Forum Replies Created
July 19, 2013 at 10:26 pm in reply to: Getting message 3514 from Paypal after attempting to purchase product #56452
StarCircleAcademy, Member
I have seen another case, similar to this where the transaction doesn’t complete: when PayPal (or the purchaser) attempts to use eCheck to fund the transaction.
There is a significant amount of verbiage about this, some parties claiming evil PayPal uses the eCheck funding mechanism as a ruse to keep more of the fees it charges, and PayPal has argued that it’s a backup mechanism.
Regardless, funding fails pending clearance of the eCheck, which can take up to 7 days in the US. I let one of my purchasers know that his eCheck would take time to process and he said he didn’t use eCheck – his account was funded through a credit card and a bank account. The funds finally cleared and I *think* WP eStore would have handled it properly except that I had a bug that resulted in the original transaction not appearing in the customer table.
June 26, 2013 at 10:39 pm in reply to: eStore and Affiliate Platform – URLs always with ?PHPSESSID= #56324
StarCircleAcademy, Member
Do you have cookies enabled on your browser? Is the PHP Session working correctly on your server? If it isn’t then your server may not be handling the SESSION requests correctly.
PHPSESSID is how (some) servers keep track of who you are when cookies are *disabled*. By disabling cookies you force the server to use “rewriting” to keep track of who you are. I don’t have the member or affiliate plugin, but I haven’t noticed this problem with eStore – probably because my cookies are always enabled.
StarCircleAcademy, Member
Jamie, depending on how you use Mailchimp, you might find it advantageous to use groups within a single list rather than multiple lists. The latest version of eStore supports this. See here for more:
StarCircleAcademy, Member
The new cookie feature is great! Thank you for rolling it out.
StarCircleAcademy, Member
“Redirect to the void zone if a *special* cookie is not set.”
That’s good to hear!
Pamela,
Peter and others have given you some good tips but let me expand a little bit.
1. An IP address may represent not one person or machine, but hundreds (or thousands).
>> Because this is true, by blocking any one IP address you may in fact be blocking whole companies, households or neighborhoods.
2. Because of things like “proxy servers” it’s possible for the same person to pull from your server from multiple addresses even though they are doing it from one machine.
>> Even if you block “BadGuy” from 123.45.67.89 it doesn’t stop him (gotta be a him, right!) from attacking you from 98.76.54.32 by using a proxy server.
3. There are HUGE armies of zombie botnet servers. These are machines that have been compromised in some way so that they do what they are told to do – like sending email spam or posting comment spam, or attempting to break into websites. Many of them were compromised when people foolishly installed “freeware” or clicked seemingly innocent sounding links. In fact, I’m pretty sure some “wordpress” plugins are in fact vectors for bad behavior.
>> In short, this means you should assume bad guys are everywhere. Worst case they destroy your machine by stealing data, bandwidth, or services. And worst-worst case they turn your machine into a vector for attacking others.
I say these things not to scare you (though there is reason for worry), but to let you know that vigilance is a good thing. And secondly the “All in One” security tool is a great tool to help – but don’t get a false sense that you can blindly install plugins or software on either your server or your personal machine(s).
June 22, 2013 at 2:58 am in reply to: Stylish Squeeze form not sending emails – regular Squeeze form does. #56265
StarCircleAcademy, Member
Sorry, you’re correct. It’s the Ajax forms that fire all at once. I had these:
Ajax 28
[wp_eStore_free_download_ajax:product_id:28:end]
Ajax 1
[wp_eStore_free_download_ajax:product_id:1:end]
I filled out the first one, and both fields updated:
(screenshot: http://farm8.staticflickr.com/7294/9105656022_9470741713_o.png)
I only received the content for the first one, though, as expected.
StarCircleAcademy, Member
I don’t have eMember, so this may not work, however, I have been using the eStore “Manage Customer” page selecting for a specific product. That gives me a table of all purchasers of that product and includes their email address, first and last name, transaction number, price paid, etc. I can then cut and paste this data into Mailchimp using Mailchimp’s “Import” feature. By checking the “Update” box upon import you can import additional fields.
If you’ve already created a “username” field in Mailchimp then any eMember page that shows a list including both the user email address AND the username can be used to import (set) the username. It’s manual, but it’s pretty easy to do. And it doesn’t matter if there is extra stuff on the page, you can tell Mailchimp to ignore the extraneous stuff.
June 21, 2013 at 8:59 pm in reply to: eStore – Product bundle not downloading (with download now button) #56222
StarCircleAcademy, Member
I have also noticed that using a Squeeze form for download doesn’t deliver the same content as using a “Buy” through the cart. What is not included in the emailed link from a squeeze form is the “Product Specific Instructions”. My PSIs explain how to unpack a zip file, and contain a link to usage and installation instructions.
Is there a way to get those “Product Specific Instructions” included in the email generated for free stuff, too?
June 21, 2013 at 8:29 pm in reply to: Squeeze Page & MailChimp to a group or list? Add Customer to a MailChimp Group #21108
StarCircleAcademy, Member
I don’t think this is documented anywhere… so I’m adding it here. I have eStore 6.9.8.2.
You CAN use the eStore with Mailchimp to add users to specific GROUPS of a mailchimp list.
What you put in the AutoResponder List name is:
“List Name|GROUP Name|Group Member”
So if you have a list named “StarCircleAcademy” with a group called “Purchased Products” and a group element called “Advanced Stacker” it would look like this:
StarCircleAcademy|Purchased Products|Advanced Stacker
Super great feature, thanks!
June 21, 2013 at 8:12 pm in reply to: Stylish Squeeze form not sending emails – regular Squeeze form does. #56263
StarCircleAcademy, Member
Interesting. I noticed another side effect, too. I put a half dozen stylish squeeze forms (the Ajax ones) on a page and one fill out in one form caused all the others to spin as if they were processing. I reverted to using the non-stylish form even though I prefer the Ajax form because no redirect / reload happens.
StarCircleAcademy, Member
“Two factor authentication can already be accomplished, using Google Authenticator.”
Thanks for that tip, but using that plugin against brute force attackers means consuming hosting resources to serve the WordPress login page. I am currently seeing about 4,000 daily requests against my wp-login.php page. Any server overhead processing logins from an attacker eats my server resources at my expense. I am still looking for a good solution that will divert the traffic with very low overhead (CPU or bandwidth).
Keeping track of IPs, number of login attempts, etc. sounds like a good thing, but really it’s wasting resources. Case in point, I have the Redirection plugin installed and one side effect of that activity is that the default “missing page” logging consumed about 12 MB in my database in a few afternoons due to attackers.
I have seen people who have moved wp-login.php to somewhere else, e.g. opensesame.php, but I understand that tactic has issues. Once wp-login has been moved the new “wp-login.php” page could serve up a nice tasty empty document, or get redirected to the NSA. Or better to 127.0.0.1 so that the attacker requests the resource from themselves!
I’m entirely certain that my userids and passwords are secure from attack – I use LastPass [http://lastpass.com] to generate (and store) both the userid and the password. No attacker will manage to guess a userid of “w56mFry2U#5q” with a password of “zc9%nUFupv!e” **
I just don’t want my server wasting any time providing a login form or processing a response from a source that clearly is not me!
As for tracking where the attacks are coming from – that data is in the server logs. I already know that the attacks are distributed across thousands of servers – most of which are in China.
http://blog.starcircleacademy.com/2013/05/chinese-robot-attack/
**Of course those are not my actual userids and passwords, but my actual UID and password were generated with the same randomness.
June 15, 2013 at 7:48 pm in reply to: eStore – How to Use a Text Link or URL to Accommodate the Purchase of a Product #45574
StarCircleAcademy, Member
Is it possible to include a discount coupon code with the text link and have that applied to the cart? I saw this:
But it’s not what I need. I need to be able to mail out a coupon to folks to offer them a “buy now” at X% off button and not have to diddle with a code. I suppose one solution to this would be to create a duplicate product with a new product code but I’d have to remember to clean it up to prevent massive unexpected usage.
In my ideal world, I could use MailChimp to create coupons that are unique to the given customer, but I know that’s asking quite a bit.
StarCircleAcademy, Member
If I might offer a suggestion: Rather than monitoring logins, which consumes considerable resources, prevent all access to wp-admin based on the absence or presence of a cookie.
The cookie can be created and sent to the browser from any page (perhaps via an embeddable shortcode?), but obviously it would be safest to serve the cookie from a secure page. Anyone invoking wp-login or wp-admin who doesn’t have the cookie can (and should) be redirected away to a very small page that requires no resources to serve (e.g. a simple .html). Or you can do what I like to do and redirect them to “http://127.0.0.1/goawayjerk” where they will be using their own bandwidth to serve themselves – or time out trying – or perhaps to a honeypot.
In fact, if the required cookie is created behind a password protected page and is dynamic then this would constitute a two-factor authentication. The second factor being the actual login credentials.
http://www.willmaster.com/blog/contentprotection/htaccess-cookie.php
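As an added example (not from this post, the linked article, or the plugin vendor), here is the cookie gate described above written as Apache rules for a WordPress site's .htaccess. It assumes mod_rewrite and mod_headers are enabled; the cookie name wp_gate, the value REPLACE_WITH_LONG_RANDOM_VALUE and the page name open-gate.html are placeholders to change.

```apache
# Added example: gate wp-login.php and /wp-admin/ behind a cookie.
# Assumes mod_rewrite and mod_headers; names and values below are placeholders.

# 1. Hand out the cookie from one page. Put that page behind HTTP auth (or any
#    password-protected page) so that only you ever receive the cookie value.
<Files "open-gate.html">
    Header set Set-Cookie "wp_gate=REPLACE_WITH_LONG_RANDOM_VALUE; Path=/; HttpOnly; Secure"
</Files>

RewriteEngine On

# 2. admin-ajax.php is used by front-end plugins for anonymous visitors,
#    so it must stay reachable without the cookie.
RewriteCond %{REQUEST_URI} !/wp-admin/admin-ajax\.php$ [NC]

# 3. For the login page and the admin area, require the cookie to be present
#    with the exact expected value (matched as a whole cookie, not a substring).
RewriteCond %{HTTP_COOKIE} !(^|;\s*)wp_gate=REPLACE_WITH_LONG_RANDOM_VALUE(;|$)

# 4. Without it, answer with a bare 403 from Apache. WordPress and PHP never
#    start, so the request costs almost nothing to refuse.
RewriteRule ^(wp-login\.php|wp-admin/) - [F,L]
```

The 403 is the cheapest possible answer, since no PHP runs for the refused request; to redirect instead, as the post suggests, replace `-` with the target URL and `[F,L]` with `[R=302,L]`. Two things to keep in mind when using this: the cookie value is a static shared secret, so anyone who learns it (for instance from a browser on a shared machine) passes the gate, and the gate only removes noise before wp-login.php, so the real authentication check, with strong passwords, still happens at the login form.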
StarCircleAcademy, Member
Sorry: Quoting from an earlier post in this discussion:
“Caveat: When using an external shorting service, you run the very slight risk of having the shortened link harvested by others and used before the intended customer. This may result in customer complaints about expired links.” ~wzp
My question is by what mechanism might this happen so that someone is either able to find the shortened link or what it points to without having it emailed or displayed. E.g. can a nefarious person snoop the goo.gl links created and view them? I know the links are “public” and that someone could brute force attack them, but is there some other method that I should worry about? The Google API only seems to allow a user with credentials to view the links.
The second part of my question: can I substitute my own API key? That would allow me to see how often the shortened URL is clicked.
StarCircleAcademy, Member
This creates an intriguing question… if e.g. Google is being used as a link shortener, does that imply that Google can be inspected for click tracking (assuming the shortening is created under the credentials of a Google user)?
That would be cool.
On the other hand, I’m not sure how using the link shortener might result in someone else getting the data ahead of the person it’s being sent to. Is there some way to see the shortened links?