Tagged: PayPal CC Payment 403 Error
November 13, 2012 at 12:28 pm #189
Question copied from the BulletProof Security free plugin WordPress Forum and answered here:
I am testing a new site and ran into a 403 forbidden error in a specific case with the PayPal sandbox environment.
I am using PayPal Standard to accept donations. If the user has a PayPal account the flow works great. Both IPN and PDT work without issue. If the user has no PayPal account however and attempts to pay with a CC, then the string that is passed back by PayPal results in the 403 error. I am not sure exactly what BPS does not like in the string nor how to configure it to allow this condition.
The URL passed back that results in the error is:
If I deactivate BPS, then the transaction completes successfully. I read the other threads on the BPS 403 errors but no of them seem to apply.
Running BULLETPROOF PRO 5.2.2.
Thanks for any guidance.
First off the paypal script/file should be in its own folder/directory. The best site design/architecture is to compartmentalize paypal IPN or PDT or other scripts of this type.
For important scripts such as this script you would want the ability to be able to have isolated/directory/folder specific control of the security/protection of this script file. Also by compartmentalizing this script you do not have to make security exceptions or allowances in your website root folder and throughout your entire website because of this 1 script/file.
Let’s say you move the paypal script/file to a folder called /paypal. you can now add an .htaccess file in the /paypal folder that will ONLY apply to files in the /paypal folder and not any other files or folders throughout your entire website. .htaccess files work in a hierarchical way – if an .htaccess file exists in a particular folder then all files in that particular folder will ONLY follow the rules of that .htaccess file.
website root folder .htaccess file – all files in the root folder will follow the security rules in this .htaccess file and all subfolders that DO NOT have .htaccess files in them will also follow the security rules in the website root .htaccess file.
paypal folder .htaccess file - all files in the /paypal folder will follow the security rules in this .htaccess file and not the security rules in the website root folder .htaccess file.
To turn off security completely for ONLY the /paypal folder you would add a RewriteEngine Off .htaccess file by doing these steps below.
1. Open NotePad on your computer (not Word and not WordPad)
2. Add one line of .htaccess code in the file: RewriteEngine Off
3. Save the text file with this file name: nosecurity.txt
4. Upload the nosecurity.txt file to the /paypal folder
5. Rename the nosecurity.txt file to .htaccess
6. The /paypal folder now has its own compartmentalized security rules, which are No Security/Rewriting is turned off.November 14, 2012 at 2:43 pm #200
I always appreciate your insight. Of course you are correct, but this plug-in does not lend itself to this structure without some rewrite. I was hoping for … well an easy answer but I guess there is none so back to the code.
Thanks again.November 14, 2012 at 2:58 pm #201
Ok if the plugin has the API / PayPal / or whatever other script in a specific folder within that plugin’s folders then the simple solution is just to create the RewriteEngine Off .htaccess file in that particular folder. It is better security practice to limit things as much as possible so by doing this method then only that particular folder would be less secure as opposed to adding a security exception site-wide in your root .htaccess file.
November 14, 2012 at 3:08 pm #203
- This reply was modified 6 months, 1 week ago by AITpro Admin.
I can of course provide you with some sort of security exception rule in your root .htaccess file and if all else fails then that is what i will do, but this should be considered as a last resort. ;)November 14, 2012 at 3:08 pm #204
I can of course provide you with some sort of security exception rule in your root .htaccess file and if all else fails then that is what i will do, but this should be considered as a last result method. ;)
You must be logged in to reply to this topic.