Rebecca Diamond
Forum Replies Created
Forum: Plugins
In reply to: [Membership Plugin - Restrict Content] Only login user after second try
Have you replicated this across multiple browsers? If it persists on every browser even with ad blocking off, I’d try running a plugin conflict check – disabling all other plugins to see if it persists.
Forum: Plugins
In reply to: [Membership Plugin - Restrict Content] Phone Numbers
There is not a method to add phone numbers at this point in time, although as you mentioned it can be done via custom fields/custom code.
Forum: Plugins
In reply to: [Membership Plugin - Restrict Content] Error when creating membership level
What version of the plugin are you currently running? Does this error still persist?
If you go to Restrict > Tools and look at your System File, are there any tables missing in the database section?
Thank you, Mika – we have been seeking clarity for this for quite some time now, as literally no other credible account of any vulnerability of this nature has come in to date.
Obviously, if there *is* an actual security issue we need to know about it and plug it. At this point in time, without any actionable data, we can’t fix something that isn’t known to exist.
If anything is shared with the plugin team that points to a vulnerability, please share that with us. Our devs will hop right on it if a patch is needed!
Our team will be out of office over the upcoming holiday – please note we’ll be checking in again on Tuesday. In the meantime, please do roll those API keys, and go ahead and contact Cloudflare to assist you with rate limiting.
I wanted to respond and let y’all know that this was fixed a while back – I didn’t realize we still had open threads about it. Make sure you’re updated to the latest version, and the email settings no longer disappear.
In addition, the URL of the site where this is happening will help us look into things further – thank you!
Your first step will be this:
You can also roll your API keys by disconnecting and reconnecting Stripe, as that removes the API key you are currently being targeted with. It’s important to use the 2022 Stripe API, so if yours is outdated you should remove the endpoint and start over with fresh webhooks/endpoint using the updated API.
Once that is done, I’d suggest reaching out to Cloudflare to implement rate limiting as mentioned above – their support should be able to assist you with this (I don’t personally use Cloudflare so I don’t even have a starting point for you beyond suggesting you contact them.)
Are you a registered non-profit? If so, you may be eligible for certain discounts; I know that’s the first thing I check when setting up sites for non-profits, so it would be worth asking Stripe about non-profit pricing if you do have a registered non-profit.
reCAPTCHA is currently a Pro feature with our plugin, but as mentioned, I’ve escalated your request to our product/development team. However, that won’t be considered until after the holidays, which is why I highly suggest rolling your API keys and contacting Cloudflare.
With Stripe as payment gateway, I would think their Radar solution would be the best one for your situation – again, it’s not free, but when running even a non-profit there are expected business costs and that may be your most efficient way of handling this moving forward.
You could certainly give that a try! I see that plugin (like many including lots of those I’ve worked for or with in the past) does offer more reCAPTCHA versions in Pro.
To be honest, no matter what plugin suites you use, if you are in a situation like this:
Stripe is debting my bank account for the thousands of fraudulent charges until they can resolve the payments, because over 120,000 had a charge,
then you are best served by making sure you are maximizing everything every plugin and theme has to offer, even if that means selecting Pro plugins or themes that are different from your usual ones but offer the features you are looking for.
I did a little digging into what our plugin offers vs. what others offer, and it looks like we are all pretty much on the same page when it comes to free/lite features vs. Pro/Paid features.
Personally – speaking as myself, and not as an employee – anything that comes anywhere near my bank account is as secure as I can make it, even if that means that I have a little more upfront costs.
Speaking as an employee of the company behind this plugin, I have escalated your concerns to our development team; as you know from requesting the Stripe Descriptor, they are quite responsive to customer requests.
If you are getting DDOS’d then your best protection is Cloudflare at the moment, using rate limiting and the other mitigation measures.
You can also roll your API keys by disconnecting and reconnecting Stripe, as that removes the API key you are currently being targeted with. It’s important to use the 2022 Stripe API, so if yours is outdated you should remove the endpoint and start over with fresh webhooks/endpoint using the updated API.
While we do our best to be responsive to customer issues and to help users with the plugin as written, we do have two different versions of the plugin and not all features from Pro are available in free – as with every other plugin that offers free and paid versions.
You can certainly look into implementing https://stripe.com/radar on your site – that’s a paid option from Stripe that lets you use your current free plugin/theme versions but adds strict card attack mitigation measures, and that might be an alternate investment route for you to help protect your account and site(s).
Would you please DM me the names of the folks you spoke to on the exploit team? That way our team can reach out to them to discuss this.
Updating this because we have one additional report of this issue – you might want to try this: https://blog.cloudflare.com/turnstile-private-captcha-alternative/
If you are using Restrict Content, you can implement this (a free service) – https://blog.cloudflare.com/turnstile-private-captcha-alternative/
As an additional resource, since you mentioned using Cloudflare:
Using Cloudflare to Mitigate a Carding Attack
Cloudflare offers the so-called ‘under attack’ mode that will invoke additional measures for traffic analysis and present each visitor’s browser with a JavaScript challenge. Using it does harm the overall user experience, but will help you mitigate the carding attack fairly quickly.
Cloudflare also allows you to block web requests based on IP reputation scores, which are collected from Project Honey Pot. Set the Security Level to High from the Security > Settings page of your Cloudflare dashboard to block all requests with a Threat Score higher than 0.
It is important to note that aggressive firewall rules and rate limiting will also almost inevitably lead to blocking legitimate web traffic. That is why these measures should only be used when your online store is under an attack and be disabled shortly after a successful mitigation.
-iThemes-
Hi Lorienz – in order to provide you with the best support for the pro version, please login to my.restrictcontentpro.com and submit a support ticket. That way we can take a better look at what’s happening.
Forum: Plugins
In reply to: [Membership Plugin - Restrict Content] 3.1.7 breaks /account/register
Thanks for the heads-up! Are you still experiencing this?