WooCommerce 8.5.1 issues with Web Application Firewall (ModSecurity) 

Since the release of WooCommerce 8.5.1 yesterday, we have received reports of stores getting 403 Forbidden errors. The errors are caused by Web Application Firewall (WAF) rules set up in the stores' hosting configuration, and they occur while the Order Attribution feature is enabled. We have identified a number of server configurations affected by this issue, and would like to suggest several workarounds while we work on a solution.

How can I tell if this affects me?

If you have the Order Attribution feature enabled and you also have Web Application Firewall (WAF) rules set up in your hosting configuration, you may be affected.

📝 Important: The Order Attribution feature is set to enabled by default as of 8.5.0. Check the Order Attribution feature docs to disable this if you are affected.

What action should I take?

  • Plesk already has a help article on this issue. It identifies the Comodo rule with ID 218500 as a false positive triggered when WooCommerce 8.5 is in use, and recommends disabling the rule by following the steps on their page.
  • Check with your host to see if ModSecurity is enabled. If that is the case, you may ask your host to adjust the firewall rules to allow the cookies set by Woo’s Order Attribution feature. You can find more information about the cookies used by this feature in our documentation.
  • If the above doesn’t work for you, disable the Order Attribution feature to prevent future users from seeing the 403 errors by going to WooCommerce > Settings > Advanced > Features and toggling the Order Attribution feature off.
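Before asking a host to disable or adjust a rule, it helps to confirm which rule and which request variable produced the 403s. The following is an added example, not code from WooCommerce or Plesk: it tallies ModSecurity denials for rule 218500 per site and matched variable. It assumes the Apache error-log layout written by ModSecurity 2.x; the log lines, hostnames, cookie name and the second rule ID are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines (assumed ModSecurity 2.x / Apache error-log layout).
# IPs, hostnames, file paths, the cookie name and rule 999001 are made up.
SAMPLE_LOG = """\
[Wed Jan 17 09:12:01.100000 2024] [:error] [pid 811] [client 203.0.113.7:50112] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(constructed)" at REQUEST_COOKIES:example_attr_cookie. [file "/etc/modsec/constructed.conf"] [line "31"] [id "218500"] [msg "constructed"] [hostname "shop.example"] [uri "/"] [unique_id "AAA1"]
[Wed Jan 17 09:12:04.200000 2024] [:error] [pid 811] [client 203.0.113.7:50113] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(constructed)" at REQUEST_COOKIES:example_attr_cookie. [file "/etc/modsec/constructed.conf"] [line "31"] [id "218500"] [msg "constructed"] [hostname "shop.example"] [uri "/cart/"] [unique_id "AAA2"]
[Wed Jan 17 09:13:40.300000 2024] [:error] [pid 902] [client 198.51.100.9:40100] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(constructed)" at REQUEST_COOKIES:example_attr_cookie. [file "/etc/modsec/constructed.conf"] [line "31"] [id "218500"] [msg "constructed"] [hostname "store2.example"] [uri "/"] [unique_id "AAA3"]
[Wed Jan 17 09:14:10.400000 2024] [:error] [pid 811] [client 192.0.2.44:41000] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(constructed)" at ARGS:q. [file "/etc/modsec/constructed.conf"] [line "77"] [id "999001"] [msg "constructed"] [hostname "shop.example"] [uri "/search"] [unique_id "AAA4"]
[Wed Jan 17 09:15:00.500000 2024] [core:notice] [pid 1] AH00094: Command line: 'httpd -D FOREGROUND'
"""

DENIED = re.compile(r"ModSecurity: Access denied with code (?P<code>\d{3})")
# Variable the rule matched on, e.g. REQUEST_COOKIES:<name> or ARGS:<name>.
MATCHED_AT = re.compile(r"\bat (?P<var>[A-Z_]+(?::[^\s.\]]+)?)\.")
TAG = re.compile(r'\[(?P<key>id|hostname|uri) "(?P<val>[^"]*)"\]')


def parse_denials(log_text):
    """Yield one dict per ModSecurity denial line; other log lines are skipped."""
    for line in log_text.splitlines():
        denied = DENIED.search(line)
        if not denied:
            continue
        tags = {m["key"]: m["val"] for m in TAG.finditer(line)}
        at = MATCHED_AT.search(line)
        yield {
            "code": int(denied["code"]),
            "rule_id": tags.get("id"),
            "variable": at["var"] if at else None,
            "hostname": tags.get("hostname"),
            "uri": tags.get("uri"),
        }


def summarize(log_text, rule_id="218500"):
    """Count 403 denials from one rule, grouped by (hostname, matched variable)."""
    hits = Counter()
    for d in parse_denials(log_text):
        if d["code"] == 403 and d["rule_id"] == rule_id:
            hits[(d["hostname"], d["variable"])] += 1
    return hits


if __name__ == "__main__":
    for (host, var), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {host}  {var}")
```

If every hit for the rule lands on a cookie variable, the host has the evidence needed to scope an exception to those cookies on the affected sites instead of turning the whole firewall off.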

We are currently working with the affected hosting solutions to address the root cause of the issue. We will certainly make an announcement on this blog when it is resolved.

Special thanks to these contributors for raising this issue:

11 responses to “WooCommerce 8.5.1 issues with Web Application Firewall (ModSecurity) ”

  1. I have 5 sites using WooCommerce. When I disabled the above rule ID, it worked great on 4 of them. On one site, I got a 500 internal server error and it only works if I completely turn off the firewall.

      Julia Amosova

      Thank you for confirming that the issue was resolved on 4 of your sites after adjusting the firewall settings. As for the remaining site that is giving you trouble, can you please provide us with the name of your hosting company? That can help us in resolving this further.

  2. A new ModSecurity rule set for Comodo (free) has rolled out within Plesk this morning which seems to have resolved the issue across all my affected sites.

      Julia Amosova

      This is great to know! Thank you for confirming.

  3. Hi, on my website the Order Attribution feature is enabled. But I still had problems. Now the hosting company has adjusted the firewall rules. Now the website looks OK. Can I wait for a new release from WooCommerce? Or must I take other actions?

      Julia Amosova

      Thank you for letting us know that the issue had been resolved on your site after the hosting company adjusted the firewall settings. It is great news!

      As far as the next steps, we released WooCommerce 8.5.2 today; however, it doesn’t resolve the firewall issue yet. We are still working on the solution to address the root cause of the issue. We will announce on this blog once it is resolved – please keep an eye on it. There is nothing to do in the meantime though – you seem to be all set.

      1. Hi Julia,

        Is the problem solved? So that I can update WooCommerce on my website?

  4. Again it is not possible for me to enter my website and webshop. Did the release of 8.5.2 change anything with the firewall again?
    After the release of 8.5.1 my hosting company changed something so I had access again.

  5. I’m also waiting for the fix. We are an agency and all our client websites were down due to the WooCommerce update. Now we have rolled back to WooCommerce 8.3.1 and are waiting for a version that fixes the issue.

  6. Thanks that you are still working on the solution to address the root cause of the issue.

  7. This problem came up a month ago; ever since, I have run v8.3.1 on about 200 websites we manage. How is it possible WooCommerce didn’t fix this problem yet?
