PriMoThemes — now s2Member® (official notice)

This is now a very OLD forum system. It's in READ-ONLY mode.
All community interaction now occurs at WP Sharks™. See: new forums @ WP Sharks™

Serious Problem with Subscriptions

s2Member Plugin. A Membership plugin for WordPress®.

Postby NickFox » August 22nd, 2010, 2:25 pm

In the past 2 weeks, I've had 2 people subscribe to my website and I have gotten notifications from PayPal saying that they are now subscribers. Here is the problem: I have open registration turned OFF.

How in the world did these 2 people subscribe?

My website has 400 users and I use an Android application and the WP API to subscribe users. I have emailed these 2 users and asked them how they subscribed but have not gotten an answer back from them. The second one just happened this morning so I am hoping that I will get an answer from that person.

My concern is that these 2 users might be subscribing to get into my website to look for vulnerabilities. Maybe I'm being a little bit paranoid, but I need to find the answer to this question... Is it possible for them to subscribe by going directly to PayPal and bypassing the website altogether?

I really need help getting to the bottom of this.

thanks
Nick
NickFox | Registered User | Posts: 12 | Joined: July 15, 2010

Re: Serious Problem with Subscriptions

Postby Jason Caldwell » August 25th, 2010, 12:21 am

Hi Nick. Thanks for reporting this.
How in the world did these 2 people subscribe?

I just took a look at the log files you sent over. Your logs indicate a PayPal® transaction took place. So even though you've got Open Registration turned off, s2Member will always allow registration to a paying Customer. This is the intended behavior.

So the question is, how did someone in the public formulate a link to PayPal that would be pre-configured for s2Member, and subsequently return them back to your site with registration access? And further, why would a hacker pay you? The answer to this is almost always "you have a Button Code on your site somewhere", or you published a Button Code inadvertently at one point or another. Even if this PayPal Button was deleted from your site, it's still possible for it to exist somewhere else on the web, where your content may have been syndicated by other services online.

Is it possible for them to subscribe by going directly to PayPal and bypassing the website altogether?

Yes, anything is technically *possible*, although HIGHLY unlikely. The only way to avoid going through a Button that you generated, is if a Customer was smart enough to pre-configure their own Button Code with all of the proper return URLs, the `custom` value matching your domain, the proper `item_number` field, etc. Even then, the ONLY way a Customer would gain access after a successful transaction, is if s2Member communicates with PayPal and verifies through a direct connection, that the purchase being submitted to your WordPress installation is genuine ( i.e. VERIFIED by PayPal ).

On this same topic, there is an additional form of security that you can implement ( optional, but recommended ), where you can configure your PayPal account to reject ALL Button Codes that are unencrypted. Using PayPal's interface, you can create Button Codes that are encrypted by PayPal, and if you configure your PayPal account correctly, PayPal will reject any incoming Button Code that is UN-encrypted. s2Member does NOT natively support this in its Button Generator ( yet )... however, this is coming very soon. It's on our @TODO list, but currently under review, due to some technical limitations.

Until then, you can use PayPal's Button Generator to secure your Buttons, or upgrade to s2Member Pro. This is not an issue at all with s2Member Pro, which implements PayPal® Pro Integration.
Video demo: [ viewtopic.php?f=4&t=304 ]

You can learn more about this security tip @ PayPal
https://cms.paypal.com/us/cgi-bin/?cmd= ... ebpayments
( this prevents hackers from changing prices, terms, etc. in your Button Code )
~ Jason Caldwell / Lead Developer
& Zeitgeist Movie Advocate: http://www.zeitgeistmovie.com/

Is the s2Member plugin working for you? Please rate s2Member at WordPress.org.
You'll need a WordPress.org account ( comes in handy ). Then rate s2Member here.

Jason Caldwell | Lead Developer | Posts: 4045 | Joined: May 3, 2010 | Location: Georgia / USA
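The verification Jason describes above, as an added example that is not s2Member's own code: access is granted only when PayPal itself answers VERIFIED to a postback of the notification, and only when the posted fields (`receiver_email`, the `custom` domain, `item_number`, price and currency, `payment_status`, `txn_id`) match what the site actually sells. The `example_*` names, the price table, the `$sample` notification and the offline stand-in for PayPal are assumptions made for illustration; the postback URL and the `cmd=_notify-validate` / VERIFIED convention are PayPal's documented IPN protocol.

```php
<?php
// Added example (not s2Member's code). Minimal PayPal IPN check: trust a
// notification only if PayPal confirms it AND its fields match this site.

// Assumed site configuration: what a genuine notification must contain.
$example_expected = array(
    'receiver_email' => 'merchant@example.com', // the PayPal account being paid
    'custom'         => 'example.com',          // s2Member sends the site domain in `custom`
    'levels'         => array(                  // item_number => what that level really costs
        '1' => array('mc_gross' => '10.00', 'mc_currency' => 'USD'),
        '2' => array('mc_gross' => '20.00', 'mc_currency' => 'USD'),
    ),
);

// Real postback: echo the raw body to PayPal with cmd=_notify-validate in front.
// PayPal replies with the literal string VERIFIED or INVALID.
function example_ipn_postback($raw_body)
{
    $ctx = stream_context_create(array('http' => array(
        'method'  => 'POST',
        'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",
        'content' => 'cmd=_notify-validate&' . $raw_body,
        'timeout' => 30,
    )));
    $reply = @file_get_contents('https://ipnpb.paypal.com/cgi-bin/webscr', false, $ctx);
    return $reply === false ? 'ERROR' : trim($reply);
}

// Returns true only if every check passes. $postback is injectable so the logic
// can be exercised offline; $seen_txn_ids stands in for persistent storage.
function example_ipn_is_trustworthy(array $post, $raw_body, array $expected,
                                    array &$seen_txn_ids, $postback, &$reason)
{
    $reason = '';
    $need = array('receiver_email', 'custom', 'item_number', 'mc_gross',
                  'mc_currency', 'payment_status', 'txn_id');
    foreach ($need as $k) {
        if (!isset($post[$k]) || $post[$k] === '') { $reason = "missing $k"; return false; }
    }
    // 1. PayPal itself must confirm it sent this notification (a self-built POST fails here).
    if (call_user_func($postback, $raw_body) !== 'VERIFIED') { $reason = 'postback not VERIFIED'; return false; }
    // 2. The money must have gone to this account, not to one the sender controls.
    if (strcasecmp($post['receiver_email'], $expected['receiver_email']) !== 0) { $reason = 'receiver_email mismatch'; return false; }
    // 3. The notification must be addressed to this site.
    if ($post['custom'] !== $expected['custom']) { $reason = 'custom (domain) mismatch'; return false; }
    // 4. Only completed payments grant anything.
    if ($post['payment_status'] !== 'Completed') { $reason = 'payment_status not Completed'; return false; }
    // 5. item_number must be a level this site sells, at the price it charges
    //    (a button whose price or terms were edited fails here).
    if (!isset($expected['levels'][$post['item_number']])) { $reason = 'unknown item_number'; return false; }
    $level = $expected['levels'][$post['item_number']];
    if ($post['mc_currency'] !== $level['mc_currency']
        || number_format((float) $post['mc_gross'], 2, '.', '') !== $level['mc_gross']) {
        $reason = 'price mismatch'; return false;
    }
    // 6. Each txn_id is honoured once, so a captured notification cannot be replayed.
    if (in_array($post['txn_id'], $seen_txn_ids, true)) { $reason = 'duplicate txn_id'; return false; }
    $seen_txn_ids[] = $post['txn_id'];
    return true;
}

// Constructed sample notification (not a real transaction).
$sample = array(
    'receiver_email' => 'merchant@example.com', 'custom' => 'example.com',
    'item_number'    => '1', 'mc_gross' => '10.00', 'mc_currency' => 'USD',
    'payment_status' => 'Completed', 'txn_id' => 'TXN-SAMPLE-0001',
);
$raw  = http_build_query($sample);
$seen = array();
// Stand-in for PayPal so the demo runs offline; in production pass 'example_ipn_postback'.
$fake_verified = function ($body) { return 'VERIFIED'; };

$ok = example_ipn_is_trustworthy($sample, $raw, $example_expected, $seen, $fake_verified, $why);
echo $ok ? "grant access\n" : "reject: $why\n";

$tampered = $sample; $tampered['mc_gross'] = '0.01'; // price edited in an unencrypted button
$ok = example_ipn_is_trustworthy($tampered, http_build_query($tampered), $example_expected, $seen, $fake_verified, $why);
echo $ok ? "grant access\n" : "reject: $why\n";

$ok = example_ipn_is_trustworthy($sample, $raw, $example_expected, $seen, $fake_verified, $why);
echo $ok ? "grant access\n" : "reject: $why\n";
```

Run with `php example.php`: the genuine sample is accepted, the copy with an edited price is rejected at the price check, and re-submitting the original notification is rejected as a duplicate `txn_id`. The order of checks matters: the postback comes first so that no field is trusted before PayPal has vouched for the whole body, and the replay check comes last so that a rejected notification never consumes a `txn_id`.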

Re: Serious Problem with Subscriptions

Postby Jason Caldwell » August 25th, 2010, 12:27 am

Another quick tip.

If you're in the development phase, and you want to completely LOCK DOWN registrations, even with paid access, you can add this line to the functions.php file for your WordPress® theme.
```php
// Refuse ALL registrations, even for paying customers, while in development.
// __return_false is a WordPress core helper that simply returns false.
add_filter("ws_plugin__s2member_check_register_access", "__return_false");
```

If you're running s2Member on a Multisite Blog Farm, you'll also need this snippet:
```php
// Same lock-down for Multisite: s2Member's MMS registration filter expects a
// string, and "none" tells it that no one may register.
add_filter("ws_plugin__s2member_check_mms_register_access", "mms_lock_down");
function mms_lock_down()
{
    return "none";
}
```
