Stripe webhooks being blocked by htaccess blacklist

For anyone else that stumbles on this issue…

I have a client website that uses Gravity Forms to subscribe users to a monthly subscription. It has been working fine for almost a decade. But then suddenly a couple of weeks ago (approximately Sept 1 2021) all his webhook requests began to fail. Recurring invoices and other automated Stripe activities would all fail to process with a 403 “Forbidden” error.

I initially went to Gravity Forms with the issue, since it was their form and it all coincidentally started when I switched his Stripe authentication method (a required update you need to do sooner or later with the Gravity Forms Stripe addon). I did a full plugin and theme conflict test and even built a brand new streamlined form that did nothing but take name and email and subscribe them to a monthly amount. This also failed, even with no other plugins and the Twenty Twenty-One theme. But Gravity Forms insisted backwards and forwards that a 403 error would never come from their plugin and that an error like this always came from the host.

So I worked with the web host, in a long, drawn-out ticket which, after whitelisting all Stripe IP addresses, still produced no useful results. I was almost out of ideas, but then the last support tech to take over my ticket (it’s always the last tech you work with, just like it’s the last place you look!) sat on the phone and watched the logs in real time while I went through the process of making a webhook attempt. By doing this, he figured out that the webhook was being blocked by a few lines of code in our .htaccess file, the code I got a few years earlier from Ultimate htaccess Blacklist 2 from Perishable Press.

This code has been in there and working great for the last 5 years. The site had been getting a large amount of bot traffic that was causing him to go over on his bandwidth quota at the host. So this code fixed that problem and has been great ever since — UNTIL Sept 1 2021! I noticed that on that same day Stripe had also made a bunch of changes to the appearance and design of their dashboard. (If you use Stripe you probably noticed this: menus are now at the top of the page instead of the side, and a few other things, such as the process to add events to a webhook, are different.) The only thing I can figure is that at the same time as they made this appearance change over at Stripe, they must have also made a change to their user agent, which now started triggering my bad bot blacklist.

Long story short, removing Ultimate htaccess Blacklist 2 from my .htaccess file allowed all Stripe webhook attempts to work once again!

So for anyone else who runs into this problem, I suggest you do not use this bad bot blocker on sites that integrate with Stripe (at least for anything requiring a webhook such as subscriptions).
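
The diagnosis above came from watching the access log while a webhook attempt was made. The same check can be run offline, as an added example that is not part of the original post: group the rejected requests to the webhook endpoint by user agent, so a block that follows the user agent rather than the source IP stands out. It assumes Apache's "combined" log format; the callback path, user-agent strings and log lines are constructed placeholders, and `blocked_webhooks` is a hypothetical helper name.

```python
import re
from collections import Counter

# Apache "combined" log format (assumed; adjust if the host logs differently).
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample lines: documentation IP ranges, placeholder callback path
# and placeholder user-agent strings (not real Stripe or Gravity Forms values).
SAMPLE_LOG = """\
203.0.113.10 - - [02/Sep/2021:10:15:01 +0000] "POST /?callback=example-stripe-webhook HTTP/1.1" 403 199 "-" "ExamplePaymentSender/1.0 (+https://payments.example/webhooks)"
203.0.113.11 - - [02/Sep/2021:10:16:40 +0000] "POST /?callback=example-stripe-webhook HTTP/1.1" 403 199 "-" "ExamplePaymentSender/1.0 (+https://payments.example/webhooks)"
198.51.100.7 - - [02/Sep/2021:10:17:02 +0000] "GET /pricing/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.99 - - [02/Sep/2021:10:17:30 +0000] "GET /wp-login.php HTTP/1.1" 403 199 "-" "BadBot/2.1"
not a log line
"""


def blocked_webhooks(log_text, path_marker, status="403"):
    """Count rejected requests to the webhook endpoint, keyed by (method, user agent).

    Returns (hits, skipped): a Counter of matching requests and the number of
    lines that did not parse as combined-format entries.
    """
    hits = Counter()
    skipped = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            skipped += 1  # malformed or differently formatted line
            continue
        # Only rejections aimed at the webhook callback are of interest here;
        # other 403s (e.g. real bad bots on other paths) are the blacklist working.
        if m["status"] == status and path_marker in m["path"]:
            hits[(m["method"], m["agent"])] += 1
    return hits, skipped


if __name__ == "__main__":
    hits, skipped = blocked_webhooks(SAMPLE_LOG, "callback=example-stripe-webhook")
    for (method, agent), count in hits.most_common():
        print(f"{count:3d}  {method}  {agent}")
    print(f"unparsed lines: {skipped}")
```

When the same user agent is rejected from several source IPs, as in the sample, whitelisting addresses will not help and the rule to look for is one that matches on request headers.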