This week PayPal has been sending out scary emails and causing a lot of panic. The emails are titled:
“IMMEDIATE ATTENTION REQUIRED: PayPal service upgrades.”
You may have received this email if you use Instant Payment Notification (IPN). IPN is a message service that automatically notifies merchants of events related to PayPal transactions: PayPal posts a message to a listener URL on your site, and your site posts that message straight back to PayPal over HTTPS to confirm it is genuine before acting on it. It is commonly used in eCommerce plugins and themes for WordPress.
However, the emails are not very helpful for most users. Because the changes are technical in nature, they encourage people to consult the individuals responsible for their PayPal integration.
What changes are being made?
At the end of September 2015, PayPal is changing the certificates its servers present when your website connects to it over HTTPS. Encryption is the process of encoding information so that, when it is sent over the internet, it cannot be read by eavesdroppers; the certificate is what lets your server confirm it is really talking to PayPal before any of that encrypted traffic flows. PayPal (and the industry as a whole) is moving from certificates signed with the old SHA-1 hash to certificates signed with SHA-256, which is far harder to forge. This is a good thing!
The “bad” thing is that PayPal's servers will only present the new SHA-256 certificates, so anything that connects to them must be able to validate a SHA-256 signature. We as developers have no control over that for most of our clients, since the HTTPS connection is made by the server, which is controlled by the hosting company. If your host does not have OpenSSL 0.9.8o (the library that handles HTTPS connections) or higher, the connection to PayPal will fail, and that could stop the payment system on your website from doing important things like marking a sale as paid or telling you a payment has been reversed. This SHOULD not affect actual payments being processed, because the buyer pays on PayPal's own site; it is your site's follow-up conversation with PayPal that breaks.
What do I have to do?
Most people will have nothing to worry about, as this should be taken care of by your web host. People on shared hosting would not even have the ability to do anything about this, since the changes that need to be made can only be done by a server admin, and most likely they were done a long time ago: OpenSSL 0.9.8o, the minimum version needed to validate SHA-256 certificates, was released on 1 June 2010, and there has been a new release almost every month since then, so the chances are the server your website is running on has been updated. If you are hosted on our preferred hosts, WP Engine or SiteGround, you have nothing to worry about, as you can see here or here.
If you are not using one of those hosts, you can do the following:
- Test your own site's SSL certificate (if you have one) at https://shaaaaaaaaaaaaa.com/ This is a separate issue from IPN: it tells you whether your certificate is still signed with SHA-1, which browsers are phasing out. If you see an error, contact your SSL provider and ask them to reissue the certificate with a SHA-256 signature.
- Test your server, or put in a support ticket and ask what OpenSSL version they are using. If it is out of date, I would personally move hosting companies, but at the very least ask them to update OpenSSL to 0.9.8o or higher. If you have a WordPress site, you can test by:
  - Go to https://gist.github.com/mikejolley/0941e0882efcad64ea40
  - Click download zip.
  - Upload the zip file as a plugin at Plugins > Add New > Upload Plugin. After you install it, go to the plugins page and find this: PayPal Sandbox IPN Tester
  - Click the link in the description. If it says SUCCESS, you’re good. Run the test on the live site itself, not on a local copy, since it is the host's OpenSSL that is being checked.
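For anyone with shell access to their server (over SSH, say), here is an added example of the same checks done by hand as a POSIX shell script. It is not from the post and is not the gist plugin above. It parses the output of `openssl version` and compares it against 0.9.8o (handling the letter patch levels of the 0.9.8 series), inspects a certificate's Signature Algorithm line for a SHA-2 digest (the same thing the shaaaaaaaaaaaaa.com check looks at), and, when run with the argument `check`, makes a live postback to ipnpb.sandbox.paypal.com. That host is the sandbox IPN verification endpoint PayPal documents; the post does not name it, and the assumption here is that a postback carrying only `cmd=_notify-validate` comes back INVALID, so either INVALID or VERIFIED proves the HTTPS conversation with PayPal works. The certificate text at the top is constructed for the script's own self-test, not a real certificate, and the live section assumes `openssl` and `curl` are installed.

```shell
#!/bin/sh
# Hand-rolled version of the checks above (added example, not the post's or
# the plugin's code). Run it on the web server itself, because it is that
# machine's OpenSSL that will be talking to PayPal.

# Constructed sample of `openssl x509 -noout -text` output, not a real
# certificate; used only to exercise signature_algorithm_is_sha2 offline.
SAMPLE_SHA2_X509_TEXT='Certificate:
    Data:
        Version: 3 (0x2)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=example.test'
SAMPLE_SHA1_X509_TEXT='Certificate:
    Data:
        Version: 3 (0x2)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=example.test'

# Reduce an OpenSSL version string ("OpenSSL 1.0.1e-fips 11 Feb 2013",
# "0.9.8o") to one integer so versions can be compared numerically.
# The 0.9.8 series used letters as its patch level (0.9.8o, 0.9.8za):
# a=1 .. z=26, and z-prefixed pairs continue from 27. Anything that is not
# an OpenSSL version string (LibreSSL, garbage) yields 0, meaning "unknown".
openssl_version_key() {
    v=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL //; s/^\([0-9][0-9.]*[a-z]*\).*/\1/p')
    [ -n "$v" ] || { echo 0; return; }
    major=${v%%.*};    rest=${v#*.}
    minor=${rest%%.*}; rest=${rest#*.}
    fix=$(printf '%s' "$rest" | sed 's/[a-z]*$//')
    letters=$(printf '%s' "$rest" | sed 's/^[0-9]*//')
    patch=0
    while [ -n "$letters" ]; do
        c=${letters%"${letters#?}"}        # first remaining letter
        letters=${letters#?}
        patch=$((patch + $(printf '%d' "'$c") - 96))
    done
    echo $((major * 1000000 + minor * 10000 + fix * 100 + patch))
}

# True when version string $1 is at least version $2 (e.g. 0.9.8o).
openssl_at_least() {
    [ "$(openssl_version_key "$1")" -ge "$(openssl_version_key "$2")" ]
}

# True when the first "Signature Algorithm" line in `openssl x509 -text`
# output ($1) names a SHA-2 digest. That first line is the algorithm the
# issuing CA signed the certificate with, which is what the SHA-1 check
# at shaaaaaaaaaaaaa.com reports on.
signature_algorithm_is_sha2() {
    alg=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Signature Algorithm: *//p' | head -n 1)
    case "$alg" in
        sha256*|sha384*|sha512*) return 0 ;;
        ecdsa-with-SHA256|ecdsa-with-SHA384|ecdsa-with-SHA512) return 0 ;;
        *) return 1 ;;
    esac
}

# Live checks run only when invoked as:  sh paypal-sha256-check.sh check
if [ "${1:-}" = "check" ]; then
    ver=$(openssl version)
    if openssl_at_least "$ver" 0.9.8o; then
        echo "OK: $ver is 0.9.8o or newer"
    else
        echo "PROBLEM: $ver is older than 0.9.8o (or not OpenSSL); ask your host"
    fi

    # What PayPal's sandbox IPN host presents right now. -servername needs SNI
    # support, which the very old 0.9.8 builds this script hunts for may lack.
    host=ipnpb.sandbox.paypal.com
    text=$(openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
           | openssl x509 -noout -text 2>/dev/null)
    if signature_algorithm_is_sha2 "$text"; then
        echo "OK: $host presented a SHA-2 signed certificate"
    else
        echo "PROBLEM: could not fetch or parse the certificate from $host"
    fi

    # Same idea as the IPN tester plugin: post a bare verification request.
    # INVALID is the expected answer to a message with no transaction data;
    # INVALID or VERIFIED both mean the HTTPS conversation with PayPal works.
    resp=$(curl -sS --max-time 20 --data 'cmd=_notify-validate' "https://$host/cgi-bin/webscr")
    case "$resp" in
        VERIFIED|INVALID) echo "SUCCESS: IPN postback to $host answered $resp" ;;
        *) echo "FAIL: IPN postback to $host returned: ${resp:-<nothing>}" ;;
    esac
fi
```

Run it as `sh paypal-sha256-check.sh check` on the server. A PROBLEM on the first line is the case the post is warning about, and it is the host's job to fix; a FAIL on the last line with an OK first line points at something else in the path (a firewall, a proxy, or an old CA bundle) and is worth putting in the support ticket verbatim.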