And we are so, so sorry
We will explain how some security upgrades caused login and billing issues in this blog post. If you’re interested in tech stuff, security, or any of the topics below, stick around and have a read through. Otherwise, scroll to the very bottom of this post for a little present from us to you!
Key Topics: WordPress, Woocommerce, CCBill, iThemes Security, HackRepair.com, Login problems, Blacklists, Whitelists, Sloppy Programming
Security Upgrades
Security has always been important to us, which is why we use SSL across our whole website.
We thought we would step-up our security game even more, and add additional security against hackers, DDoS attacks, and bots. Over the past two weeks we have been performing these additional security upgrades.
But the upgrades were too powerful and caused login and billing issues
We will discuss our fixes and solutions to both of these problems below.
1) Login Issues
Some users contacted us after the security updates telling us that they were unable to login. We are assuming that many other users had login issues too, due to the increased number of password changes that we saw over the past two weeks.
We forced a security change that only allowed users to login with their e-mail address. Previously, users were allowed to login with either their username OR their e-mail address. Therefore, users that logged in with their e-mail addresses would have encountered no problem, but users that logged in with their usernames would have seen an error message.
When we implemented the “e-mail only” login setting, we did not realize that this new requirement was not being properly communicated on the login page. We do not like to confuse our customers, so for now, we have turned this login requirement OFF. We will turn the “e-mail only” setting back on again after we have properly redesigned the login page to reflect this requirement.
So carry on! And continue to login with either your e-mail address OR your username. The choice is yours (for now).
2) Billing Issues
If you tried to purchase a new membership or individual pay-per-post item within the past two weeks, you may have encountered an issue after paying for your order with our billing provider CCBill.
Here’s how the process should go, when everything is going smoothly:
- Add a full membership or pay-per-post membership to your cart
- Head to the checkout and fill out your information
- Click the “proceed to checkout” button, and you are then redirected to our billing provider, CCBill
- Fill out your credit card details and pay via CCBill form
- CCBill redirects you back to KimCums.com, where you can choose to go to our homepage, or go to your “My Account” page
- CCBill lets our ecommerce system know that your payment was successful
- Our ecommerce system marks your order as “complete” and grants you immediate access to the digital content you purchased
We knew the billing issue was caused by a communication error around step 6. We could see that individuals were being redirected properly to CCBill, and we were receiving e-mails from CCBill that showed that our customers’ payments were successful. However, for some reason our server was not getting information from our billing company’s server, and since our ecommerce system was not receiving any information about whether or not your payment was successful, it was not marking any orders as “completed”. Instead, it marked orders as “payment pending”, and then as “cancelled” after the order timed out.
We were not even sure if it was being caused by our new security updates, or if it was being caused by separate updates to our ecommerce system resulting in a compatibility issue. It was a long process of elimination and I finally narrowed down the cause this afternoon.
Solutions
Here we start to dive deeper into some security and tech details. Below is the abbreviated account of our troubleshooting and solution. Before we begin, here’s a brief overview of our site configuration. Our website is WordPress-based and running the following plugins: iThemes Security, WooCommerce with a CCBill payment gateway add on.
In order to guarantee that my billing company can send information about a successful payment back to my server and WooCommerce system, their IP addresses and ranges need to be whitelisted. An IP whitelist means that my server trusts my billing company’s server and accepts communications from them.
However, I had already added all of the required CCBill IP addresses and ranges to the whitelist for my server firewall and to the separate whitelist for the iThemes Security plugin. I had also double-checked the iThemes Security blacklist in case CCBill’s IPs had been mistakenly added to that list as part of an automated process.
There was no setting on the iThemes Security plugin or on my server firewall that should have been resulting in CCBill’s servers being blacklisted or blocked. However, I temporarily disabled the plugin and confirmed that it was the iThemes Security plugin causing the problem. I then further narrowed down the problem to the “Banned Users” setting. The “Banned Users” setting contains the blacklist that I had checked earlier, but it also contains an additional setting to use a blacklist compiled by HackRepair.com. The iThemes plugin describes this blacklist as a starting point.
Once I disabled HackRepair.com’s blacklist feature, my WooCommerce order system began communicating with CCBill’s server immediately. I performed a few more tests, toggling this feature on and off, and confirmed that this particular security feature was the culprit. I was a bit frustrated to learn that a third-party blacklist feature was coded to override and prioritize itself over multiple whitelists (that hierarchy does not make sense to me), but I was happy to finally have a solution.
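To make the precedence problem above concrete, here is an added example (not code from this post, from iThemes Security or from CCBill) that evaluates a visitor IP against a whitelist and a blacklist under both hierarchies, and audits the two lists for overlapping ranges so the conflict can be caught before a partner’s callbacks are silently dropped. The IP ranges are constructed RFC 5737 documentation addresses standing in for the billing provider’s real ranges and for a bulk third-party blacklist.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Verdict:
    allowed: bool
    reason: str


def parse_list(entries: List[str]):
    """Turn a whitelist/blacklist of single IPs and CIDR ranges into networks."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries if e.strip()]


def first_match(ip: str, nets):
    """Return the first network containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    return next((n for n in nets if addr in n), None)


def evaluate(ip: str, allow, deny, deny_wins: bool) -> Verdict:
    """Decide whether a request from ip is accepted.

    deny_wins=True mirrors the behaviour the post observed: the third-party
    blacklist is checked first and overrides every whitelist entry.
    deny_wins=False is the hierarchy the author expected: an explicit
    whitelist entry wins over any blacklist entry.
    Addresses on neither list are ordinary visitors and are allowed.
    """
    a, d = first_match(ip, allow), first_match(ip, deny)
    if deny_wins and d is not None:
        extra = f" even though whitelist entry {a} covers it" if a else ""
        return Verdict(False, f"blocked by blacklist entry {d}{extra}")
    if a is not None:
        return Verdict(True, f"allowed by whitelist entry {a}")
    if d is not None:
        return Verdict(False, f"blocked by blacklist entry {d}")
    return Verdict(True, "no list entry matched")


def find_conflicts(allow, deny) -> List[Tuple]:
    """Every (whitelist, blacklist) pair whose ranges overlap: a trusted
    partner range that a bulk blacklist also covers is exactly the case
    that broke the payment callbacks described in the post."""
    return [(a, d) for a in allow for d in deny
            if a.version == d.version and a.overlaps(d)]


# Constructed sample lists (documentation ranges, not CCBill's real IPs).
PARTNER_WHITELIST = parse_list(["203.0.113.0/24"])
BULK_BLACKLIST = parse_list(["203.0.113.0/26", "198.51.100.7"])

if __name__ == "__main__":
    for policy in (True, False):
        v = evaluate("203.0.113.10", PARTNER_WHITELIST, BULK_BLACKLIST, deny_wins=policy)
        print(f"deny_wins={policy}: allowed={v.allowed} ({v.reason})")
    print("overlapping entries:", find_conflicts(PARTNER_WHITELIST, BULK_BLACKLIST))
```

Running `find_conflicts` against a site’s real whitelist and any bulk blacklist it imports is the check that would have flagged this problem before the callbacks started failing.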
We are sorry for the trouble this has caused and we did some manual fixes for affected customers
If your order was affected by this issue, you should have already received an e-mail from us going something like this:
Dear Customer,
We have recently discovered that there was an issue on KimCums.com that led to some of our customers experiencing problems with their membership and pay-per-post orders. This problem occurred between June 20th – June 28th.
You are receiving this e-mail because your order/attempted order occurred within this time period.
We apologize for the inconvenience, and we have manually approved your order. You should now have full access to the memberships and pay-per-post items that you were attempting to purchase.
Please let us know if you experience any further issues.
Kind Regards,
KC Support Team
If you think your order was affected, and you did not receive an e-mail like the one above OR an automated “Your order is complete” e-mail from our WooCommerce system, please check your spam folder first. If you still do not see any communication from us, please contact us at admin@kimcumsdev.wpengine.com. We would love to resolve this problem for you!
For everyone else
Please remember to let us know if you experience a problem or encounter a bug anywhere on KimCums.com. We do not always know there is a problem, and we cannot fix problems that we don’t know about. We also offer our bug catchers coupon codes, free memberships, or membership extensions for helping us out because we really, really appreciate our community members that help us out!
Also, please be patient with us! It’s just as frustrating for us when something goes wrong as it is for you. We’re only a small team (it’s just me and Jay) and we do all of the content creation, tech support, and upgrades ourselves. Sometimes these updates go smoothly and other times it’s a dumpster fire. It’s the joy of running a small, independent business. So just send us as much information as you can about the problem you are experiencing, and we will fix it up ASAP.
Enjoy the following coupon code as our apology for the inconveniences these past weeks.
Have 20% off because we upgraded our security and broke everything. Please forgive us!
Apply SECURITYOVERKILL2018: https://kimcums.com/cart/?apply_coupon=SECURITYOVERKILL2018
limit 1 per user, expires July 31, 2018.
Thanks for all of your patience,
xoxo Kim