SSL and GravityForms (payment forms w/ credit card)
-
Hello! I’m using the latest version of iThemes Security, GravityForms, and WordPress on a live site here: https://www.gcfwharton.org
Until I installed iThemes Security, I could have site users go to registration forms (that I created with GravityForms) and fill out all fields — including a credit card field — and submit it successfully. Now, it doesn’t work anymore. I’ve had several users report that they cannot make a payment, as Gravity Forms simply tells them “there is an error with your submission” and the credit card field gets highlighted.
Doesn’t matter if you use a credit card, debit card, etc. (I myself have tried it with my own credit/debit card multiple times).
I’ve checked all the iThemes Security settings I can think of that might be affecting this, especially the “SSL” and “System Tweaks” sections. These are the only options I have enabled in these sections of the plugin:
SSL
– Front End SSL Mode: Per ContentSystem Tweaks
– Remove File Writing Permissions: ON
– Disable PHP in Uploads: ONAll the other checkboxes are cleared/off. I have each page that the Gravity Forms form is located on w/ the credit card field set to “Enable SSL” (that little checkbox by the page properties).
Any help much appreciated.
-
@matt Sweeney
Please post the content of your .htaccess file while obscuring any sensitive info.
dwinden
Ok so I downloaded my .htaccess from my server, and all it had was this in it:
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ – [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule># END WordPress
Is that supposed to be right? Because in my iThemes Security Dashboard, this is what shows in the “Rewrite Rules” section (I thought this is what should be in the .htaccess):
# BEGIN iThemes Security – Do not modify or remove this line
# iThemes Security Config Details: 2
# Enable HackRepair.com’s blacklist feature – Security > Settings > Banned Users > Default Blacklist
# Start HackRepair.com Blacklist
RewriteEngine on
# Start Abuse Agent Blocking
RewriteCond %{HTTP_USER_AGENT} “^Mozilla.*Indy” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^Mozilla.*NEWT” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^$” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^Maxthon$” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^SeaMonkey$” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^Acunetix” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^binlar” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^BlackWidow” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^Bolt 0” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^BOT for JCE” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^Bot mailto\:craftbot@yahoo\.com” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^casper” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^checkprivacy” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^ChinaClaw” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^clshttp” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^cmsworldmap” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^comodo” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^Custo” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^Default Browser 0” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^diavol” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^DIIbot” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^DISCo” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^dotbot” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^Download Demon” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^eCatch” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^EirGrabber” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^EmailCollector” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^EmailSiphon” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^EmailWolf” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^Express WebPictures” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^extract” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^ExtractorPro” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^EyeNetIE” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^feedfinder” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^FHscan” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^FlashGet” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^flicky” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^g00g1e” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^GetRight” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^GetWeb\!” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^Go\!Zilla” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^Go\-Ahead\-Got\-It” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^grab” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^GrabNet” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^Grafula” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^harvest” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^HMView” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^ia_archiver” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^Image Stripper” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^Image Sucker” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^InterGET” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^Internet Ninja” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^InternetSeer\.com” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^jakarta” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^Java” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^JetCar” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^JOC Web Spider” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^kanagawa” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^kmccrew” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^larbin” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^LeechFTP” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^libwww” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^Mass Downloader” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^microsoft\.url” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^MIDown tool” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^miner” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^Mister PiX” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^MSFrontPage” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^Navroad” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^NearSite” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^Net Vampire” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^NetAnts” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^NetSpider” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^NetZIP” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^nutch” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^Octopus” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^Offline Explorer” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^Offline Navigator” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^PageGrabber” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^Papa Foto” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^pavuk” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^pcBrowser” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^PeoplePal” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^planetwork” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^psbot” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^purebot” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^pycurl” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^RealDownload” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^ReGet” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^Rippers 0” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^sitecheck\.internetseer\.com” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^SiteSnagger” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^skygrid” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^SmartDownload” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^sucker” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^SuperBot” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^SuperHTTP” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^Surfbot” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^tAkeOut” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^Teleport Pro” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^Toata dragostea mea pentru diavola” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^turnit” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^vikspider” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^VoidEYE” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^Web Image Collector” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^Web