Cloudflare blocking Payment Gateways access with 403

Hi there,

First time posting on the forum.

My clients website is in the process of using a new payment gateway for a Wordpress website.
The payment page after checkout, is hosted by the payment provider and on completion of payment, it does what it should and returns you to the success page with your order details.
What it isn’t doing is updating orders from pending payment to completed, as it has a 403 forbidden when it tries to access the site. This is no use as the customer and admin do not receive order details via email until the order is marked as completed, which should happen automatically.

Any suggestions within Cloudflare on adjustments to settings? Should there be an IP allowlisted for the payment provider, or should a setting be turned off?

Please check on https://dash.cloudflare.com/?to=/:account/:zone/security/events why the request was blocked.

Further steps depend on the reason for the block.

1 Like

Thanks for your response Laudian.

It doesnt seem to be listed in events. I can see other entries in there, though none relating to the payment gateway.

I wonder if it’s a hostng side or security plugin that’s blocking the process? As mentioned, it completes the payment and can be seen on the payment gateways portal, its also redirecting backc to the website after complteing the transaction, though the final part seems to be sticking, where it is not changin the status of the order to complete in Woocommerce.

1 Like

If the event doesn’t show up in Cloudflare’s events list, that is very likely.

1 Like

I’ve now allowed the IP addresses from the payment provider and I am starting to see logs in WAF for it now after test payments. Unfortunately the status of orders are staying the same in the back end of the website.

I’ve ruled out the security plugin as it has a log, which has no entries relating to this. Hosting also don’t have any blocks on it too.

Can you show those entries? We would need to know the reason for the block to offer any help.

2 Likes


Hi Laudian,

I have attached the last entry recorded if this helps.

Thanks in advance.

That’s not a block, just a skip action.

This is only logged because of your new rule, which doesn’t really do anything if Cloudflare wasn’t blocking the request in the first place.

2 Likes

Thanks Laudian.

Am I right in saying if Cloudflare was blocking it originally then it would have had a block event present in that WAF list?

Thanks in advance.

1 Like

Yes, that’s how it would be.

1 Like

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.