ostinatofreak

You speak dismissively about Wordfence – a mere “free plugin” that still renders its website an “easy target.” In this Bluehost article, https://www.bluehost.com/blog/wordfence-increases-security-on-your-wordpress-site/, Bluehost calls Wordfence a “robust website application firewall and malware scanner” and rates the plugin “highly.”

You say “if” I keep restoring the site without putting “preventative measures” in place as if Wordfence weren’t a preventative measure, as if we weren’t changing passwords, as if we weren’t immediately updating the core and all plugins/themes upon restoration, and as if we weren’t running a deep Wordfence scan after all this is done to certify that the site is clean, all of which we are doing.

Furthermore, if it’s Bluehost’s official position that no WordPress site is “properly” secured unless the client purchases SiteLock, then why doesn’t Bluehost just mandate SiteLock for all its sites? There is a reason why some surgeries aren’t covered by insurance companies – they aren’t necessary. If SiteLock were as critical as you’re making it sound (i.e. any WordPress site that doesn’t have it isn’t “properly” secured!), it would be incorporated into the Bluehost hosting plan as a non-negotiable feature.

I had another WordPress site that was once infiltrated. Bluehost notified me that a virus was detected on the site. The SiteLock people gave me an aggressive sales pitch that made me feel like anyone who has WordPress without SiteLock is an irresponsible fool, and Bluehost was going to mandate SiteLock if I didn’t eliminate the virus myself (or shut down my website). I declined the service, restored the site myself from my own backup, and it eliminated the virus. The site was never infected again – that’s when I first installed Wordfence. It wasn’t a headache. It was just 2 commands in FileZilla and I was done. WAY easier, simpler and cheaper than dealing with the high-pressure SiteLock sales pitch.

If my site is infected repeatedly after restoring, updating and scanning (with a perfect score from a Wordfence scan), one can’t help looking at Bluehost itself, wondering if the virus is coming from the server. You are ASSUMING this can’t possibly be the explanation (or at least, you are ignoring that possibility in your reply) and talking like the only possible cause here is the WordPress site itself.

Thanks Paulina for the information. I’m not sure if you work for Jetpack or not, but whoever does should take note that the information you just provided is woefully missing from the import process. This is extremely basic information to withhold from the user. First, the Import Subscribers screen should say directly on it, prominently, what the current user import limit is. Jetpack’s current import screen says absolutely nothing about this. Second, when a user tries to go beyond this limit and can’t, Jetpack should provide an error message saying something like “maximum imported users exceeded” or something. Currently, Jetpack says absolutely nothing. No error message. It just silently fails. These are both such egregious oversights that even if they were fixed, I have no desire to support a plugin coded with such little forethought put into it – to me this is common sense and vital to its use. Furthermore, the WP SMTP plugin combined with the Better Notifications plugin and WebToffee Import Export plugin ends up being cheaper to use for notifying people of new posts than using Jetpack. Right now, Jetpack is a crappy deal since it’s more expensive for a plugin that does a really lousy job communicating its functionality to users and charges more for this deficiency.

I consider SiteLock to be a borderline scam / money grab. SiteLock tries to get customers to buy a lot more than they need, and the services they provide are severely overpriced for the amount of labor they’re performing when they clean a site.

If we restore a clean backup of the WordPress site and Wordfence certifies it’s clean with a deep malware scan, then it’s infected a week later, then we wipe the site again and restore the backup again and certify it’s clean again with another Wordfence deep scan, over and over again, at some point one must consider the possibility that the infection is coming from the server.

That’s great news! Our next membership year begins March 2024, so this would be very good timing.

“there are ampersands and other “special characters” there indeed.”

So it turns out there were no ampersands. That’s some really unclear communication. I guess the word “or” should have been used… or a different special character (one that’s actually in my form) should have been mentioned instead, such as “there are dollar signs and other special characters there.” Specifically telling me that there is an ampersand in the form (and other special characters) makes me think I’m not looking in the same place in my form that you’re looking. Someone had to see the $ and + symbols in the form… so why didn’t they say “$ and other special characters” instead of throwing me off with “ampersand and other special characters”?

Again I’m inclined to leave it as is for the time being. This is the worst time of the year to make any changes to a form that is working, right in the middle of membership renewal. There have already been 30 submissions, all with a variety of options selected and donation amounts inputted (some donating, others not), and all of the submissions were successful with the correct amounts charged in the final submission. I’m sure that special characters might cause some kind of problems in some Forminator forms, but evidently not this one. For the purposes of this particular form, the presence of the Currency field was the only factor that had any effect on the outcome.

For the next release of Forminator, are you going to just change the sanitization algorithm so that all special characters are removed? Looks like it already removes some such as the front slash – not sure why it only sanitizes that one but not others.

I guess one interesting question might be why the special characters in this form ($ and + and maybe the () symbols) are not causing it to malfunction in any ways that affect the final submission (or notifications/confirmations) for the end user.

