2bearstudio

@gappiah OMG! You are THE GENIUS. I know I could get help from here. Almost ready to duplicate the 10GB site for a test, to disable plugin one by one.

THANK YOU!!

@smashballoonlouis

`## SITE/SERVER INFO: ##
Plugin Version: Instagram Feed Free
Site URL: https://therootcellar.ca
Home URL: https://therootcellar.ca
WordPress Version: 6.1.1
PHP Version: 8.0.25
Web Server Info: Apache
PHP allow_url_fopen: Yes
PHP cURL: Yes
JSON: Yes
SSL Stream: Yes

## ACTIVE PLUGINS: ##
Advanced Custom Fields PRO: 6.0.5
Gravity Forms: 2.6.8
Gravity Forms Zero Spam: 1.2.3
ManageWP – Worker: 4.9.15
MC4WP: Mailchimp for WordPress: 4.8.11
Slider Revolution: 6.6.5
Smash Balloon Instagram Feed: 6.1
Uncode Core: 2.7.5
Uncode Privacy: 2.2.2
Uncode Wireframes: 1.5.0
Uncode WPBakery Page Builder: 6.9.0
WPBakery Page Builder Clipboard: 5.0.2
WPCode Lite: 2.0.4.4
Yoast Duplicate Post: 4.5

Next check: 1:00 pm (every 12 hours)
GDPR: auto
Custom CSS: Empty
Custom JS: Empty
Optimize Images: Enabled
Usage Tracking: Disabled
AJAX theme loading fix: Enabled
AJAX Initial: Disabled
Enqueue in Head: Disabled
Enqueue in Shortcode: Disabled
Enable JS Image: Enabled
Admin Error Notice: Enabled
Feed Issue Email Reports: Enabled
Email notification: Monday
Email notification addresses: [email protected]

## FEEDS: ##
@rootcellar Feed – User
rootcellar (17841400210184847)
gyjjAy44dNrzCBxbocguuVBMazlmeWQxWFZ0b3VGbnZjaVpreHBvYlVobGRJMFN4TElOL3ZSek1sNzk1NktqaFVqd0VLKzZnbkVHRncrdGtxR3ZYOEpXS3VjUmhLOS9EcDhlclJ3PT0=

@thechopshopmeatmarket Feed – User
thechopshopmeatmarket (17841404903599478)
qAES2vk4LfdyJtXH/p9IaEZvK3JuVTVYMzNtUEVnYjJKUVluODJJK0c2WnZzQnVnT1lBbmpxcUZEZHJRZWpaTDcwbW8zTHQzdGJkVmZCTU92U0RoQWluTFFyVmM2RlVNUXBRM3lnPT0=
https://therootcellar.ca/?uncodeblock=0-footer-root-cellar-chopshop?sb_debug

@thepottingshedinsta Feed – User

@therccoffeeproject Feed – User
therccoffeeproject (17841407214944927)
yFw7q/j+DNC005JB+FCzdGJwU3poeXpLNDltOVBpRHNFbVd3bWo3YkFWaDdDM0JWQkJ1YXhJTEI4a2JBUnRBclpRQU9rQklPS3NWY2hkSitYM0dJbEJJYjhRbU5yOHpUcUJQa1JBPT0=

## Sources: ##
17841400210184847
Type: basic
Username: rootcellar
Error:
ZQuU1lGivtoUKuLVOMcC+k83V0JHZHdJUFBlTHpNSmNMS1RTSThGQWtFeGN1aEF6WlhpQ2x0RHRIbWRBWWxSWDVRb3pHbjhncHZOTVJJTjZTNHVnYkk5dVM5L2w4OUFndXRBazZtVGM3YjUwUUloNTlkZW1aTnA5eTA2MkNxRWNRZENyWHdqSWpGUWN1V3VaR014Q0g0R2h4S0hGQ1RPc1B3OE9QQUdBZ1Y4dWx4Vkt4S2wwUVJSQ0xCWDNnd0xtUnRmOUtTU3Z6NUZTblAzS3dCYkZKNnc0N3B0RnUySmpsQUdyYndyeUN3azR6d2dVZzB4Rmh0RXhyVFg2MjUwSnNlbytBbnk1aWY2ek10NE5JejFReGpLKzhEdjNWTWFjb0pqbWpYOVlYRWJSVXRhSzExcVBvRGxaN3h3PQ==

