Skip to content

WP / Woocommerce Mystery

Solved Configure
  • I’m posting this as a long-shot that someone might have a thought of why this Wordpress / Woocommerce site stopped working recently, although code not altered.
    Its not my page, but the owner had a working site that used a Leonardo.ai API to have a panel to generate images, which were used in these ‘diamondpainting’ kits, where people make the pictures out of small plastic beads.
    Anyway last week the website just stopped working fully, now has a word [Leonardo-AI] where the ai panel was! It should have run some custom PhP there.

    diamondpainting.png
    I inspected the html in the site www.diamondpainting.ai
    and there is a
    <P>[Leonardo-AI]</P>
    which seems strange!
    He wondered if he has been hacked, so tried installing last weeks back-up and that has the same error now.
    Its very odd.
    Not sure if there is enough info here for any guesses on what might have happened

  • @Panda can you give me admin login details for this site via pm ? Hard to tell without access to the site itself plus access to the host it sits on.

  • hi, allright i will do, thank you!

  • oh sorry, im new here, cant write you pm

  • @papillon121 you should be able to. There isn’t any restriction once you’ve been upvoted (which I’ve just done).

  • @phenomlab
    Do he square brackets [] mean anything special in html or wordpress?
    This line in console inspection confuses me, unless WP generated it
    <p>[Leonardo-AI]</p>

  • @Panda typically in WordPress anything inside square brackets is considered to be a shortcode.

    https://codex.wordpress.org/Shortcode_API

  • I just took a very quick look at this site, and there a plugin (well, two of the same actually) called Leonardo AI so I’ve enabled one of them.

    The front page also has the shortcode of [Leonardo AI] so that explains the odd text. It’s a shortcode which won’t render unless the plugin is enabled.

    The site looks ok to me, but I can’t comment as such because I don’t know how the site works, or should work.

  • @phenomlab
    Great. Why might it have come disabled?
    Papillon just has to put new API key in, as that was reset when we tried to fix it.

  • @Panda Plugins don’t generally disable themselves, but you do have 2 plugins with the same name (but probably different folder names) so you should remove the erroneous one.

    It’s likely that the addition of the second identical plugin forced the first and original offline.

  • Pandaundefined Panda has marked this topic as solved on
  • @phenomlab were both plugins the same (in code terms?)
    Papillon put in new key and its not actually generating the image.
    Im wondering if its worth trying enabling the other plugin instead?
    Is it easy to delete the second plugin if we find out which one is not working?

  • @Panda I can’t tell if they are the same without access to the file system itself. They are probably the same, so if you disable the currently active one and then enable the other, you may find that the API key is activated (but it’s typically stored in the database).

    You should be able to remove one of the plugins from within WordPress.

  • Any more ideas on this? The plugin is running now, just not returning an image?
    The Leonardo AI generation requires two API calls. First to start generating a series of images, and second to fetch the images.
    I can see in console log, no seriesID from first call, so maybe a key issue?

    @phenomlab did you get host login details?

  • @Panda I did yes, but not had any free time to look yet. Will have a look either later this afternoon / evening, or tomorrow morning.

  • @Panda @papillon121 Ok. I think I have this working now - can you verify?

    image.png

    82a739a7-3d54-4c16-afcb-b84b87d23616-image.png

    There in fact wasn’t two plugins, but the a copy of the plugin’s main configuration file was in the same directory meaning WordPress will see it and list it twice. The erroneous file has been renamed to .old to stop WordPress reading it.

  • @phenomlab Great. Its working most of time for me now.
    Its always been a bit flakey.

    Can you just explain for me what these config files are. Why would there have been two?

    On another topic, Papillon does prefer Shopify, but it did seem more complicated to try it there. Shopify uses a template language for custom js, its rather like Nodebb’s template language actually!
    @phenomlab have you any Shopify experience?
    Shopify has more restrictive rules, in what you can add, thats why WooCommerce was used for this test

  • @Panda @papillon121 Did this script ever work properly? Looking at it, there are two components.

    1. A PHP script that collects values from the page
    2. A JS script for processing via AJAX

    This is standard behaviour for processing remote data requests via json but I’d frankly be amazed if this ever worked properly without a user being logged in. There are functions such as the below

    add_action('wp_ajax_handle_curl_request', 'handle_curl_request');
    

    This will work if the user is logged in, but if not, then it will never return any data. The entire point of your site is for a visiting user to generate their request, see the response, then decide if they want to purchase it or not. As no data is ever returned from the json request (because it requires an authenticated user), the visitor is likely to think it doesn’t work, and then simply move on.

    Because of this, I’ve changed the above code to be as below (there are actually three of these that need fixing, but including one only for brevity. The code is commented, so you can review for yourself)

    add_action('wp_ajax_handle_curl_request', 'handle_curl_request');
    // Added by Phenomlab - you cannot use wp_ajax as unauthenticated user unless you specifty "nopriv"
    add_action('wp_ajax_nopriv_handle_curl_request', 'handle_curl_request');
    
    

    In addition, the site clearly states that it may take up to 30 seconds for any data to be returned, and yet, the timeout is hardcoded at 10 seconds!

