“Hide Login” Blocking Stripe Webhook

  • Resolved bzle

    (@bzle)


    4 years, 11 months ago

    Hi,

    I’m using WP Full Stripe to integrate Stripe payment processing with my site. They create a webhook for Stripe that looks like this: https://zellous.design/wp-admin/admin-post.php?action=handle_wpfs_event&auth_token=(your unique token)

    I recently discovered that Stripe was triggering tons of 404 errors and tracked it down to whether or not the “Login Protection > Hide Login” feature in Shield Security was enabled.

    Seems likely that there’s some blanket “return 404” rule put in place to prevent redirection to the actual login page when someone requests a /wp-admin/ URL. However, in the case of this webhook, no redirection will take place, even if the person/bot is not logged in.

    Is there any way to make Shield Security compatible with Stripe accessing a webhook URL?

    Thanks,
    Brandon

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author Paul

    (@paultgoodchild)

    Hi Brandon,

    This is the purpose of the hide login/wp-admin – to present a 404 with any attempt to access the login or admin, unless you’re already logged in.

    Using an admin URL for a non-authenticated webhook call is strange, but if that’s what you need to do, you’ll have to turn off the hide wp-login/admin option altogether.

    Thread Starter bzle

    (@bzle)

    Hi Paul,

    Thanks for the reply. Yeah, that makes sense. I was hoping maybe there was a way to whitelist certain URLs that don’t need to be protected with a 404.

    Don’t know why the webhook endpoint is in wp-admin. I assume it’s just the way the plugin is setup. I’ve reached out to them asking about setting a location outside wp-admin, but I don’t have high hopes.

    Plugin Author Paul

    (@paultgoodchild)

    Nope, there’s no way to whitelist URLs in that manner… it’d further complicate what is already a complicated feature, I’m afraid.

    I can look to automatically whitelisting Stripe’s IP addresses, though I can’t say if/when that may be. Keep an eye on the Changelog for that just-in-case.

    [EDIT] It turns out Stripe makes it easy (as always) to list their service IP addresses so we’ve added Stripe whitelisting to Shield 9.0.

    • This reply was modified 4 years, 11 months ago by Paul.
    Thread Starter bzle

    (@bzle)

    Thanks!!

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘“Hide Login” Blocking Stripe Webhook’ is closed to new replies.