Scriptrunner (Doug Sparling)

For starters, you need to make sure you have allowed access to the web directory in httpd.conf, something like:

<Directory "/var/www/domain/public_html">
    Options -Indexes FollowSymLinks MultiViews
    AllowOverride All
    Order allow,deny
    Allow from all
</Directory>

If not, you will get the following error (at least with a fairly modern version of Apache):

[Sat Sep 21 08:58:06 2013] [error] [client ::1] client denied by server configuration

Also, since you are trying to call a non-existent “index” file, your results may vary (once you have allowed access to the directory) based on your DirectoryIndex directive.

I’ve found Better WP Security and Bulletproof Security (same as leejosepho uses) to be complimentary security plugins. I use them on every site. I generally add the Sucuri Sitecheck Malware Scanner plugin as well. The plugin is free, but you might want to check out their paid service. Highly recommended and regarded in the community (though I don’t use it, do as I say, not as I do :).

There are other things you’ll want to do, Better WP Security will walk you through some of it. Here are a few things I always do.

1. Keep WordPress, plugins, and theme(s) up-to-date!
2. Make sure admin user doesn’t use ‘admin’ as username.
3. Change userid for admin user (it’s usually 1).
4. Change the database table prefix.
5. Delete unused themes.
6. Delete unused plugins.
7. Delete wp-admin/install.php after install.
8. Update the secret keys in wp-config.php.
9. Move wp-config.php up a directory if I can.
10. Delete the WP readme.

A few other plugins I use:

• Exploit Scanner (manual scan).
• TAC (Theme Authenticity Checker).
• Bad Behavior.
• Block Bad Queries.
• WordPress Firewall 2.
• WordPress File Monitor Plus.
• Ultimate Security Checker (another manual scanner that provides a “score”).

I used to use a separate Login Lockdown-type plugin, but that comes built in with Better WP Security (I’d recommend you limit login attempts, regardless of which plugin you use).

Then, there are more procedural things you can do like enforce strong passwords, whitelist IP addresses for admin login (only allow logins from certain IPs, maybe even only during certain times), require SSH for logins, etc.

A final caveat – I am not a security expert, but I have worked in web development for over 10 years, working on some very high traffic sites. I’ve read and follow who I consider to be WordPress security experts and have picked up a lot along the way.

It sounds like either the theme or a plugin is using its own, older version of jQuery. If it is a plugin, you should be able to disable them until you find the culprit. I know people have used jquery-updater successfully. One caveat – I’m pretty sure jquery-updater uses jQuery 2, so that may cause issues for some browsers (as I recall, jQuery 2 does not support IE 6, 7, & 8).

Edit: jquery-updater does install jQuery 2 + jquery-migrate. It does have a provision in the plugin file to use jQuery 1.10.2 instead. However, current WP should come with 1.10.2 already.

You might want to check that the register link:

/wp-login.php?action=register

actually doesn’t work (since you’re just hiding the link). It won’t be hard for bots to find the hidden link (they probably already know this one).

I’ve used S2 Member before, but I truthfully don’t recall how it works in that regard. Seems like there was an “Allow Open Registration” option in the S2 Member admin section.

Image Store works on the latest WordPress, you might want to try a few things to see if you can get your gallery working.

A couple things to check – make sure your plugin is activated and that permalinks are set to the way they were before, though I don’t believe either would cause a 404. Can you go to the gallery you created in the admin, and the click the “View Gallery” button near the top?

The plugin creates links for “Cart,” “Image Store” and “Secure Images.” Do those links work? I get to my gallery via the “Image Store” link. If you can, is it the link on that page that takes you to your gallery that gives you a 404.

There are ways to downgrade (either a fresh install of an older version or manually downgrading), but I wouldn’t recommend it in this case. I’d give it a go on getting the plugin to work first!

I’ve found WP Super Cache to be the culprit. In my case I had a misconfigured WP Super Cache plugin appending an html comment to the end of the JSON data, causing the JSON to be invalid, hence breaking the Ajax and never stopping the spinner.

I created a new thread on the WP Super Cache plugin forum:

wpcache_broken_message on xhr (Ajax) causing issue with Contact Form 7

As a final note to the OP (as this may not be the solution for your situation), make sure all your plugins and theme(s) are using the WP provided jQuery. Deactivate all the plugins other than Contact Form 7 and try a default theme like 2012 or 2013 and see if that fixes your problem. If so, there is more than likely a plugin/theme jQuery conflict.

