CCBill Webhooks – Renew and Cancel Accounts not working

Home Forums BulletProof Security Pro CCBill Webhooks – Renew and Cancel Accounts not working

Tagged: ,

Viewing 12 posts - 1 through 12 (of 12 total)
  • Author
  • #21142


    Please bear with me; I’m decent with computers, but I’m new-ish to working on the web, so there may be a slight learning curve. And forgive me if the answer is obvious.

    We run a small members-only video streaming site on wordpress. We use CCBill as our payment gateway, functioning with WP eStore and managed by WP eMember. We started using Bulletproof Security on Christmas of 2014 and then quickly upgraded to pro. Since installing Bulletproof, eMember has stopped receiving the webhooks from CCBill that renew or cancel accounts. (It does, thankfully, still receive the webhooks that initiate an account.)

    Assuming the issue was the firewall, I tried autopilot and the cURL scanner, and I’ve interfaced with CCBill to find out the IP addresses the webhooks would be coming from to manually whitelist those in the “allow from” window. And for good measure, I added an “allow from” as well. So far, we’re still not receiving the renewal webhooks. We aren’t getting any dings in the security logs that look like they’re relevant, and I have run out of things I know to do. Any suggestions would be helpful.

    As a disclaimer, we actually had this same renewal webhook problem for a few months when we first integrated CCBill and eMembers. However, it was solved when CCBill added a “/” to the end of the link the webhooks were being sent to (although neither they nor I knew why that fixed it). With those fixes, it worked perfectly until the day we installed Bulletproof. I’ve spoken to both WP and CCBill, and they both said I needed to talk to you. I would be thrilled if you guys could help me get this working again.

    Thanks guys! Love the program otherwise~

    AITpro Admin

    Since you do not have any Security Log entries to post that are related to any of the plugins that could be involved in this issue/problem then do the BPS Pro standard troubleshooting steps below to confirm, eliminate or isolate the issue/problem.

    After doing each troubleshooting step, test whatever is not working.

    1. On the Security Modes page, click the Root Folder BulletProof Mode Deactivate button. See Custom Code Note if doing this step works.
    2. On the Security Modes page, click the wp-admin Folder BulletProof Mode Deactivate button.  See Custom Code Note if doing this step works.
    3. On the Security Modes page, click the Plugin Firewall BulletProof Mode Deactivate button.
    4. On the Security Modes page, click the UAEG BulletProof Mode Deactivate button.
    5. If an issue/problem is related to files being locked with F-Lock then unlock files on the F-Lock page.
    6. If an issue/problem is related to Login Security turn Off Login Security on the Login Security & Monitoring page.
    7. If an issue/problem is related to JTC Anti-Spam|Anti-Hacker turn Off JTC Anti-Spam|Anti-Hacker on the JTC Anti-Spam|Anti-Hacker page.
    8. If an issue/problem is related to a custom php.ini file (if you created a custom php.ini file for your website) rename it to php.ini.BAK
    9. If an issue/problem is related to files being autorestored and/or quarantined turn Off AutoRestore|Quarantine on the AutoRestore page. Note: If you are manually editing or uploading files to your website see the AutoRestore|Quarantine Manual File Editing/Uploading Correct Usage steps:

    AITpro Admin

    I just noticed the troubleshooting steps have not been updated to the new BPS Pro 10+ naming conventions.  This will be updated today.


    Thanks. I’ll try all of these. Unfortunately, I have no way of testing the webhooks manually – I have to wait for a renewal webhook to be sent naturally in each situation. So it may take a week or two to try each of these. If it doesn’t solve the problem, I’ll return.

    Thanks for the help.

    AITpro Admin

    What is webhooks?  All payment gateways or other types of applications that make API connections should have a way to test connections.  That is an industry standard.  Typically a sandbox developer mode is provided with the application.

    This is the best clue – “…stopped receiving the webhooks from CCBill that renew or cancel accounts. (It does, thankfully, still receive the webhooks that initiate an account.)”.  Typically ALL API connections would either work or none of them would work since there is typically only 1 API script that would handle all of these things:  new account, renew account, cancel account.  Do you see any php errors in your php error log?  Do you see any log entries in your server logs that is related to any of these plugins and/or webhooks?

    AITpro Admin

    Ok I see that webhooks is a specific CCBill thing:
    I will look at it some more to understand what webhooks is and how you would troubleshoot|test webhooks.


    Sorry; I assumed “webhooks” was a standard term. That’s what CCBill always said to me when I asked them about this. From what I can tell, any time their site receives payment and sends information to our site as to how to affect the membership, that transmission is called a “webhook.”

