How to Resolve 406/403 Not Acceptable – ModSecurity Issues
In This Document
ModSecurity is an open source firewall solution that some web hosts automatically enable on their servers. Some configurations of ModSecurity can accidentally block valid requests to your server which can in turn cause WP Simple Pay to not function correctly.
Error Returning from Stripe Checkout (checkout.stripe.com)
A common request ModSecurity may block is returning from an off-site Stripe Checkout page. It is important that ModSecurity does not block requests from any of Stripe’s fully qualified domain names:
api.stripe.com checkout.stripe.com files.stripe.com js.stripe.com m.stripe.com m.stripe.network q.stripe.com
Your web host will be able to add these domains to the ModSecurity whitelist to ensure your users see their Payment Success page after a Stripe Checkout payment.
Error Attempting an On-Site Payment Form
ModSecurity can also incorrectly block requests to your website’s WordPress REST API. This can occur in certain instances such as using a custom field to collect a URL, which ModSecurity may flag when the form’s content is submitted.
Your web host will be able to see POST
requests to the /wp-json/wpsp
REST API endpoints and whitelist any rules that have been improperly triggered that may be blocking requests.
See our documentation article on the WordPress REST API for more information.
Still have questions? We’re here to help!
Last Modified: