plugins enabled and the Theme we use.
Thank you very much.
- This reply was modified 1 month, 2 weeks ago by jlmwp.
Hello
I checked and only this plugin is active
Your posted comment was indeed marked as spam. I also tested with my admin user while logged, and a test from a mobile device. All were marked as spam.
These are the headers I recovered from the last test.
- GENERAL
Request URL: https://dev3.bicicosas.cl/wp-comments-post.php
Request Method: POST
Status Code: 302 Found
Remote Address: 200.73.115.33:443
Referrer Policy: no-referrer
- RESPONSE
cache-control: no-cache, no-store, must-revalidate, max-age=0
content-length: 0
content-type: text/html; charset=UTF-8
date: Tue, 08 Oct 2024 14:48:50 GMT
edit: Set-Cookie (.*) “$1;HttpOnly;Secure”
expires: Wed, 11 Jan 1984 05:00:00 GMT
location: https://dev3.bicicosas.cl/2024/09/25/hello-world/#comment-6
referrer-policy: no-referrer
server: LiteSpeed
set-cookie: comment_author_05523445a92ef4e351aef48dc345c80b=%20; expires=Mon, 09-Oct-2023 14:48:50 GMT; Max-Age=0; path=/; secure
set-cookie: comment_author_email_05523445a92ef4e351aef48dc345c80b=%20; expires=Mon, 09-Oct-2023 14:48:50 GMT; Max-Age=0; path=/; secure
set-cookie: comment_author_url_05523445a92ef4e351aef48dc345c80b=%20; expires=Mon, 09-Oct-2023 14:48:50 GMT; Max-Age=0; path=/; secure
setifempty: Referrer-Policy: same-origin
strict-transport-security: max-age=300; includeSubDomains; preload
vary: User-Agent
x-content-type-options: nosniff
x-frame-options: sameorigin
x-permitted-cross-domain-policies: none
x-powered-by: PHP/8.1.29
x-redirect-by: WordPress
x-xss-protection: 1; mode=block
- REQUEST
:authority: dev3.bicicosas.cl
:method: POST
:path: /wp-comments-post.php
:scheme: https
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
accept-encoding: gzip, deflate, br, zstd
accept-language: es,en-US;q=0.9,en;q=0.8
cache-control: no-cache
content-length: 172
content-type: application/x-www-form-urlencoded
cookie: jeost9tk=wkdl0i0lu65v; dea3ct95=9q3qcnx7c6ui; le67hezg=harnpbrxk5r7
origin: null
pragma: no-cache
priority: u=0, i
sec-fetch-dest: document
sec-fetch-mode: navigate
sec-fetch-site: same-origin
sec-fetch-user: ?1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (iPhone; CPU iPhone OS 16_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1
According to your suggestions. I don’t know if I’m understanding this right, but I’ll try.
- “HTTP_REFERER and HTTP_USER_AGENT are blank”
I could not find the “HTTP_REFERER” header, but on the “General” headers, the “Referrer Policy” is set to “no-referrer” and on the Request Headers, the “user-agent” is set to “Mozilla/5.0 (iPhone; CPU iPhone OS 16_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1”
- ” or the keys for form hidden field and set cookies if do not match”
This is the html code for the antibot-keys
<p class="comment-form-aios-antibot-keys">
<input type="hidden" name="n5aip6c1" value="ha25m2vs4aa1">
<input type="hidden" name="ffqu9qt4" value="lodm1911pb2x">
</p>
And on the Request headers, I only found this header
“cookie: jeost9tk=wkdl0i0lu65v; dea3ct95=9q3qcnx7c6ui; le67hezg=harnpbrxk5r7”
I don’t know if any of this could be the reason.
One thing. Our hosting has very strict rules for Modsecurity. Could this be related somehow?
Thanks.
Hello
Thank you for your answer. I’ll add some captures of what I did this time.
I changed the settings as you described.
On the site, I checked the comment form for the antibot keys. They were added.
I added two comments. This time my IP was not blocked, but both comments were marked as spam.
I tried this same test on a brand new installation. The comment was also marked as spam.
This is my dev site which is a clone of the production site with all other plugins disabled and the default theme: https://dev2.bicicosas.cl/cuales-son-los-accesorios-basicos-para-mi-bici-nueva/
This is another dev site which is the new installation: https://dev3.bicicosas.cl/2024/09/25/hello-world/
Thank you.
Hello
OK. I tried replacing the “[woocommerce_cart]” shortcode with the Woocommerce Cart Block.
Unfortunately one of the other plugins was not compatible with the Cart Block, so it didn’t work as we needed.
After reading the github post we decided to apply this snippet which reverts the changes made on the 9.3.0 version and allows us to keep Woocommerce updated.
// Cart fix for 9.3.x
function woocommerce_get_cart_url_fixed(){
    // Always return the full permalink of the configured cart page
    return wc_get_page_permalink('cart');
}
add_filter('woocommerce_get_cart_url', 'woocommerce_get_cart_url_fixed');
With this the cart url is always the full url. On our site this works well.
Thank you for all your support.
Hello
I found the reason!
Short version: My cart page was using the Woocommerce Cart Shortcode “[woocommerce_cart]”. This generates the error. Using the Woocommerce Cart Block works fine.
Long version:
Following your suggestion I installed Woocommerce from scratch on a new site on my current hosting. Turned out, it worked fine. After checking all the settings between the dev site and the new site, I found the cart pages were built differently. The old one with the shortcode, and the new one with the block.
So, on my dev site I created a cart page that uses the Cart Block, assigned it as my Cart page, and, voilà, it worked.
This was my old cart page that uses the shortcode. This generates the error (Link to image https://snipboard.io/QsLXkN.jpg)
This is my new cart page that uses the block. This works fine (Link to image https://snipboard.io/7yJdou.jpg)
I still need to test this with all the Plugins active and the Theme we use, but at least works on the tests.
As @assassinateur suggests, I know my hosting uses Modsecurity and it’s probably one of its rules that is blocking the shortcode cart. What I don’t know is why, and why it works on version 9.2.3.
At least I have a better fix. It would still be a good thing that both versions worked (shortcode and block), but for now I’m going to use the woocommerce cart block.
Thank you all for your suggestions.
Hello
I made the conflict test as you mentioned and followed this guide (https://woocommerce.com/document/how-to-test-for-conflicts/) step by step.
This time I used the Twenty Twenty-Four Theme and checked that the .htaccess file contains only the rules that WordPress needs to run.
I got the same error.
Error on the console (Link to image https://snipboard.io/c73Zsk.jpg)
For now I’m just going to use Woocommerce version 9.2.3 and I’ll be checking the github thread to see the progress.
If I can provide more information, please tell me.
Thank you.
Forum: Plugins
In reply to: [WooCommerce] Shipping methods amounts incorrectly rounded
Thank you.
Hello
The code I shared here no longer works. MercadoPago is including its libraries in a different way.
I am leaving the code only as general information.
The new way MP incorporates its libraries has less impact on the performance of our site.
Thank you. Regards.