    Anyway, I just spoke to them and they did say that I am only able to do test transactions for new memberships and that for a renewal, I’d have to wait for one to occur naturally. I’m not sure if this is helpful, but CCBill doesn’t function through a plugin of its own; they provided script that integrates their payment gateway into the WP eStore and WP eMember programs (per instructions provided by these wordpress programs), and it sends these “webhooks” to our site to interact with the WP eMember membership management program. (I’m not sure if that makes sense to you. Again, forgive me. I’m still trying to learn the language of web development)

    I do have some php errors. These are new – up until a few days ago, I only had PHP errors related to a wordpress theme I don’t use. Here they are:

    [24-Feb-2015 00:31:33 UTC] PHP Fatal error:  Call to undefined method stdClass::get() in /home4/lolpics/public_html/wp-content/plugins/wp-eMember/eMember_auth_utils2.php on line 495
    [22-Feb-2015 17:10:52 UTC] PHP Warning:  include_once(): Failed opening 'wp_pg_subscription_class.php' for inclusion (include_path='.:/opt/php54/lib/php') in /home4/lolpics/public_html/wp-content/plugins/wp-payment-gateway/lib/ccbill/wp_pg_ccbill_class.php on line 488

    Both of those repeat a few times. These are new within the past few days. (Forgive me, but I don’t know how to reach server logs. Is that part of BPS, or is that part of the site’s framework?) I have to imagine that the scripts are different for renewal vs. new account because this is the same problem we had before CCBill “fixed” the location where the webhooks were being sent. We were getting new accounts, but not renewals. Then they fixed it, and it worked fine until we had BPS installed. So I have to imagine if they were the same script, there shouldn’t be a reason why one would work and the other wouldn’t, right?

    AITpro Admin

    UPDATE: BPS Pro 13+ and BPS 2.0+ versions have a feature called: Setup Wizard AutoFix (AutoWhitelist|AutoSetup|AutoCleanup) that automatically creates plugin and theme whitelist rules and automatically sets up and cleans up caching plugins htaccess code.

    I am not sure if the php errors are just coding mistakes in WP eMember or if they are related to anything that is relevant.

    Ok after looking at the Webhooks User Guide I believe I have found what is being blocked.  The User Agent has “Java” in the User Agent name|string.  By default BPS blocks the “java” User Agent string in the Root .htaccess file.  Do the Custom Code steps below.

    POST /webhooks.php?clientAccnum=999999&clientSubacc=9999&eventType=Expiration&eventGroupType=Subscription HTTP/1.1
    X-Allowed-Satellites: PHX,ASH,AMS
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 102
    User-Agent: Java/1.6.0_03
    Via: 1.1 (squid/2.7.STABLE5), 1.0 internal
    Cache-Control: max-age=0
    Connection: keep-alive
    clientAccnum=999999&clientSubacc=9999&subscriptionId=0913024401000012340&timestamp=2013-01-25 03:22:44

    Custom Code Steps:
    1. Copy the BPS Query String Exploits code below (the java user agent has already been removed in the code below) to this BPS Root Custom Code text box: CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS: Modify Query String Exploit code here
    2. Click the Save Root Custom Code button.
    3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

    # The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
    # Good sites such as W3C use it for their W3C-LinkChecker. 
    # Use BPS Custom Code to add or remove user agents temporarily or permanently from the 
    # User Agent filters directly below or to modify/edit/change any of the other security code rules below.
    RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|winhttp|clshttp|loader) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
    RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\\s+|%20+\\s+|\\s+%20+|\\s+%20+\\s+)(http|https)(:/|/) [NC,OR]
    RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
    RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
    RewriteCond %{THE_REQUEST} (%0A|%0D|\\r|\\n) [NC,OR]
    RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
    RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
    RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(http|https):// [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
    RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR]
    RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
    RewriteCond %{QUERY_STRING} (http|https)\: [NC,OR] 
    RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)cPath=(http|https)://(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*embed.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^e]*e)+mbed.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*object.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^o]*o)+bject.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR] 
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>|%3c|%3e).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x7f).* [NC,OR]
    RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd|etc|bin) [NC,OR]
    RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
    RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} \-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR]
    RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
    RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
    RewriteRule ^(.*)$ - [F]
    AITpro Admin

    Also add this Plugin Firewall whitelist rule just in case this file needs to be whitelisted:


    Plugin Firewall Manual Setup Steps
    1. Copy and paste plugin scripts/whitelist rules to the Plugins Script|File Whitelist Text Area.
    2. Click the Save Whitelist Options button.
    3. Turn AutoPilot Mode On.
    4. Click the Plugin Firewall BulletProof Mode Activate button.


    Thank you so much! I’ve inserted the custom code. I have a member set to renew later today, so that will give me a chance to test it. If the payment goes through but the membership does not renew, I’ll come back and let you know. But otherwise, I sincerely appreciate the help!


    It seems like your solution has solved the problem. Thank you so much for your help. We greatly appreciate it.

    AITpro Admin

    Great!  Thanks for confirming that it worked.

Viewing 12 posts - 1 through 12 (of 12 total)
  • You must be logged in to reply to this topic.