3 years ago
by
no comments

Cleaning Up Bot Registrations in WooCommerce

…or Optimizing Slow Sub-Queries in WordPress

Bot registrations are a nuisance in many WooCommerce sites. Cleaning them up seems to be a trivial task: just delete all users without a placed order from a month ago and backwards.

select * from wp_users where user_registered < "2020-07-01 00:00:00";                                                                                                         
47665 rows in set (0.06 sec)

select meta_value from wp_postmeta where meta_value = '_customer_user';                                                                                                       
51253 rows in set (0.44 sec)

Okay, so we almost 50 thousand customers and a bit over 50 thousand orders.

The query to delete all the users that have no order is seemingly a simple one:

delete from wp_users where user_registered < "2020-07-01 00:00:00"
and id not in (select meta_value from wp_postmeta where meta_key = '_customer_user' group by meta_value);

Great. Yet there's a huge issue: Query OK, (59 min 7.22 sec)

Ooomph! This won't effing do!

Continue reading

Published 3 years ago by with no comments tagged in WordPress

WordPress


4 years ago
by
7 comments

WooCommerce Can’t Count Either

In continuation of yesterday’s post about bbPress, I decided to look for a more impactful race condition vulnerability. What’s more impactful on an online business than ecommerce?

WooCommerce is up for the thread-safety test in this post and probably a couple of other to follow.

WooCommerce Can't Count Either

Continue reading

Published 4 years ago by with 7 comments tagged , in WordPress

WordPress


4 years ago
by
4 comments

bbPress Can’t Count

In a highly-concurrent high-load environment bbPress will not count the topics and replies correctly. This happens due to several race conditions in the code. While not a critical vulnerability, it’s annoying. I wonder how the dotorg forums keep the numbers accurate? Maybe they don’t and nobody cares 🙂 but it’s something I’ve been very passionate about – data accuracy and race conditions.

bbPress Can't Count

Continue reading

Published 4 years ago by with 4 comments tagged , in WordPress

WordPress


4 years ago
by
no comments

On Startup Partnerships

As a contractor, I’m often approached by startup founders (or founders-to-be). They’re looking to reach some kind of partnership deal, where I would do backend development work without charging any money. As a wantrepreneur, I’m sometimes approached to fund some sort of startup. When, or rather, if the startup becomes profitable, I would get a cut of the profits.

I’ve learned some important lessons in the past 10 years. These help me deal with new partnership proposals without getting carried away, and steer some of friends and colleagues away from lucrative business proposals.

Continue reading

Published 4 years ago by with no comments tagged in Uncategorized

Uncategorized


4 years ago
by
no comments

W3TCache + nginx + subdirectories

This is a simple instruction on how to make W3Total Cache (version 0.13.1) work with nginx (version 0.14) and subdirectory installs.

W3TCache + nginx + subdirectories

Continue reading

Published 4 years ago by with no comments in WordPress

WordPress


4 years ago
by
2 comments

Bustone – Time and Space

…or the lost and found of underground ultra rare Christian Hip-Hop songs

…or “Are you insane? You haven’t written anything programming-related in over a year and you come back with this nonsense?”

Continue reading

Published 4 years ago by with 2 comments in Uncategorized

Uncategorized


6 years ago
by
no comments

Testing Race Conditions in WordPress

WordPress is not thread-safe.

I’ve spoken about this, and even started work on a plugin called WP_Lock that will aim to introduce some thread-safety into core to address the occasional TOCTOU bug under high load (and concurrency). For example ticket #44568 is an easy-to-reproduce complaint about concurrent REST API access 😉

Testing Concurrency Issues in WordPress with PHPUnit

If you thought writing thread-safe code in WordPress plugins is hard, unit testing the code for concurrency issues is even harder. One of the ways I found works best is by utilizing the PCNTL module in PHP to fork and test critical sections.

Continue reading

Published 6 years ago by with no comments tagged , , in WordPress

WordPress


6 years ago
by
no comments

do_action Moscow 2018

or creating a chat bot for WordPress in 2 days.

My first WordPress hackathon! do_action Moscow 2018 was organized this past past weekend by Теплица социальных техонологий, a Russian non-profit organization operating around the country.

Around 20 non-profit organizations took part in the hackathon over two days using WordPress to advance their causes. I was assigned to a team called Второе дыхание, a non-profit based in Moscow that gathers and recycles unwanted clothes, toys, etc.

Their idea was to create a chat bot for WordPress to help alleviate e-mail and Facebook chat support resource hogging.

Continue reading

Published 6 years ago by with no comments in Uncategorized

Uncategorized


7 years ago
by
one comment

Part 3: Safety nets vs. bad code

If you haven’t looked at part 1 and 2 here, I suggest you do before reading on. This is a direct continuation of part 1.

So the original $wpdb->prepare vulnerability, which, I remind you is based on a potential typo in third-party code, is followed up with a new potential vulnerability based on double preparing a query. So again, bad third-party code.

So here’s one for you. If a developer does $wpdb->prepare( "SELECT * FROM wp_users where ID = %d OR %d". $_GET['param1'], $_GET['param2'] ); (note the . instead of the ,) do I also get a $500 bounty? How far will this go? Will the method be removed completely because #security? To what extent should WordPress and PHP be blamed for potential developer mistakes?

Shouldn’t these be addressed in the actual third-party code and not in core? I’m at a complete and utter loss now. What’s next?

Shout outs to Slavco for bringing all these issues up both with the codebase and the community, and how things are or should be handled.

Published 7 years ago by with one comment tagged , in WordPress

WordPress


7 years ago
by
3 comments

On WordPress Security and Contributing

…and how neither really worked today.

A sad story in two parts, where I’m rash, harsh and untactful. An explanation, a rant, a call for support, a call for action. You do not have to agree with me, I may be just an asshole and haven’t realized it yet 😉

Continue reading

Published 7 years ago by with 3 comments tagged , in WordPress

WordPress



← older posts newer posts → back to top