                                    setTimeout(function() { 
                                        $.ajax({
                                            url: my_plugin_ajax.ajaxurl,
                                            type: 'POST',
                                            data: data,
                                            dataType: 'html',
                                            success: function(responseData) {
                                                // Handle the response data here
                                                jQuery('.my-plugin-container .trx_addons_loading').css({"display":"none"});
                                                $('.my-plugin_images_columns_wrap').prepend(responseData);
                                            },
                                            error: function(responseData) {
                                                console.log('AJAX Error' + responseData);
                                            }
                                        });
                                    }, 10000);
    

    This makes no sense whatsoever. The API is remote, and may well take in excess of 30 seconds to return data depending on how busy it is. I have changed this so that it waits for a minute - in my testing, it’s always less than that, but the wording on the page (in the sense of the 30 seconds…) should also be changed as to not set expectations.

                                    setTimeout(function() { 
                                        $.ajax({
                                            url: my_plugin_ajax.ajaxurl,
                                            type: 'POST',
                                            data: data,
                                            dataType: 'html',
                                            success: function(responseData) {
                                                // Handle the response data here
                                                jQuery('.my-plugin-container .trx_addons_loading').css({"display":"none"});
                                                $('.my-plugin_images_columns_wrap').prepend(responseData);
                                            },
                                            error: function(responseData) {
                                                console.log('AJAX Error' + responseData);
                                            }
                                        });
                                    }, 60000);
    

    Clearly, this plugin has been generated in an automated fashion given the references to my-plugin... etc, and to be honest, it’s very poorly written and contains a couple of vulnerabilities where the code response could be intercepted and manipulated in some isolated cases.

    I mostly do not comment on other people’s coding work, but this is some of the worst code I’ve ever seen - mostly because of the API being exposed in the console, which I’ve removed.

    Can you please test it now with both a logged in user, and guest? It should be returning data in both cases.

  • phenomlabundefined phenomlab has marked this topic as unsolved on
  • Oh gosh, I recall 10seconds not being enough, so the setTimeout in front end was set to 30000ms

    I didnt know there was another timing set backend

    Can you explain why that ajax command requires login?

  • @Panda said in WP / Woocommerce Mystery:

    Can you explain why that ajax command requires login?

    Because it is being called as wp_ajax_ which would require an associated logged in account (in WordPress). I’ve added the same functions, but with wp_ajax_nopriv_ so that it will work if the user is not logged in. There should actually be error handling in the code to determine if the request originates from a guest, or a logged in account.

    The fact that it isn’t there is either a lack of knowledge on the code authoring part, or just laziness.

  • @phenomlab
    Yes its working, reliably! 😁
    Screenshot_20230724_144214_Chrome~2.jpg


Did this solution help you?
Did you find the suggested solution useful? Why not buy me a coffee? It's a nice gesture, and a great way to show your appreciation 💗

Related Topics
  • How to deploy WordPress.org Developer theme

    Solved Configure
    4
    1 Votes
    4 Posts
    401 Views

    @Hari the real issue here is that I don’t think it can be used as a theme for WordPress because of the dependencies it clearly has, including its own Web server.

    My view here is that this is designed to be a complete development environment outside of the WordPress core.

  • 2 Votes
    11 Posts
    573 Views

    Thanks for your inputs ♥️

  • No valid role attribute on elements

    Solved WordPress
    10
    0 Votes
    10 Posts
    550 Views

    I found it here, ins elements can not have aria elements

  • How to position ads responsively

    Solved WordPress
    13
    3 Votes
    13 Posts
    644 Views

    @phenomlab yes that’s the problem with these J’s, I will try my best , If I find something better I will share. Thanks

  • Flarum - WordPress Journey

    WordPress
    59
    22 Votes
    59 Posts
    5k Views

    @Sala I will likely need admin access to your site for this.

  • 1 Votes
    13 Posts
    1k Views

    @phenomlab said in Hardening WordPress - Reducing the attack vector:

    @jac Microsoft’s and Google’s Authenticator both support TOTP - essentially, a time based system that changes every 30 seconds. The main principle here is that the device itself carrying the One Time Passcode only needs to be in sync with the source server in terms of time, and can be completely offline with no internet access.

    Provided the time matches on both devices, the One Time Passcode will be accepted. Applications such as Microsoft Authenticator and Authy also support push notification meaning you just choose either yes or no on your device when prompted, and then that response is sent back to the origin which then determines if access is granted or not.

    One of the best looking password less authentication models was CLEF - sadly, this product died out due to a lack of funding (if I recall correctly) although some open source implementations of this have appeared quite recently.

    Essentially, both products will achieve the same goal. TOTP is an industry standard, and widely accepted across the board. Not all services offer push confirmation.

    Many thanks for the detailed reply mate.

    There’s some great advice in there that will help me secure my accounts.

  • WordPress installation

    WordPress
    6
    0 Votes
    6 Posts
    523 Views

    @phenomlab said in WordPress installation:

    @jac that plugin is for single sign on between WordPress and NodeBB. The plugin you really need is this

    Brilliant, that does look good! 😁

  • WordPress & NodeBB

    Solved WordPress
    6
    0 Votes
    6 Posts
    644 Views

    @jac That won’t matter. You just redirect at nginx or apache level and it’ll work. The generally accepted standard though is to use a subdomain.