[Hummingbird] Caching Showed Customers' Personal Data

Hi,
We were made aware of an issue today that has been causing certain pages of our WHMCS installation to show customers' personal data that had been cached by your plugin. We've since exempted /client-area* from the plugin and this seems to have stopped that from happening, but I just wanted to double check with you to see if we had missed anything else.

Also, we're getting a strange JS error, "Uncaught SyntaxError: Unexpected token <", at https://digital.estage.net/client-area, which is preventing the main JS script from loading and causing us quite some issues. This did start happening quite recently and we've only just started using your plugins, so I just wanted to ensure that this wasn't caused by any of the WPMU plugins as well.

Looking forward to hearing back from you,
Joe Berry.

  • James Morris

    Hello Ian Taylor

    I hope you are well today. I'm terribly sorry to hear of the inconvenience you've experienced.

    Regarding caching...

    Any front-facing page has the capability of being cached with Hummingbird, which is why the exclusion functionality is built in. However, this is true of most full-page caching plugins. About the only way to exclude this type of scenario would be to only cache pages for anonymous visitors. Hummingbird gives you the option in WP Admin -> Hummingbird Pro -> Caching -> Page Caching to exclude logged in users.

    Include logged in users
    Caching pages for logged in users can reduce load on your server, but can cause strange behavior with some themes/plugins.

    In your situation it would be best to turn off caching for logged in users.

    Regarding the JavaScript error...

    Checking the code, I found the following code appended to the main script (I have anonymized the data with *****):

    <script type='text/javascript' src='https://stats.wp.com/e-*****.js' async='async' defer='defer'></script>
    <script type='text/javascript'>
    	_stq = window._stq || [];
    	_stq.push([ 'view', {v:'ext',j:'1:6.1',blog:'*****',post:'*****',tz:'0',srv:'*****.*****.net'} ]);
    	_stq.push([ 'clickTrackerInit', '*****', '*****' ]);
    </script>

    Since this code is being included in a js file that is called inside of a <script> tag, this will always cause an error because of the extra <script> tags. This code is added by WordPress stats (Jetpack). Was this added manually? The direct script URL is https://*****.*****.net/client-area/js/?ajax=1&js=templates/digitalintegration/js/scripts.min.js?v=2db9ba

    This URL reference does not resemble the type that Hummingbird creates. Do you have any other method of combining scripts configured on your site?

    Looking forward to hearing back from you.

    Best regards,

    James Morris
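
The two controls discussed in this thread (the /client-area* exclusion and caching only for anonymous visitors) can be expressed as one cache-eligibility check. This is an added example, not Hummingbird's code and not part of either post; the cookie prefixes and the response-header checks (Set-Cookie, Cache-Control) are assumptions that go beyond what the thread states.

```python
from fnmatch import fnmatchcase

# Path globs that must never be cached; /client-area* is the exclusion from the thread.
EXCLUDED_PATHS = ["/client-area*"]
# Assumption: cookie-name prefixes that mark a visitor as having a session.
# wordpress_logged_in_ is WordPress's login cookie; PHPSESSID is PHP's default session cookie.
SESSION_COOKIE_PREFIXES = ("wordpress_logged_in_", "PHPSESSID")


def cookie_names(cookie_header):
    """Names from a Cookie request header; parsed by hand so odd values cannot hide a name."""
    parts = (cookie_header or "").split(";")
    return [p.split("=", 1)[0].strip() for p in parts if p.strip()]


def cache_decision(method, path, cookie_header, response_headers):
    """Return (cacheable, reason) for one request/response pair."""
    if method.upper() not in ("GET", "HEAD"):
        return False, "method is not GET/HEAD"
    bare_path = path.split("?", 1)[0].lower()  # ignore query string and case
    if any(fnmatchcase(bare_path, glob) for glob in EXCLUDED_PATHS):
        return False, "excluded path"
    if any(n.startswith(SESSION_COOKIE_PREFIXES) for n in cookie_names(cookie_header)):
        return False, "session cookie present"
    headers = {k.lower(): v.lower() for k, v in response_headers.items()}
    if "set-cookie" in headers:
        return False, "response sets a cookie"
    if any(d in headers.get("cache-control", "") for d in ("private", "no-store")):
        return False, "origin marked response private"
    return True, "anonymous and shareable"


if __name__ == "__main__":
    # Constructed sample requests (not taken from the site in the thread).
    samples = [
        ("GET", "/client-area/invoices?id=3", "", {}),
        ("GET", "/blog/hello", "wordpress_logged_in_ab12=joe%7C1700000000", {}),
        ("GET", "/cart", "", {"Set-Cookie": "PHPSESSID=abc; HttpOnly"}),
        ("GET", "/blog/hello", "theme=dark", {"Content-Type": "text/html"}),
    ]
    for sample in samples:
        print(sample[1], "->", cache_decision(*sample))
```

The check fails closed: a page is stored only when every test passes, so a session the cookie list does not know about is still caught if the origin sets a cookie or marks the response private.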