How in the world did these 2 people subscribe?
I just took a look at the log files you sent over. Your logs indicate a PayPal® transaction took place. So even though you've got Open Registration turned off, s2Member will always allow registration to a paying Customer. This is the intended behavior.
So the question is, how did someone in the public, formulate a link to PayPal, that would be pre-configured for s2Member, and subsequently, return them back to your site with registration access? And further, why would a hacker pay you? The answer to this, is almost always " you have a Button Code on your site somewhere ", or you published a Button Code inadvertently at one point or another. Even if this PayPal Button was deleted from your site, it's still possible for it to exist somewhere else on the web, where your content may have been syndicated by other services online.
Is it possible for them to subscribe by going directly to PayPal and passing the website altogether
Yes, anything is technically *possible*, although HIGHLY unlikely. The only way to avoid going through a Button that you generated, is if a Customer was smart enough to pre-configure their own Button Code with all of the proper return URLs, the `custom` value matching your domain, the proper `item_number` field, etc. Even then, the ONLY way a Customer would gain access after a successful transaction, is if s2Member communicates with PayPal and verifies through a direct connection, that the purchase being submitted to your WordPress installation is genuine ( i.e. VERIFIED by PayPal ).
On this same topic, there is an additional form of security that you can implement ( optional, but recommended ), where you can configure your PayPal account to reject ALL Button Codes that are unencrypted. Using PayPal's interface, you can create Button Codes that are encrypted by PayPal, and if you configure your PayPal account correctly, PayPal will reject any incoming Button Code that is UN-encrypted. s2Member does NOT natively support this in it's Button Generator ( yet )... however, this is coming very soon, it's on our @TODO list, but currently under review, due to some technical limitations.
Until then, you can use PayPal's Button Generator to secure your Buttons, or upgrade to s2Member Pro. This is not an issue at all with s2Member Pro, which implements PayPal® Pro Integration.
Video demo: [ viewtopic.php?f=4&t=304 ]
You can learn more about this security tip @ PayPal
https://cms.paypal.com/us/cgi-bin/?cmd= ... ebpayments
( this prevents hackers from changing prices, terms, etc. in your Button Code )Statistics: Posted by Jason Caldwell — August 25th, 2010, 12:21 am
]]>