17841407214944927
Type: basic
Username: therccoffeeproject
Error:
8xa24GBy9hP1GDNuoN1QoDFVUWtxeFZiV1d3alVNUTZXNmNvb0U5dGg5MXVxWVFTclRpRElhQTZHeVplOTFUYjhyb1ZXZXQ1dTYyQU16WVU0ekxYQzU0VjZQU1VYUlIwY3lIL3J2SkRmeWFGS1EwcmJrUnVzU2lMK0E2V3YyWXlleFZSaW9kVGVnS05ZNmE2a05RcnRSdXdtdHdkdDZpWG1lSDRKYTZGeGFNRlhjYWtJVnpaeE5QWXJaVENsZGFBbDhJbHlYaTRVdDN6R0hJaC9sNS9PYkljMHhQbW1sVFZNdzRWbUpmcXRWc1plUDllRnozWmVJdTZCV1VZUGdMaWZiQTFjNGFsOWlhRjd5Y3hrN3Z6amNIQ01WNnVlT3FWVzJIY1oyeTgyd21PYXllQXNLQnhlbDNa

17841404903599478
Type: basic
Username: thechopshopmeatmarket
Error:
ozxlNVGrSxSV142aREVqUEdwVW10blZsbXBiZVhFaGZ3L0JaOG9UMkIwdXdERGxTd3FQZ0RlSlpnZWZrNllVRXM4M0lXS1RIRzFXZDYwQlNCc0dmcUc2dURUSFJNZVhFdDZNZm8yZkd2c3pQUW9RUjNnVCs4YmxteHdoc2YwcnBBM0k4TXhRbWxwWXp5djg4R214LzNyM0ZXSkNRQmdYNVJmZjRtSjFqMC9salpRVzJMMExNbk8vUDZsUm9wbVdkcXVzU1pnRk01ZEpGWnRCdUFmb0Qxd0hkaEJ3Y3N6OW5USEhsVHNvWlZWb09tR3F3dEdtUVJtNnFCaHhMNEM2WmdLOHd5US9uam1NT3U2K0g5RkR6MVpVQ1ZET1Ixb1FKTEF1WjRpRnNBYzF4T2ttQkhscWpWeDNXR2c9PQ==