Please tell me exactly which field and exactly which value in the form uses an ampersand. The ampersand is the only “special character” you have mentioned specifically.

I haven’t touched any of the radio button field values, and the form has been working fine with people using it to renew their memberships.

There are no fields in the entire form that have the ampersand character in it. (And the only place that even mentions spouse/children is the Relationship field, which offers the options “Spouse” and “Children” each as separate options.)

Yes correct, the workaround is successful. A couple other people used the form, even after I added a few more visibility rules that were there before, and it works, charging the correct amount on the credit card. It looks like Forminator indeed has a problem involving the currency field.

1. I just used https://washoetennis.org/membership-old/ and did Junior Membership ($50) with optional $15 donation. The whole transaction went through correctly, charging me $65 on my credit card.
2. I went to change the “After submission” Inline message (is that what you were talking about?), and the message already has no calculation field. It just says “Membership complete – thank you for your support!” I also went to the email notifications, and the email sent to the New Member just has {name} and {all non empty fields}, nothing else. So it appears that my scenario #1 was actually a test of your #2. So to do your #1 item, I added {calculation-1} into the on-screen confirmation (“$xxx received”) and also the email notification that goes out to the new member. This time with Junior membership ($50) again and optional $5 donation. It went through correctly as $55.
3. I replaced the currency field with a number field and updated the Total to include that instead. I used $0 optional donation and Junior Membership ($50), and the transaction was successful – it charged me $50, and all confirmations/notifications correctly displayed $50. So it seems that your currency field has some kind of bug in how it is handled after submission.

That new formula unfortunately didn’t work – I still got “This value must be greater than or equal to 1.”

But after my more recent posts, I’m starting to think this has less to do with the formula than it has to do with Forminator’s behind-the-scenes handling of calculation fields. The “Total” field in the form is showing up correctly whether I use ({field}) or just {field}… but the amount gets reset to 0 after the user clicks Submit.

And here is another pastebin for you: the current form, the one that doesn’t use Stripe at all. Again, this form shows the correct total on screen, but after the form is submitted, the total is shown as $0 in the submissions, on-screen notification message and all confirmation emails.

https://pastebin.com/TqWnXQ2T
(expires on 2/19)

I think I might have stumbled across a clue about this “must be greater than 0” error (which in turn might also be the cause of the “Stripe field doesn’t exist” error). In testing the new Forminator form at the current live URL (washoetennis.org/membership) which has credit card payment removed from the form, I’ve filled out the form, twice now, using Family Membership for the membership type, which means the Total field reads $170. I see with my own two eyes that the Total field says $170 when I submit the form. But then when I get the on-screen notification that’s supposed to remind me to send in my $170 payment, it says to send in a $0 payment. The email notification I get says Total: $0. And if I go to “submissions” in forminator to see the complete content of the submissions, it says $0. It seems Forminator’s calculation fields are sometimes showing the user one thing on screen, but doing another thing behind the scenes.

Unfortunately, our organization has decided to remove the credit card field from the Membership form since this bug still persists. I have made a copy of the old form on a page that isn’t indexed on the site, but I published the page just so you can continue to test it if you want. It is washoetennis.org/membership-old

This also uses the old version of the form that is represented above in the pastebin.

Just curious (just an idea), is it possible this problem could be caused by the Total field calculation being the following formula:

{radio-1}+{radio-4}+{radio-5}+{radio-6}+{radio-7}+{currency-1}

Only one of the 5 “radio” options will show any given month of the year (the price of membership changes based on the month and also whether people are newcomers or not). I think any person using Forminator would assume that when being asked to calculate a Total adding up various fields that are invisible, it would just yield “0” because those are null (like in Excel when adding cells that have nothing in them). But if Forminator doesn’t allow invisible fields to be used in calculations, this should be made clear. Even better would be the behavior that I believe anyone would expect: just have Forminator treat hidden fields as “0” when using those fields in calculations.

• This reply was modified 1 year, 9 months ago by ostinatofreak.

Updated pastebin: https://pastebin.com/hz4hCCHu
Again this is for https://washoetennis.org/membership/

Info I type when I fill out the form… I’m assuming actual names don’t matter, so will just use ***** for those fields. I’m sure I’d be getting the same error if I use John Doe for all of the names.

First name / Last Name: *****
USTA Member: Yes
Tennis Rating: 4.0
Cell Phone: ****
Home Phone: (nothing)

Additional Family Member(s)? Yes

(family member 1)
First name / Last name: *****
USTA Member: Yes
Tennis Rating: (nothing)
Relationship: Child
Family members 2 and 3 same thing as #1
(Family member 5)
First name / Last name: *****
USTA Member: (nothing)
Tennis Rating: (nothing)
Relationship: Spouse)

Membership: Family ($170)
Optional donation: 0
Credit / Debit card: Discover card
Notes: (nothing)

Submit!

Error: “This value must be greater than or equal to 1.”
Nothing in the form is highlighted, so there is no way to tell what this error message is referring to.

• This reply was modified 1 year, 9 months ago by ostinatofreak.