Try insert this small rewrite rune into the .htaccess:
RewriteCond %{QUERY_STRING} (add-to-cart|add_to_wishlist) [NC]
RewriteCond %{HTTP_USER_AGENT} (bot|crawler|spider|indexer) [NC]
RewriteRule .* – [F]
In our case, a bot called meta-webindexer was making hundreds of such requests per hour, increasing the server load.
Hello, we have exactly this same problem. Website becomes unreachable because CPU reaches 100& because of a lot of “add_to_wishlist” requests. These come from different IP addresses but not real customers for sure. The number of these requests happens suddenly, sometimes it goes for an hour. Two weeks ago it almost took a day……and we could not get it under control.
We tried limiting the requests thru cloudfare to max 2 requests per 10 seconds for each IP address but as IP addresses keep changing this does not help….would the above help?
Example line : https://dynamitemagic.nl/nieuwe-producten/?add_to_wishlist=146446&_wpnonce=604b0204b7&add-to-cart=4313&product-page=81
Any help is welcome 🙂
Hi,
yes, we eventually had to disable the wishlist plugin on many sites as we did not find any reasonable solution. A shame as it probably is useful function for some users.
The problem with .htaccess rewrite rule solution is that the User-Agent needs to be recognizable. If it is, then this works. But I have notcied that lately many bots don’t give this information any more only some general User-Agent that implies for a browser. But no human is adding concstantly thousands of products to their wishlist in a few hours timeline.
There is similar pattern to many other different functions like filtering plugins etc. The solution would be that the plugin does not create indexable url’s for bots to use. But the YITH Wishlist plugin is not supporting this. i asked their support.
I hope YITH will step in to fix this issue. In the meantime (we are struggling for a year to find out what issue was causing the website to go down and lost tens of thousands of $ every time it was out of reach for our customers for many hours) I also looked for a replacement and found the “savetowishlist” which claims to be much lighter in the working and has an import function from YITH as well.
I am not technical at all, I have company maintaining my webshop so I don’t change things myself and asked them for an opinion in this . I would love to keep YITH but not if it takes my site down on some moments. I know many customers use the list so disabling it for me is not an easy option.
I was just checking traffic and I don’t see the enormous amount of “add-to-cart / add_to_wishlist” url’s that flooded my website for many months. Traffic has gone down significantly, are there any other people that can confirm the same? Has the problem been solved and changes been made to the plugin?
We have the same issues. We had over 30,000 hits in an hour with ?_wpnonce=xxxxxxxxxxx&add_to_wishlist=###### so what we did was:
edited the .htaccess file
RewriteEngine On Block WooCommerce wishlist/add-to-cart bot pattern
RewriteCond %{QUERY_STRING} (^|&)_wpnonce=[a-f0-9]+(&|$) [NC]
RewriteCond %{QUERY_STRING} (^|&)add_to_wishlist=[0-9]+(&|$) [NC]
RewriteRule ^ – [F,L] Optional: block combined add-to-cart + wishlist requests
RewriteCond %{QUERY_STRING} (^|&)add-to-cart=[0-9]+(&|$) [NC]
RewriteCond %{QUERY_STRING} (^|&)add_to_wishlist=[0-9]+(&|$) [NC]
RewriteRule ^ – [F,L]
This makes all connections to go through to a 403 error page. We then saw a reduction but hits continued so we rerouted the DNS through cloudflare, turned on proxying and created a custom rule to only allow connections from certian countries. The load significantly dropped however, we host many sites and only one site is effected and the issue repeats every few weeks as we slowly remove these blocks. We do get the old connection still but not the 30k hits we saw. I think it’s a plugin issue and told our client they can no longer have it or she needs to find another provider.
There is no point blocking IP’s as you be going around in circles.