I'm doing a simple integration with the Woocommerce API. The "Create a customer" and "Retrieve a customer" commands worked correctly. But when trying to use the "Delete a customer" command, the API returns nothing, much less deletes the customer. See Postman's print (http://prnt.sc/ek8ed0)
I suspect that there are some server security rules that block the DELETE command, but I'm not sure.
Has anyone ever experienced this?
Solved it at my end. The host was rerouting DELETE request to GET requests. I edited my .htaccess and added:
<Limit GET POST PUT DELETE>
order deny,allow
allow from all
</Limit>
That fixed it for me.
Related
Im using code from this article, worked perfect, but i want to block access for entire site, not only for one page, is there any available method?
Using Ubuntu, php7, mod-security2.
Code:
<Locationmatch "/wp-login.php">
# Setup brute force detection.
# React if block flag has been set.
SecRule user:bf_block "#gt 0" "deny,status:401,log,id:5000135,msg:'ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes.'"
# Setup Tracking. On a successful login, a 302 redirect is performed, a 200 indicates login failed.
SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000136"
SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:5000137"
SecRule ip:bf_counter "#gt 10" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter=0"
</Locationmatch>
When any site user try to log in 10 times in 3 minutes with wrong credentials mod-security block access for this user(by IP) and only for this page(sitename/wp-login.php), but i need to ban for entire site. Is there way to make this via this rule and modsec without db/.htaccess and any other features?
Thanks for any help.
You could a plugin like limit login attempts, which would handle tracking failed logins, and would manage the IP's blocked. But since the plugin would only block future logins, you could add a basic function that harnesses the plugin to block access to the front end.
For example, with the Limit Login Attempts plugin installed, add the below code into functions.php - and made any changes you'd like.
add_action('template_redirect', 'checkIfLockedOut');
function checkIfLockedOut(){
if(function_exists('is_limit_login_ok')){
$isNotLockedOut = is_limit_login_ok();
if(!$isNotLockedOut){
// you could wp_redirect here,
// or do what you'd like.
die('Sorry, you cannot access the site, you are locked out!');
}
}
}
https://wordpress.org/plugins/limit-login-attempts/
similar question has been asked before however I am not sure if the proposed solutions can be applied in my case. I have generated consumerKey and consumerSecret as per the woocommerce api documentation. I have confirmed that I can get the results using these keys by calling the below url in the webbrowser:
https://mywebsite.com/wp-json/wc/v2/products?consumer_key=ck_blahblah&consumer_secret=cs_blahblah
However, when I execute the same api call in the postman, using GET and correctly replacing user-> consumerKey and pass -> consumerSecret I always get 401 : woocommerce_rest_cannot_view. I have tried both http and https with the same error. Any ideas?
Use this plugin https://github.com/WP-API/Basic-Auth and when you call the API use the Basic Authentication using the username and password.
Woo Commerce uses a diferent authentication method for HTTP and HTTPS.
So, if "HTTPS" = 1 is not being passed by Apache/Nginx to you code it will enforce the HTTP method.
Do a double check if this "HTTPS" is passed to your PHP:
Open the file: ./wp-includes/load.php
Search for "is_ssl"
Insert a "echo 'test_beg'; echo $_SERVER['HTTPS']; echo
'test_end';
Do a request on the API
If it return test_beg and test_end without "on" or "1" in the
middle, the HTTPS is not being passedList item
It can happen when using a reverse proxy, so, you could need to insert "SetEnvIf HTTPS on HTTPS=on" on your httpd.conf (if using Apache).
I hope it helps :)
(remember to delete these 'echo' on load.php)
I have a firebase project that loads properly unless I type the url to my project with www. in front.
This works:
https://myproject.firebaseapp.com
This returns an error:
https://www.myproject.firebaseapp.com
Your connection is not private
Attackers might be trying to steal your information from
www.myproject.firebaseapp.com (for example, passwords, messages, or
credit cards). Learn more NET::ERR_CERT_COMMON_NAME_INVALID
Attempt to resolve
I followed the "Learn More" in the error above and it seems that
the error might be that firbase by default sets up
myproject.firebaseapp.com but not www.myproject.firebaseapp.com.
I then checked the firebase app in the hosting console (i.e. https://console.firebase.google.com/project/myProjectNameHere/hosting/main)
and it does show only the non-www version, but adding the www version here does not seem possible since I do not own the firebaseapp domain so I cannot add the provided TXT file at this point to the DNS records.
Does anyone know why this is occurring and how to get the project to load when www. is added to the url?
Thank you in advance!
This is not supported.
To give some technical detail, wildcard SSL certificates are only valid for a single level; so *.firebaseapp.com but not *.*.firebaseapp.com. In addition, this is (in my estimation) entirely unnecessary as it simply makes the URL longer.
What I would encourage you to do is purchase a domain name for use with your Firebase Hosting site, and connect it. Read "Connect a Custom Domain" in our docs for more info.
I am trying to connect my firebase app in to a domain -where the domain purchesd from google.Need help to to do the setup for DNS configuration.
my app is working fine in firebase app.
firebase app is - https://.firebaseapp.com/
My Firebase setup
And
Google Domain (https://domains.google.com/) - DNS Configuration
1.Name servers
Default is "Use the Google Domains name servers" is it OK?, if not what to setup
2.Registered hosts
If anything, need to add- please let me know.
3.Synthetic records
If anything, need to setup - please let me know.
4. Custom resource records
I am trying to add two records but getting error while trying to add second record - is "Record already in use"
please find the screen shot
Update
Now I have added both the IP address, but still it is not working.
Click the little + icon to the right of the field where you're entering the IP address. That will open a second textbox that you can use for the second value.
I noticed in your screenshot
That you have #-------------.com (where I assume ----------- is your URL). You don't want that. You want simply # there (and www if you want to redirect www.--------.com as well). # means "this domain name", which in your case is ----------
Hope this helps!
This was really helpful but there was one missing thing I was still confused on. On the firebase docs page for this https://firebase.google.com/docs/hosting/custom-domain if you scroll down the page it give you an example of how to setup a google domain. It asks that you put in the following information.
I could not find any "verification value provided in firebase console" for a TXT record. I ended up just putting the DNS A record inputs and that worked for domainName.com and www.domainName.com
Addition to Editing and (+) adding records together. You might want to also add 2 records for # and and 2 for www.
I had same problem, every setup was right but site doesn't work.
Finally I removed the domain from Firebase and add it again without changing DNS setup, then problem resolved.
I'm attempting to add a custom domain to firebase hosting.
Added the TXT records as instructed, and I get this message in the firebase dashboard:
"Unexpected TXT records found. Continuing to watch for changes."
There is one additional TXT record in my DNS settings, but I can't remove it. I don't see how it would get in the way of firebase's verification of my domain either.
I'm using Namecheap if that helps.
Thanks in advance!
I had to make sure that for the host field, it was set to '#', and not my actual host name.
I'm told this varies from registrar to registrar. Some require '#' for the host field if it's for the root domain, and others do not.
Hope this helps someone.
If you've updated your TXT records in your DNS settings as per the instructions, then it just a matter of time for firebase to detect the changes. Normally upto 48 hours. This message is normal though, if there is a real problem then you will be able to see an error message after the 48 hours.
On namecheap what worked was changing my host field to '#' rather than the host provided on firebase help.
Next step was to wait for an SSL