Update: It appears to me that it’s not specifically due to the extra content after the closing html tag, but something to do with WP Super Cache using the PHP fucntion register_shutdown_function() to call wpcache_broken_message() in advanced-cache.php. (which in the end, does add extra content after the closing html tag)

This is definitely an edge case and may or may not be the cause of your problem. All I can say is that it was in my case.

If this doesn’t remedy your situation, I can recommend you try one of a few things.

1) See what the error message is (if the spinner won’t go away, then the response had an error).

In wp-content/plugins/contact-form-7/includes/js/scripts.js, try changing:

error: function(xhr, status, error, $form) {
    var e = $('<div class="ajax-error"></div>').text(error.m    essage);
    $form.after(e);

}

to

error: function(xhr, status, error, $form) {
    alert(error.message);
    var e = $('<div class="ajax-error"></div>').text(error.m    essage);
    $form.after(e);

}

If you get an error like: “JSON.parse: unexpected non-whitespace character after JSON data”

then use Firebug (or similar) to take a peek at the response from the Ajax call.

In my case, I saw:

{“mailSent”:true,”into”:”#wpcf7-f1994-p1944-o1″,”captcha”:null,”message”:”Your message was sent successfully. Thanks.”}<!– WP Super Cache is installed but broken. The path to wp-cache-phase1.php in wp-content/advanced-cache.php must be fixed! –>

which made it obvious that there was extra characters after the JSON.

I have found the root cause of the problem (in my case). I simply eliminate the cause of the problem instead of fixing the plugin, as I’m hoping that the plugin author is reading he can update the plugin to deal with what caused the issue.

View source on your page and make sure there is absolutely nothing after the closing html tag.

This is what was causing my problem (the very end of my html output):

</html><!-- WP Super Cache is installed but broken. The path to wp-cache-phase1.php in wp-content/advanced-cache.php must be fixed! -->

Apparently this the commented after the closing html tag is being appended to the JSON response, causing an error, which in turn causes the spinner to never quit spinning (actually, the element css style for visibility is never updated to “hidden”). In my case, we had moved to another server, and the contents of wp-content/advanced-cache.php (from WP Super Cache) was causing this extra output. I simply uninstalled WP Super Cache, which eliminated the extraneous output to my page.

So check if there’s any extra output after your closing html tag. You can also use Firebug to see the XHR response.

And this

define ('WPCF7_LOAD_JS', false);

is in your wp-config.php?

If so, you might check as wp-config.php can be located in one of two places. Top level of your WordPress install and one directory above that.

I put it right above the “happy blogging line”

.
.
.
/**
* Contact Form 7 JavaScript causing issues with jQuery and form submission
*/
define ('WPCF7_LOAD_JS', false);

/* That's all, stop editing! Happy blogging. */
.
.
.

You shouldn’t see this in the view source of your page once you’ve made the change and refreshed the page:

<script type='text/javascript'>
/* <![CDATA[ */
var _wpcf7 = {"loaderUrl":"http:\/\/example.com\/wp-content\/plugins\/contact-form-7\/images\/ajax-loader.gif","sending":"Sending ...","cached":"1"};
/* ]]> */
</script>
<script type='text/javascript' src='https://example.com/wp-content/plugins/contact-form-7/includes/js/scripts.js?ver=3.5.2'></script>

Did you do a hard refresh on the page before resending? If you’ve already loaded the page, you’ll need to refresh it first since this statement will remove some javascript from your rendered page.

I see this div tag wrapped around your error message:

<div class="wpcf7-response-output wpcf7-display-none wpcf7-mail-sent-ng" style="display: block;">
    Failed to send your message. Please try later or contact the administrator by another method.
</div>

This generally means wp_mail() has failed when attempting to send the email. Have you tried setting WP_DEBUG to TRUE in wp-config.php? That should give you additional information.

I’m dealing with the same issue at the moment myself. It’s likely a jQuery conflict with another plugin/theme. However, even though I’ve reverted to a default theme (I’ve tried 2012 and 2013) and deactivated all other plugins, I’m still having the same issue. My current work around is to eliminate the spinner (for now) by adding this to wp-config.php:

define ('WPCF7_LOAD_JS', false);

I’m devoting the weekend to solving this issue, as I’ve yet to find a definitive answer.

Awesome, thank you for the update. And thanks for using my plugin!

Also, did you do an update or delete the old version first? Deleting the plugin will remove the settings from the database. An upgrade will not. The main thing is to check the plugin settings page and see if the blacklist boxes you checked still are and the redirect is set.