Sucker” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^WebAuto” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^WebBandit” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^WebCopier” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^WebFetch” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^WebGo IS” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^WebLeacher” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^WebReaper” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^WebSauger” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^Website eXtractor” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^Website Quester” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^WebStripper” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^WebWhacker” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^WebZIP” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^Wget” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^Widow” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^WPScan” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^WWW\-Mechanize” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^WWWOFFLE” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^Xaldon WebSpider” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^Zeus” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “^zmeu” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “360Spider” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “AhrefsBot” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “CazoodleBot” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “discobot” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “EasouSpider” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “ecxi” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “GT\:\:WWW” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “heritrix” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “HTTP\:\:Lite” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “HTTrack” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “ia_archiver” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “id\-search” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “IDBot” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “Indy Library” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “IRLbot” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “ISC Systems iRc Search 2\.1” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “LinksCrawler” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “LinksManager\.com_bot” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “linkwalker” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “lwp\-trivial” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “MFC_Tear_Sample” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “Microsoft URL Control” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “Missigua Locator” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “MJ12bot” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “panscient\.com” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “PECL\:\:HTTP” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “PHPCrawl” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “PleaseCrawl” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “SBIder” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “SearchmetricsBot” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “SeznamBot” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “Snoopy” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “Steeler” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “URI\:\:Fetch” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “urllib” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “Web Sucker” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “webalta” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “WebCollage” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “Wells Search II” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “WEP Search” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “XoviBot” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “YisouSpider” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “zermelo” [NC,OR]
RewriteCond %{HTTP_USER_AGENT} “ZyBorg” [NC,OR]
# End Abuse Agent Blocking
# Start Abuse HTTP Referrer Blocking
RewriteCond %{HTTP_REFERER} “^https?://(?:[^/]+\.)?semalt\.com” [NC,OR]
RewriteCond %{HTTP_REFERER} “^https?://(?:[^/]+\.)?kambasoft\.com” [NC,OR]
RewriteCond %{HTTP_REFERER} “^https?://(?:[^/]+\.)?savetubevideo\.com” [NC]
# End Abuse HTTP Referrer Blocking
RewriteRule ^.* – [F,L]
# End HackRepair.com Blacklist, https://pastebin.com/u/hackrepair# Disable XML-RPC – Security > Settings > WordPress Tweaks > XML-RPC
<files xmlrpc.php>
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order allow,deny
Deny from all
</IfModule>
</files><IfModule mod_rewrite.c>
RewriteEngine On# Disable PHP in Uploads – Security > Settings > System Tweaks > Uploads
RewriteRule ^wp\********(OBSCURED******/.*\.(?:php[1-6]?|pht|phtml?)$ – [NC,F]
</IfModule>
# END iThemes Security – Do not modify or remove this line@matt Sweeney
Normally these Rewrite Rules should be present in the .htaccess file.
Probably the Write to Files setting in the Global Settings section of the Settings page is not enabled.But at least now we know there are no iTSec plugin settings currently saved to the .htaccess file, so those cannot cause the issue.
For the moment keep it as it is and try the suggestion below.
(Once we figure out this issue you should enable the Write to Files setting).What happens when you set the Front End SSL Mode setting back to its default value (Off) ?
dwinden
Yes, that box is checked for “Allow writing to files” in the Global Settings. Strange…
I set the Front End SSL mode back to off, and waited for a while. Went back to a form to test payment with an active credit card, and it failed again.
I have installed a GravityForms tool for logging (from the GravityForms support team), and logged the error messages I get when the form is submitted. It shows that there is an “invalid configuration with processor” and tells me to contact my Merchant Service Provider (MSP). No idea what that is, but we’re digging into that one.
Thanks for the help, dwinden. Any other ideas/advice I should try? Or should I just see if this Merchant Service Provider is the issue here? Guess I’m still trying to figure out if it’s in my iThemes settings, or if it is going to be the MSP now…
@matt Sweeney
It is possible to manually edit the .htaccess file and remove the entire iTSec security section. Or perhaps a previous .htaccess file was restored from a backup.
But as soon as you save settings in the iTSec plugin the Rewrite Rules should be present again in the .htaccess file.You just changed the Front End SSL Mode setting back to its default value (Off) and saved … so I now expect the Rewrite Rules to be present in the .htaccess file.
Last thing you could try is to temporarily deactivate the iTSec plugin and see whether that resolves the issue. This will tell us whether using the iTSec plugin indeed causes the issue.
dwinden
Sorry dwinden, I’ve been out of the country and unable to come back to this post.
Yes, it was a problem with my Authorize.net account and merchant settings, which was causing this problem of cards not being accepted in the first place. So that has been resolved, and my site is accepting payments again normally.
Thanks for the assist here! I still do not know why my .htaccess won’t update when I click “Save” anywhere in iTSec, as that should definitely be happening (seeing this with other sites on my shared hosting, as well). I am copying all the configuration lines from the Dashboard there, and manually updating my .htaccess.
@matt Sweeney
No problem at all ??
Hmm, odd. Make sure the Write to Files setting in the Global Settings section of the Settings page is enabled.
Also check what web server is detected in the System Information metabox,
Server Information section->Server Type field, on the iTSec plugin Dashboard page.
Most likely Apache (version?), but you never know …dwinden
Yes sir, the Write to Files is checked. And the Server Information shows Apache (listed as Server Type: Apache/2.4).
I just clicked one of the blue “Save Settings” buttons, and went to FileZilla (my FTP program) and downloaded the .htaccess to view it. I noticed the time stamp on the file was correct for the last update to it. And when I opened it up this time, it was showing all the correct info! Weird. Maybe it “saved” it now that I had put all those lines in there manually a while back?? Because before, any time I would hit a “Save” button and go back to view the contents of the .htaccess, there would be nothing in there than the basic WP .htaccess lines.
Not the end of the world here, but surely wondering what may be causing this. Thanks for any advice!
- The topic ‘SSL and GravityForms (payment forms w/ credit card)’ is closed to new replies.
