Since the release of WooCommerce 8.5.1 yesterday, we received reports about stores getting
403 Forbidden errors caused by Web Application Firewall (WAF) rules set up in their hosting configuration while the Order Attribution feature is enabled. We have identified a number of server configurations affected by this issue, and would like to suggest several workarounds while we work on a solution.
How can I tell if this affects me?
If you have the Order Attribution feature set to enabled and, you also have Web Application Firewall (WAF) rules set up in your hosting configuration, you may be affected.
📝 Important: The Order Attribution feature is set to enabled by default as of 8.5.0. Check the Order Attribution feature docs to disable this if you are affected.
What action should I take?
- Plesk already has a help article targeting this issue, identifying Comodo rule with
ID 218500being false-positively triggered when Woocommerce 8.5 is in use. They recommend disabling the rule following the steps on their page.
- Check with your host to see if ModSecurity is enabled. If that is the case, you may ask your host to adjust the firewall rules to allow the cookies set by Woo’s Order Attribution feature. You can find more information about the cookies used by this feature in our documentation.
- If the above doesn’t work for you, disable the Order Attribution feature to prevent future users from seeing the 403 errors by going to WooCommerce > Settings > Advanced > Features and toggling the Order Attribution feature off.
We are currently working with the affected hosting solutions to address the root cause of the issue. We will certainly make an announcement in this blog when it is resolved.
Special thanks to these contributors for raising this issue: