Support » Plugin: WooCommerce » Stripe warning: … secret API key for Stripe publicly visible …

  • I just received a warning message from Stripe.com. The message notes:

    We’re writing to let you know that you (or someone on your team) made your secret API key for Stripe publicly visible on your site, on the following page(s): . . .

    I did not alter the .php code to expose my API secret keys. Have no idea how the listed pages – how that code was inserted / thus exposed.

    Has anyone else encountered a similar Stripe warning?

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Support Rynald0s

    (@rynald0s)

    Automattic Happiness Engineer

    Hi @souldancer!

    1. Disconnect your Stripe.com account or remove your current API keys
    2. Go to your Stripe.com account and roll your Test and Live keys as per https://stripe.com/docs/keys#rolling-keys
    3. Enter these new keys in the correct input fields on the Stripe extension settings page of your site.

    Please let us know if that helps.

    Cheers!

    Aloha Rynald0s, thanks for the assist. I followed your steps the second I received Stripe’s warning email. What remains a mystery is how that code (to include my API key) was accessed – and then – inserted into WordPress generated pages. This is the first time in five years I’ve encountered this kind of event.

    Plugin Support Rynald0s

    (@rynald0s)

    Automattic Happiness Engineer

    Hi @souldancer!

    “What remains a mystery is how that code (to include my API key) was accessed – and then – inserted into WordPress generated pages.”

    I wish I had an answer for that.

    Do you have any other developers working on the site? Anyone else that has access that may have made some changes?

    Have you scanned for security issues? If not, you can use something like https://wordpress.org/plugins/sucuri-scanner/ for that, to make sure there isn’t or wasn’t a breach of some sort.

    Cheers!

    Aloha Rynald0s,

    The only admin access to the site in question is me. Thanks for the plugin suggestion. Downloaded and installed sucuri-scanner. Scan found a malware issue. No other issues found.

    Since I wrote last, all the sites I host on my GoDaddy multi-site hosting platform now have the same malware. GoDaddy places the resolution solely on me. I lack the understanding why GoDaddy’s servers don’t block malware attacks like this.

    The mystery continues. Thanks again for all your insights and suggestions!
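
Added example, not part of the original thread and not WooCommerce or Stripe code: once the keys have been rolled as in the steps above, a check like this over each page's served HTML confirms that no Stripe secret (`sk_`) or restricted (`rk_`) key is still exposed, and reports hits redacted. The URLs, sample HTML and keys are constructed, and the 16-character minimum key body is an assumption.

```python
import re

# Stripe secret keys start with sk_live_/sk_test_, restricted keys with rk_.
# Publishable pk_ keys are meant to appear in page source and are not matched.
# The minimum body length of 16 is an assumption to limit false positives.
SECRET_KEY_RE = re.compile(r"(?<![A-Za-z0-9_])(sk|rk)_(live|test)_[A-Za-z0-9]{16,}")

def redact(key):
    """Keep the prefix and last 4 characters so the report does not re-leak the key."""
    head = key.index("_", 3) + 1          # end of "sk_live_" / "rk_test_"
    return key[:head] + "*" * (len(key) - head - 4) + key[-4:]

def scan_page(url, html):
    """Return one finding per secret/restricted key found in the rendered HTML."""
    findings = []
    for lineno, line in enumerate(html.splitlines(), start=1):
        for m in SECRET_KEY_RE.finditer(line):
            findings.append({
                "url": url,
                "line": lineno,
                "kind": "restricted" if m.group(1) == "rk" else "secret",
                "mode": m.group(2),
                "key": redact(m.group(0)),
            })
    return findings

def scan_site(pages):
    """pages maps URL -> HTML body as served to an anonymous visitor."""
    return [f for url, html in pages.items() for f in scan_page(url, html)]

# Constructed sample input: fake keys assembled at runtime, not real credentials.
FAKE_SECRET = "sk_live_" + "A1b2C3d4E5f6G7h8" + "Zz99"
FAKE_PUBLISHABLE = "pk_live_" + "Q" * 24
SAMPLE_PAGES = {
    "https://shop.example/checkout/": (
        "<html><body>\n"
        f"<script>var params = {{\"key\": \"{FAKE_PUBLISHABLE}\"}};</script>\n"
        f"<script>var cfg = {{\"secret\": \"{FAKE_SECRET}\"}};</script>\n"
        "</body></html>"
    ),
    "https://shop.example/about/": "<html><body><p>About us</p></body></html>",
}

if __name__ == "__main__":
    for f in scan_site(SAMPLE_PAGES):
        print(f"{f['url']} line {f['line']}: {f['kind']} {f['mode']} key {f['key']}")
```

A hit that persists after the keys were rolled means the new key is being written into page output again, so the injected code is still present.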
