PayPal IPN Source IP Address Validation

SubscriptionBoss now features an option that allows you to verify that Instant Payment Notifications are coming from a valid PayPal server IP address. This feature is found on the plugin Settings page and can be configured during the SubscriptionBoss Six Step Setup.

[Screenshot: set up of PayPal IPN Source IP Address Validation]

Why You Might Want To Use This Security Feature

This feature is aimed at stopping one line of attack that hackers may use to compromise your website.

The hacker could be focussing on your site for any number of reasons; a personal grudge against your business; they want to fake a PayPal payment and so get your product without paying; they could be being paid to damage your business by one of your competitors; or maybe they are trying to break in just for the sake of the challenge.

The PayPal IPN Listener’s job is to listen for Instant Payment Notifications from PayPal, to acknowledge them and then to process them. A hacker could send some corrupt IPNs to your site with the idea of trying to crash your site and possibly reveal information about the system configuration that helps the hacker in targeting further attacks on the site.

If the source of the IPN is checked then there is no risk of processing a fake IPN.

How To Specify An IP Address Range

You need to enter the IP address ranges using CIDR (Classless Inter-Domain Routing) notation.

Here are a few examples of valid IP addresses and CIDR IP address ranges:

  • 101.102.103.104 – single address
  • 101.102.103.104/32 – single address
  • 101.102.103.96/28 – range of 16 addresses from 101.102.103.96 to 101.102.103.111
  • 101.102.103.0/24 – range of 256 addresses from 101.102.103.0 to 101.102.103.255
  • 101.102.0.0/16 – range of 64,000 addresses from 101.102.0.0 to 101.102.255.255
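The following is an added example of how an IPN listener can apply an allow-list written in the notation above; it is written in Python for illustration and is not the plugin's own (PHP) code. The allow-list entries, the sample source addresses and the trusted-proxy address are constructed for the example, and the function names (`parse_allow_list`, `is_allowed_source`, `effective_source_ip`, `range_bounds`) are hypothetical. It also shows two points the list above does not: an entry whose host bits do not match its prefix (for instance 101.102.103.100/28) is rejected rather than silently widened, and when the listener sits behind a reverse proxy the address to check is the one the trusted proxy reports, never a client-supplied header taken on its own.

```python
import ipaddress
from typing import Iterable, List, Optional, Tuple

# Constructed allow-list using the ranges quoted on the page (not PayPal's real addresses).
CONSTRUCTED_ALLOW_LIST = [
    "101.102.103.104",      # single address (implicit /32)
    "101.102.103.96/28",    # 16 addresses, .96 to .111
]


def parse_allow_list(entries: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Parse settings entries written as single IPv4 addresses or CIDR ranges.

    A bare address is treated as a /32. Entries are parsed strictly, so a typo
    such as "101.102.103.100/28" (host bits set) raises ValueError instead of
    quietly turning into the wider 101.102.103.96/28 range.
    """
    networks = []
    for raw in entries:
        text = raw.strip()
        if not text:
            continue
        networks.append(ipaddress.IPv4Network(text, strict=True))
    return networks


def allow_list_is_valid(entries: Iterable[str]) -> bool:
    """True if every entry parses; lets the settings page refuse a bad list up front."""
    try:
        parse_allow_list(entries)
        return True
    except ValueError:
        return False


def is_allowed_source(source_ip: str, networks: List[ipaddress.IPv4Network]) -> bool:
    """Fail closed: anything that is not a well-formed IPv4 address in the list is rejected."""
    try:
        addr = ipaddress.IPv4Address(source_ip)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def effective_source_ip(remote_addr: str, x_forwarded_for: Optional[str],
                        trusted_proxies: Iterable[str]) -> str:
    """Decide which address the allow-list is checked against.

    remote_addr is the TCP peer (REMOTE_ADDR). Only when that peer is one of our
    own trusted reverse proxies do we believe X-Forwarded-For, and then we take
    the right-most value, which is the one that proxy appended. A client talking
    to us directly can set the header to anything, so it is ignored in that case.
    """
    if remote_addr in set(trusted_proxies) and x_forwarded_for:
        return x_forwarded_for.split(",")[-1].strip()
    return remote_addr


def range_bounds(cidr: str) -> Tuple[str, str, int]:
    """Return (first address, last address, count) for a CIDR entry, for display in settings."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    return str(net.network_address), str(net.broadcast_address), net.num_addresses


def ipn_decision(remote_addr: str, x_forwarded_for: Optional[str],
                 allow_list: Iterable[str], trusted_proxies: Iterable[str] = ()) -> str:
    """Return "accept" or "reject" for an incoming IPN based solely on its source address."""
    networks = parse_allow_list(allow_list)
    source = effective_source_ip(remote_addr, x_forwarded_for, trusted_proxies)
    return "accept" if is_allowed_source(source, networks) else "reject"


if __name__ == "__main__":
    for entry in CONSTRUCTED_ALLOW_LIST:
        print(entry, "->", range_bounds(entry))
    # Constructed sample sources: inside the /28, just past its end, and a spoofed header.
    print(ipn_decision("101.102.103.111", None, CONSTRUCTED_ALLOW_LIST))
    print(ipn_decision("101.102.103.112", None, CONSTRUCTED_ALLOW_LIST))
    print(ipn_decision("198.51.100.7", "101.102.103.104", CONSTRUCTED_ALLOW_LIST))
```

A rejected IPN should be logged with the address that was actually checked, so that a legitimate PayPal server missing from the list (the situation described below) is easy to spot and add.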

Please note that there is a downside to using this feature. If PayPal adds a new server IP address that is not in your range of valid addresses AND PayPal happens to send you some IPNs from the new server, then these IPNs will be rejected (as the source is not on the list).

Therefore, if you do decide to use PayPal IPN Source IP Address Validation, periodically check the notify.paypal.com line on the PayPal Server IP addresses page for changes. You can then add any new addresses to the list of valid addresses.

Note that PayPal updated the list of IP addresses on 18th January 2021.