## IMAGE RESIZING: ##
upload directory exists

## POSTS: ##
## FEEDS POSTS TABLE ##
record_id: 481
id: 315
instagram_id: 18085415134310858
feed_id: *3
hashtag:

## POSTS TABLE ##
id: 315
created_on: 2022-12-04 21:02:35
instagram_id: 18085415134310858
time_stamp: 2022-12-04 17:10:26
top_time_stamp: 2022-12-04 17:10:26
json_data: hlzNNj5e6rfls/nqrvtNhlNyNk1WRzdBNHJsVDFOb2RmWEtPVkh2b3RibkFtYWU3djhGNlJJUmQ1Ymh0YU95TmxpMDhsc3F2SlN6M0lhR2lIS0V4b25xM3ZjaStQcmFPRStQUjg1VGZHRVZOM1NVZFg0eG5HeU5ocWR6cEVxN2lUcy9sTUlQdVNWWGlSV2xuQTdWWjFtdGhiMmZER1hJSlRLWFFNdGx6WHEvUkhVWEFSZHhMamZISndvMEhUSUtXTTlLdTA1MGNVWnVTcFltMENrL1FBNTZFY2FPeGxKSk5aQlhqTVlSZmJEczlDUzFrclNsb1doM0RkMVNncFZCd25RTFlqZzZpUlhhcngyQ3hYTm0xcGNvTkVIbGppQkJjY1diYWNVcUM0QXpZQ0tGQ2NVNkF3UFR1QkhodVVDUzI3VGNaM1N4VEhEZlRhMTJRN0ZNMXJkR2ZiOEJaRW1tdlNzbi9mRGx2NDhMcGhkdlFUQTVZYU1oRm1zTmFrd09OeFloUGZJUDdNdGZTSzNSc3Iya3laUERiWktOV2xyVTV2anoxZjVtZW5qNGFBUFlTUWU2RTZTSFpTenZxMnZFemNrY0tNd25DVklSYUpiTlVQN1MwTkpPc2ZzTVNFanFRNGxJK2NFQks3Y3pJbTlMdUcrRUY2TWJybmEzQUVvdk1VMExBaFd2b09NeWRKb2VKZ3k4NVNVb0ZEdmtHeFdOZ1d0Uk03Q1JHRzlpODN6UnlaM0hYcFFqaVg5WTBaUzQ2SWtwVUZvRE5kNG1pR21vVE15QUtOTEVjWkQvS3F2Tm1wSEcrOUxuZ2JCWGFpblIwZVlsdjRQUVpxb0FMd2VHU2l5U1lXWU1QUDdvdzNvczNxelM5NXR1bUhYcTU3MmZxeW5oUU1nRTFMNWdxKzN4bjQxUy9qbUdVUU15aXlkVVA1YVM4eldBYVRTWWRyU29CSTc0TTVSVkpxb0JtOEpncmpQODM3UzNWVlpxSVlRMURXTi9aYTcxVjFtMTY3SVczODA1MEw2M1o5UUVXVG5UK1hrbVUxOHFSVWpiTnRja1JWMzNMQUFZKzJ1NXpHQUowTFlLUUVJM1krMCs2VHlXNVRiMEd3ZVdMNjdaZThiYndSVEtWRXVHZFRRbFV0TmZ2enVVMzdYeG8yNlAvNGgrOEIrRkZlcXhTYVFnd1hBZy9VVDdCMU9KeHVPeW9UeThkS2dwK1l1SVdGM2lVSkZsMkphYUgxemJGQmcvdGlNaEZ4SU1hSnlGSXY4U01oU3dZUVZxZTNNMGdJaUFRNmQ2WjFiRW8yVUdvWm91U0ZveEQyVWRncUtlNWFoOUR0YmVNaldMay9CMHdXV3l2alYrSlVpdWVxcmtsRU5CR2o3RWRBaGtSMDZxOG9MMVJTMWtpbUwyYkNvY2NTUjJ6VStIR1BSNWZJVFE5eVlQcTVsMFVnZzFYbmcxT3ZFUjMvc01JYk9GNWxEU1hOYm1iRjh0WHovbllpa0V2RGVTZ2dzcWpWMEFBUHRIQ0I1c29HT0FiWmI5eGQza2psczQxMVhqUHdUS01FY3FHL28rb2ZyYk4vNXdXM2pUM21pMlY=
media_id: 318345156_1168598484086277_3726000718359083026_n
sizes: a:3:{s:4:”full”;i:640;s:3:”low”;i:320;s:5:”thumb”;i:150;}
aspect_ratio: 1.00
images_done: 1
last_requested: 2022-12-05

## Cron Cache Report: ##
Time Ran: 2022-12-05 09:01:52
Found Feeds: 3

4:
Did Update: no – no post cache found

1:
Last Retrieve: 2022-12-05 09:01:07
Did Update: yes

3:
Last Retrieve: 2022-12-05 09:01:07
Did Update: yes

sbi_feed_update
2022-12-05 21:00:00
Next Scheduled: 401 minutes

sb_instagram_cron_job
sb_instagram_twicedaily
2022-12-06 00:17:35
Next Scheduled: 599 minutes

sbi_usage_tracking_cron
2022-12-07 23:24:52
Next Scheduled: 3426 minutes

sbi_notification_update
sb_instagram_feed_issue_email
2022-12-11 23:00:00
Next Scheduled: 9161 minutes

## ERRORS: ##

## ACTION LOG ##
07-21 09:02:32 – Cleared connection error.
07-21 17:54:33 – Cleared connection error.
10-11 03:34:45 – Cleared connection error.
10-11 03:40:10 – Saved settings on the configure tab.
10-11 03:40:29 – Saved settings on the configure tab.
10-14 02:53:06 – Saved settings on the configure tab.
12-02 04:02:54 – Cleared connection error.
12-02 04:14:40 – Saved settings on the configure tab.
12-02 17:31:57 – Saved settings on the configure tab.
12-02 17:33:29 – Saved settings on the configure tab.

