BPS RBM blocks woocommerce serial key plugin from validating serial key

See the “POST Attack Protection Bonus Custom Code and WooCommerce store used on a website home page” help section in this forum topic: https://forum.ait-pro.com/forums/topic/woocommerce-read-me-first/ for how to add additional whitelist rules for WooCommerce (and other WooCommerce plugins) to the BPS POST Attack Protection Bonus Custom Code.

• This reply was modified 7 years, 7 months ago by AITpro.

Oops this is a GET Request and not a POST Request. The top section of this forum topic: https://forum.ait-pro.com/forums/topic/woocommerce-read-me-first/ has whitelist rules that should whitelist the wc-api Query String, but you may need to add an additional Query String whitelist rule for the WooCommerce Serial Key plugin. See example below.

Example:

# WooCommerce shop, cart, checkout & wishlist URI skip/bypass rule
RewriteCond %{REQUEST_URI} ^.*/(shop|cart|checkout|wishlist).* [NC]
RewriteRule . - [S=14]

# WooCommerce order & wc-ajax=get_refreshed_fragments Query String skip/bypass rule
RewriteCond %{QUERY_STRING} .*(order|wc-ajax=get_refreshed_fragments|wc-api=validate_serial_key).* [NC]
RewriteRule . - [S=13]

• This reply was modified 7 years, 7 months ago by AITpro.
• This reply was modified 7 years, 7 months ago by AITpro.

Hi AITpro,

Thank you very much for your swift reply.

I had already added the Woocommerce whitelist rules. Top one is the same, bottom one I replaced with your version. Unfortunately the problem persists.

To be clear; I now have nothing in the CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE, only in the # PLUGINS/THEMES AND VARIOUS EXPLOIT FILTER SKIP RULES.

Any suggestions? Do you need more info?

Did you do all of the Custom Code steps? Edit/change the custom code, Save it and then Activate Root Folder BulletProof Mode again.

• This reply was modified 7 years, 7 months ago by AITpro.
• This reply was modified 7 years, 7 months ago by AITpro.

Yes, I did (3 times)

Are you using any additional BPS Bonus Custom Code?

Hmm maybe the Query String is being seen as an RFI hacking attempt. I will test the Query String and see if that is what is being blocked: /?wc-api=validate_serial_key&serial=XXXXX&sku=XXXX&uuid=https://www.hacker-website.com/

No other custom code. Do you need the whole string without X’s?

I already tested the Query String and created a working solution and yep the Query String simulates an RFI hacking attempt against your website. I will create a forum topic for the WooCommerce Serial Key plugin on our forum site and post the link here with the working solution.

here is the solution: https://forum.ait-pro.com/forums/topic/woocommerce-serial-key-wc-api-403-error/

WOW!

This totally fixed it. Hope this helps others too.

Thank you for your EXCELLENT support!

Paul

Great! Thanks for confirming that worked.

We are adding a new Setup Wizard AutoFix feature to our BPS Setup Wizard that will automatically create whitelist rules for known issues with other plugins. The WooCommerce Serial Key plugin is a premium plugin so we cannot find the path for this plugin’s initialization file. Please go to the BPS System Info page > click the Get Plugins List button > copy the info that you see in the Plugins List for the WooCommerce Serial Key plugin and paste that info in your Reply. Example: WooCommerce Serial Key version # – Activated: example-path-to-plugin-initialization-file/example-file.php

Thank you

• This reply was modified 7 years, 6 months ago by AITpro.

Hi,

here is the requested path:

WooCommerce Serial Key 1.7.9 – Activated: woocommerce-serial-key/serial-key.php

Hope this helps.
Paul

Awesome! Very much appreciated paul. ??