• Resolved gatewaymedia

    (@gatewaymedia)


    I use WooCommerce. After completing the purchase at PayPal the automatic redirect is blocked and the user gets a 403 error. According to PayPal the site is blocking the return. I tried disabling All-In-One security plugin and the purchase went through – it worked. Any clues if there is a setting within the plug-in that will allow the PayPal redirect to work?

Viewing 12 replies - 1 through 12 (of 12 total)
  • Plugin Contributor wpsolutions

    (@wpsolutions)

    Hi,
    I personally haven’t had this issue but there could be permutations and combinations of settings which may cause this.
    It might be one of the firewall rules in your case.
    I recommend instead of deactivating the whole plugin, try firstly only disabling the firewall rules and do a couple of test purchases to see if you can find which rule is causing this.

    I just experienced this on a test site running WooCommerce using PayPal Standard (the version packaged with WooCommerce). I haven’t solved the problem yet, but one thing I noticed in the return URL is a few instances of %22. This string is among those blocked by the Advanced Character String Filter under Firewall > Additional Firewall Rules. I believe there are other issues as well since I disabled this feature and I still received the 403 error on return from PayPal. I’m guessing there are additional disallowed strings being blocked by other Firewall settings.

    I will also say that in my own live store I instead use the PayPal Express Checkout module in the PayPal for WooCommerce plugin and it works fine even with all the Firewall settings enabled (including the Advanced Character String Filter). I believe I will switch to that in my test store since I don’t want to lower my security settings in order to use PayPal Standard.

    OK, so I did some further digging and found all the offending strings that cause the PayPal return to be blocked. Your options are to manually make a few edits to your .htaccess file, or to disable all WP Security modules that place these strings in your .htaccess file. Keep in mind if you choose to make the few modifications to your .htaccess file, you will likely need to make those same modifications whenever you update the plugin and/or whenever you make any changes to its settings.

    If you choose to disable modules instead, it looks like you would need to disable Bad Query Strings and Advanced Character String Filter (both under Additional Firewall Rules), as well as the Legacy 5G Firewall Protection (under 6G Blacklist Firewall Rules). I believe disabling these modules would lower your score by 30 points.

    Here are the areas of my .htaccess file that needed to be modified:

    In the #AIOWPS_DENY_BAD_QUERY_STRINGS_START section, find the line:
    RewriteCond %{QUERY_STRING} (\;|'|\"|%22).*(request|insert|union|declare|drop) [NC]
    and change it to:
    RewriteCond %{QUERY_STRING} (\;|'|\").*(request|insert|union|declare|drop) [NC]

    In the #AIOWPS_ADVANCED_CHAR_STRING_FILTER_START section, remove the following lines:

    RedirectMatch 403 \%22
    RedirectMatch 403 \%7B
    RedirectMatch 403 \%7D

    In the # 5G:[QUERY STRINGS] section, there are two lines that need to be modified.
    Change:
    RewriteCond %{QUERY_STRING} (\"|%22).*(<|>|%3) [NC,OR]
    to:
    RewriteCond %{QUERY_STRING} (\").*(<|>|%3) [NC,OR]

    And change:
    RewriteCond %{QUERY_STRING} (\;|'|\"|%22).*(union|select|insert|drop|update|md5|benchmark|or|and|if) [NC,OR]
    to:
    RewriteCond %{QUERY_STRING} (\;|'|\").*(union|select|insert|drop|update|md5|benchmark|or|and|if) [NC,OR]

    I made these changes to my .htaccess file and my PayPal return was no longer blocked. For reference, under Basic Firewall Settings, I have everything enabled except Completely Block Access To XMLRPC (since I use Jetpack). Under Additional Firewall Rules and 6G Blacklist Firewall Rules I have everything enabled.

    Plugin Contributor mbrsolution

    (@mbrsolution)

    @jjbte, have you tried to implement the changes you mentioned above and adding them to the Custom Rules under Firewall tab? The Custom Rules tab feature was added to the plugin to help those who run into situations like the one you mentioned above.

    In regards to the 5G settings can you test using 6G instead of 5G? Report back with any findings.

    Thank you

    I guess you could initially enable the Bad Query Strings, Advanced Character String Filter, and Legacy 5G Firewall Protection modules. Then copy their sections from the .htaccess file to the Custom Rules area, implementing the changes I suggested in my post. Then disable those three modules. That would lower your Dashboard score, but the (modified) protections would still be in your .htaccess file and you would not have to worry about your changes being wiped out when you update the plugin and/or its settings.

    I do have 6G enabled. That section doesn’t appear to cause a problem. However, having Legacy 5G enabled adds two troublesome lines I listed in my post (both lines contain the problematic %22 string that PayPal includes in its return URL). Removing |%22 (don’t forget to remove the preceding | character along with the %22) from those lines, along with the changes in other sections, allows the PayPal return URL to function properly.

    In addition to %22, the PayPal return URL also contains the strings %7B and %7D. All three strings trigger a 403 if the Advanced Character String Filter is enabled (unless the corresponding lines are removed from the .htaccess file).
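    The following is an added example, not code from the thread or from the All In One WP Security plugin, that models the three RewriteCond lines quoted above (the Bad Query Strings line and the two 5G query-string lines) as Python regexes, in both their original form and the "%22 removed" form suggested in the post. Apache evaluates RewriteCond %{QUERY_STRING} against the raw, still percent-encoded query string, case-insensitively because of [NC], which is what the helper reproduces. The RedirectMatch lines from the Advanced Character String Filter section are not modelled. Both query strings are constructed for the example: the first imitates a return URL carrying %7B, %22 and %7D as described in the thread, the second is a generic probe carrying a raw apostrophe and the word "union". Running it shows that the modified rules stop firing on the encoded-quote return URL while still firing on the raw-quote probe, i.e. the edit narrows the rules to the single %22 alternative rather than switching them off.

```python
import re

# Model of the three RewriteCond %{QUERY_STRING} lines quoted in the thread,
# as they appear before the suggested edit. Rule names are our own labels.
ORIGINAL_RULES = {
    "bad_query_strings": r"(\;|'|\"|%22).*(request|insert|union|declare|drop)",
    "5g_quotes_angle":   r"(\"|%22).*(<|>|%3)",
    "5g_sql_words":      r"(\;|'|\"|%22).*(union|select|insert|drop|update|md5|benchmark|or|and|if)",
}

# The same lines with the %22 alternative (and its preceding |) removed,
# exactly as the post describes.
MODIFIED_RULES = {
    "bad_query_strings": r"(\;|'|\").*(request|insert|union|declare|drop)",
    "5g_quotes_angle":   r"(\").*(<|>|%3)",
    "5g_sql_words":      r"(\;|'|\").*(union|select|insert|drop|update|md5|benchmark|or|and|if)",
}

# Constructed sample inputs (not real PayPal or attacker traffic).
# A return-style query string carrying %7B, %22 and %7D, as the thread describes;
# the token and payer values are placeholders.
PAYPAL_STYLE_RETURN = (
    "token=EC-PLACEHOLDER&PayerID=PAYER123"
    "&data=%7B%22request_id%22%3A%22ORDER-1%22%7D"
)
# A generic probe with a raw apostrophe followed by a SQL keyword the rules list.
INJECTION_STYLE = "id=1'%20union%20select%201,2"


def matching_rules(query_string, rules):
    """Return the names of the rules that would fire on this raw query string.

    Apache applies the regex to the un-decoded query string; [NC] means the
    match is case-insensitive, so re.IGNORECASE is used here.
    """
    return [
        name
        for name, pattern in rules.items()
        if re.search(pattern, query_string, re.IGNORECASE)
    ]


def compare(query_string):
    """Show which rules fire before and after the suggested .htaccess edit."""
    return {
        "original": matching_rules(query_string, ORIGINAL_RULES),
        "modified": matching_rules(query_string, MODIFIED_RULES),
    }


if __name__ == "__main__":
    for label, qs in (
        ("return-style query string", PAYPAL_STYLE_RETURN),
        ("raw-quote probe", INJECTION_STYLE),
    ):
        result = compare(qs)
        print(f"{label}: {qs}")
        print(f"  original rules fire: {result['original'] or 'none'}")
        print(f"  modified rules fire: {result['modified'] or 'none'}")
```

Because the edit only drops the percent-encoded form of the double quote, anything that still contains a literal quote or semicolon is matched exactly as before; what changes is that clients which properly URL-encode their quotes are no longer caught by these three lines.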

    Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi, you should only use one of the two options. For example, if you enable 6G make sure you disable 5G. Alternatively, only use 6G because 5G is old. I am sure the developers will remove the 5G option in a future release.

    Kind regards

    OK, thanks for the additional info. I’ve been using this plugin since before 6G became available. I left 5G in place since it has never seemed to cause a problem on any of my sites.

    As it relates to the topic here, disabling Legacy 5G still leaves Bad Query Strings and Advanced Character String Filter as problematic when using WooCommerce with PayPal Standard. I recommend making the .htaccess adjustments we’ve discussed, or just switching to the PayPal Express module of the PayPal for WooCommerce plugin. I’ve been using that plugin along with this one for about two years with no issues.

    Plugin Contributor mbrsolution

    (@mbrsolution)

    Thank you for your recommendation. The plugin developers will investigate further your request.

    Kind regards

    I wasn’t really making any requests. I think in this case your plugin is NOT the problem. We all have to weigh our options when we build websites. If we want to use PayPal Standard, then we have to deal with its quirks. Your plugin is designed to protect our sites from various known attack methods. Personally, I would just ditch PayPal Standard rather than compromise my site’s security by disabling/modifying some of your plugin’s security modules.

    If I were to request anything, it would be to maybe add some warnings about the problematic strings included in PayPal Standard return URLs and advise users as to their options for making this plugin work with PayPal Standard. Then again, you already include warnings with the Deny Bad Query Strings and Enable Advanced Character String Filter modules (that they “might break some functionality”), so I really don’t know what more you can do.

    Plugin Contributor mbrsolution

    (@mbrsolution)

    That sounds like a reasonable request to make. It is always a great idea to have warnings displayed or pop up in a site when certain features, services or plugins are installed, and what the repercussions could be.

    Thank you

    Thread Starter gatewaymedia

    (@gatewaymedia)

    I decided just to use PayPal Express and it worked perfectly fine. Thank you both for your input and help.

    Plugin Contributor mbrsolution

    (@mbrsolution)

    @gatewaymedia, that is good news. If your issue is resolved and you don’t need any more help, can you mark this support thread as resolved?

    Thank you

  • The topic ‘WP Security blocking Paypal’ is closed to new replies.