## OEMBED: ##

{"customizer":false,"type":"user","order":"recent","id":["17841404903599478"],"hashtag":[],"tagged":[],"width":"100","widthunit":"%","widthresp":"","height":"","heightunit":"px","sortby":"none","disablelightbox":true,"captionlinks":false,"offset":"0","num":"9","apinum":"0","nummobile":"9","cols":"9","colstablet":"3","colsmobile":"3","disablemobile":"","imagepadding":"3","imagepaddingunit":"px","layout":"grid","lightboxcomments":true,"numcomments":20,"hovereffect":"","hovercolor":"","hovertextcolor":"","hoverdisplay":"username,date,instagram","background":"","imageres":"auto","media":"","videotypes":"regular,igtv,reels","showcaption":true,"captionlength":"","captioncolor":"","captionsize":"","showlikes":true,"likescolor":"","likessize":"13","hidephotos":"","showbutton":"","buttoncolor":"","buttonhovercolor":"","buttontextcolor":"","buttontext":"Load More...","showfollow":"","followcolor":"","followhovercolor":"#359dff","followtextcolor":"","followtext":"Follow on Instagram","showheader":"","headertextsize":"","headercolor":"","headerstyle":"standard","showfollowers":false,"showbio":false,"custombio":"","customavatar":"","headerprimarycolor":"#517fa4","headersecondarycolor":"#eeeeee","headersize":"small","stories":true,"storiestime":"","headeroutside":false,"class":"","ajaxtheme":"","excludewords":"","includewords":"","maxrequests":"5","carouselrows":"1","carouselloop":"rewind","carouselarrows":false,"carouselpag":true,"carouselautoplay":false,"carouseltime":"5000","highlighttype":"pattern","highlightoffset":"0","highlightpattern":"","highlighthashtag":"","highlightids":"","whitelist":"","autoscroll":false,"autoscrolldistance":"","permanent":false,"accesstoken":"","user":"rootcellar","feedid":false,"resizeprocess":"background","mediavine":"","customtemplates":false,"moderationmode":false,"colorpalette":"inherit","custombgcolor1":"","customtextcolor1":"","customtextcolor2":"","customlinkcolor1":"","custombuttoncolor1":"","custombuttoncolor2":"","photosposts":true,"videosposts":true,"igtvposts":true,"reelsposts":true,"shoppablefeed":false,"shoppablelist":"","moderationlist":"{\"list_type_selected\":\"allow\"}","customBlockModerationlist":"","enablemoderationmode":false,"fakecolorpicker":"","cachetime":"1","gdpr":"auto","altresize":true,"minnum":"8","disable_resize":false,"favor_local":true,"backup_cache_enabled":true,"disable_js_image_loading":false,"ajax_post_load":false,"sbi_cache_cron_interval":"43200","sb_instagram_cache_time":"1","sb_instagram_cache_time_unit":"hours","feed_name":"@thechopshopmeatmarket Feed","sources":{"17841404903599478":{"record_id":"22","user_id":"17841404903599478","type":"basic","privilege":"","access_token":"IGQVJVNG1VVTFRV634hgdf83hjdj2ThEaU9KeEtlTm52VVZATM0h5SWlhNVEtUVF1OEFsa3BSVzFGdFRNZAjdRelQxeTF3ZAzhzTFZAaa3U4OUhuREJtRjB4ZA3dTWVk4R0ViaFBaTGpMZAjAwRW5UZAnNncmdR","username":"thechopshopmeatmarket","name":"thechopshopmeatmarket","info":"{\"id\":\"17841404903599478\",\"username\":\"thechopshopmeatmarket\",\"media_count\":714,\"account_type\":\"BUSINESS\",\"local_avatar\":false,\"name\":\"{}\",\"page_access_token\":\"\"}","error":"","expires":"2023-01-31 04:00:18","profile_picture":"","local_avatar_url":false}}}

@grimesweb Thank you for adding your case to the thread. I know adding different question to a thread is not encouraged in this forum. But I like to add a quick reply.

