• Resolved markussss

    (@markussss)


    Hello,

    one of my websites got accessed (hacker bot or something like that) as an Admin for several hours. I am taking all measures against it now to be sure. I wonder what this means for Stripe?

    Can I reset the connection somehow to be sure that nothing harmful can be done?

    Thanks for helping out

Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Author Payment Plugins

    (@mrclayton)

    Hi @markussss

    Here is what you will want to do:

    1. Login to stripe.com and go to https://dashboard.stripe.com/settings/apps
    2. Revoke access for “Payment Plugins for Stripe WooCommerce”. That will ensure the secret key used by the plugin is revoked.
    3. On the API Settings page of the Stripe plugin click “Delete Connection” and then re-connect.

    Kind Regards

    Thread Starter markussss

    (@markussss)

    Thanks .. that worked, but there are some more details to that

    I wonder what would happen if I just “Delete Connection” and then “Connect” again without Step 2. I did that already a few hours ago as I needed to act fast.

    I noticed in WooCommerce in your plugin settings, the Account ID stayed the same, the Webhook ID was changed, the Webhook url stayed the same, the Live Webhook Secret probably was changed. Does that sound right?

    In https://dashboard.stripe.com/webhooks I now see additional webhooks. I think every time when I reconnect it creates an additional webhook. Shouldn’t there be only one webhook per site, e.g. 1 webhook for the live site, 1 webhook for the test-mode on the dev-site? So it probably means the old webhooks are still there and I am not sure if that is good?

    At https://dashboard.stripe.com/apikeys I can see 1 public key and 1 secret key. The “Last used” date goes back approx. 1,5 years. Does that sound normal? Is your plugin not using the Stripe API?

    It’s a sensitive topic, hence I try to understand a bit more detail than usual about this.

    Thanks again for your quick reply

    Plugin Author Payment Plugins

    (@mrclayton)

    I wonder what would happen if I just “Delete Connection” and then “Connect” again without Step 2.

    Deleting the connection in the plugin removes the API keys from your WordPress database. To revoke the API keys, you must follow step 2.

    the Account ID stayed the same, the Webhook ID was changed, the Webhook url stayed the same, the Live Webhook Secret probably was changed. Does that sound right?

    The Account ID would never change. That’s how Stripe identifies your account. The Webhook URL wouldn’t change, since that’s your website’s url. Yes, the webhook secret was changed. That is correct.

    Does that sound normal? Is your plugin not using the Stripe API?

    API keys generated by the Connect process are never shown in the Stripe dashboard. They are more secure than normal API keys because they aren’t exposed. That’s why you have to follow Step 2 in order to revoke the keys.

    Kind Regards

    Thread Starter markussss

    (@markussss)

    Thanks for explaining in more detail

    kind regards
    Markus

    Thread Starter markussss

    (@markussss)

    Hi again,

    I missed one part, and now I got an email from Stripe informing me about a webhook error. I assume those are the “old” webhooks that are just “lying around” and not needed anymore

    In https://dashboard.stripe.com/webhooks I now see additional webhooks. I think every time when I reconnect it creates an additional webhook. Shouldn’t there be only one webhook per site, e.g. 1 webhook for the live site, 1 webhook for the test-mode on the dev-site? So it probably means the old webhooks are still there and I am not sure if that is good?

    The webhooks I see in the Stripe Dashboard all look exactly the same and are all active, e.g.
    https://www.mywebsite.com/wp-json/wc-stripe/v1/webhook

    I see different levels of error rates, though.

    Can those webhooks be deleted? Perhaps it is even absolutely necessary for security reasons to delete them?

    Plugin Author Payment Plugins

    (@mrclayton)

    Can those webhooks be deleted? Perhaps it is even absolutely necessary for security reasons to delete them?

    My recommendation is to delete all the webhooks via the stripe.com dashboard and on the API Settings page of the Stripe plugin, click the create webhook button. That will create a brand new webhook entry.

    So it probably means the old webhooks are still there and I am not sure if that is good?

    It’s not a security concern, there is only ever one webhook secret stored on your site which is the latest webhook that’s been created. But per my recommendation, I think you should delete them all and create a new one.
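
An added Python example (not from this thread or the plugin's code) of Stripe's `Stripe-Signature` check, showing that a delivery signed by a leftover endpoint would be rejected when only the newest secret is stored. It assumes the site verifies every delivery against that single stored secret; the endpoint ids, secrets and payload are constructed.

```python
import hashlib
import hmac

TOLERANCE_SECONDS = 300  # replay window; Stripe's libraries default to 5 minutes


def _digest(payload: bytes, secret: str, timestamp: str) -> bytes:
    # Stripe's v1 scheme: HMAC-SHA256 over "<timestamp>.<raw body>", hex-encoded.
    signed = timestamp.encode() + b"." + payload
    return hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest().encode()


def sign(payload: bytes, secret: str, timestamp: int) -> str:
    """Build the Stripe-Signature header an endpoint's deliveries would carry."""
    return f"t={timestamp},v1={_digest(payload, secret, str(timestamp)).decode()}"


def verify(payload: bytes, header: str, stored_secret: str, now: int) -> bool:
    """Accept only a fresh delivery signed with the secret the site has stored."""
    timestamp, candidates = None, []
    for part in header.split(","):
        key, _, value = part.strip().partition("=")
        if key == "t":
            timestamp = value
        elif key == "v1":
            candidates.append(value.encode())
    if timestamp is None or not (timestamp.isascii() and timestamp.isdigit()) or not candidates:
        return False  # malformed header
    if abs(now - int(timestamp)) > TOLERANCE_SECONDS:
        return False  # too old: possible replay
    expected = _digest(payload, stored_secret, timestamp)
    return any(hmac.compare_digest(expected, c) for c in candidates)


# Constructed sample data: two endpoints with the same URL, different secrets.
ENDPOINT_SECRETS = {"we_old_constructed": "whsec_old_constructed",
                    "we_new_constructed": "whsec_new_constructed"}
STORED_SECRET = ENDPOINT_SECRETS["we_new_constructed"]  # the site keeps only the latest
PAYLOAD = b'{"id":"evt_constructed","type":"payment_intent.succeeded"}'
NOW = 1_700_000_000


def delivery_results() -> dict:
    """Map each endpoint id to whether the site would accept its delivery."""
    return {eid: verify(PAYLOAD, sign(PAYLOAD, secret, NOW), STORED_SECRET, NOW)
            for eid, secret in ENDPOINT_SECRETS.items()}


if __name__ == "__main__":
    print(delivery_results())
```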

    Thread Starter markussss

    (@markussss)

    Alright .. just did that right away. Thanks again for confirming and for the instructions

  • The topic ‘Website got accessed – reset Stripe connection or API key?’ is closed to new replies.