I believe the attack happened to you is the similar one like the attack I experienced. Seems hacker upgraded their technique by changing IP. That’s a huge challenge, especially when we have to deal with it manually.

In my case, I added CDN to the site to provide another layer of protection. It didn’t happen to me afterwards. But I can’t say for sure that’s a solid solution.

@wudman In my case, all order has exactly same address. The only difference is name. I’ll have a good night sleep. The attacked stopped today.

Thank you for all the comment and help.

@wudman Wow! What a story. Thank you SO MUCH for the comment and helpful tips.

The site indeed has Wordfence Security. I am able to use it to block and track how many continued attack.

On the 2nd day, when attack started, I blocked few IPs and then put the site on maintenance because the site isn’t busy online store. It stopped the attack immediately. So if anyone who unfortunately run into similar attack, “Maintenance” mode can buy you some time.

I absolutely believe this could be a security problem of WooCommerce. 20 – 30 orders in every minute, even bypass the reCAPTCHA solution.

By checking the access log, I noticed that the bot access the product page directly, then checkout page. Guess it somehow triggered the add to cart button and then check out. This steps were repeated over and over. To my surprise, Wordfence couldn’t catch this.

The site was attacked by a similar spam before, the attack is documented here. I cleaned up the spam orders but interestingly, noticed that during this attack, hacker created 2 account with user name “bbbbb.bbbbb” & “bbbbb.bbbbb-8431”. These two accounts are left active with latest login date “August 17, 2022”. During the maintenance mode, I disabled these 2 accounts.

Along with few other security hardening, the attacked stopped today. Figures crossed, hope one of my solution worked. But I am still on high alert.

• This reply was modified 2 years, 2 months ago by 2bearstudio.
• This reply was modified 2 years, 2 months ago by 2bearstudio.

@margaretwporg I understand and thank you for the reply.

I have a feeling that, the attacker is utilizing some sort of bug of WooCommerce. Because it summit failed order every 2 – 3 seconds. Yet, there were 3 successful orders placed among the 4000+ attacks.

I have no proof but that’s my feeling. The attack happened on Sep 13, then on Sep 14. I upgraded WooCommerce from 6.8 to 6.9 on Sep 13, but apparently, it didn’t help either.

@margaretwporg Thank you for the reply.

Yes, I installed reCAPTCHA on checkout page, it didn’t help. The plugin I installed on the site is: reCAPTCHA for WooCommerce from EnvatoMarketplace.

I understand “Disable anonymous checkout” could help, but this is not the store policy. WooCommerce should have the ability to allow anonymous checkout. Even “Disable anonymous checkout” can stop spam for now, it is not a long term solution. Isn’t it?

Thank you @rainfallnixfig.

I checked WooCommerce log and found nothing related to this issue. As for staging site advice, I have implemented but found no clue at this moment. Will keep on monitoring.

I also updated WooCommerce from 5.5 to 5.6, hope this could help.

Thank you @rainfallnixfig.

I understand how to test plugin conflict on a staging site. However, I am not quite sure how to troubleshoot this issue. Would you mind elaborating the advice a bit more? There is no visual change or error to trace. How to even trigger such unexpected result?

Thank you for the reply, @haithh93.

Can’t edit first post and can’t find Contact page. Would you please leave a link to the Contact Page?

Is there a way I can contact you privately? This is a private site, customer requires to have account to login before they can see any proudcts.

@catdec Happy New Year! Thank you so much for this recommendation. Sorry I missed it. Will try it now.

I am still getting this kind of orders, not that many but still coming in. But I don’t have spam user registration from this source any more.

Thank you @riaanknoetze

I believe I found the solution.

I now use “woocommerce_calculated_total” directly to update the final cart total. And use “woocommerce_review_order_before_order_total” to display the balance applied to the payment.

Now, my question becomes, what hook to use to record this to the order (database) and display in order notification email.

Thank you so much @fernashes, for the information.

The questioned website has been updated to WooCom 4.6.2 yesterday. Hope it is the cure for this issue.

Appreciate all the help I get from @fernashes @slash1andy @slash1andy.

Best,