PayPal has announced several security updates set to roll out in 2016 which will impact sites using PayPal gateways. This post covers the TLS 1.2 and HTTP/1.1 upgrade scheduled for June 17, 2016. If all actors involved (your host, WordPress, Paid Memberships Pro, and PayPal) update before June (we plan to), you should experience no disruption in your service. However, if you are using the PayPal sandbox environment now or otherwise want to make sure your host and website are ready, please review the content below.

We’ve outlined the steps to take now to ensure compatibility and avoid a disruption of service.


Note: The contents of this post are highly technical and should be reviewed by your web hosting company and an experienced web developer.

About the TLS 1.2 and HTTP/1.1 Upgrade

PayPal is upgrading the protocols used to secure all external connections made to their system. This includes every connection your site makes with PayPal (onsite or offsite Membership Checkout and via IPN). TLS 1.2 and HTTP/1.1 will become mandatory for communication with PayPal on June 17, 2016.

The latest versions of Paid Memberships Pro have already been updated to use HTTP 1.1 in its API calls to PayPal. However, your server still needs to be updated to use TLS 1.2 for SSL communication.

If your server does not support TLS 1.2 and HTTP/1.1, payments processed via PayPal gateways (PayPal Express, PayPal Standard, and PayPal Website Payments Pro) will fail. You may notice the following error message after clicking to checkout at PayPal:

methodName_ failed: SSL connect error

In addition to this PayPal security update, WordPress also needs to be updated to specify the SSLVERSION for cURL to support PayPal Express moving to TLS 1.2.


Verify Support for TLS 1.2 and HTTP/1.1 With Your Webhost

To avoid disruption in service, you must first verify if your web server supports these security protocols. Contact your web host and find out if your server supports TLS 1.2 and HTTP/1.1. If the answer is no, you will need to work with your web host to enable support. In general, the host only needs to “upgrade OpenSSL to the latest stable version”.


Specify the SSLVERSION for cURL in your WordPress Site

After verifying that your server supports TLS 1.2 and HTTP/1.1, you will also need to make an update to your WordPress site to set an SSLVERSION for cURL (a tool on your server that transfers data from or to a server, using one of the supported protocols). For your site to continue to be able to communicate with PayPal, you need to set your version of cURL to explicitly use the TLS 1.2 protocol. Setting this version prior to PayPal’s TLS 1.2 rollout should not impact current communications with PayPal.

Here’s a code gist for setting the SSLVERSION for cURL that we will continue to develop and improve over time. Copy this code into your active theme’s functions.php file or a custom plugin.

Note: This or some version of this code will be moved in Paid Memberships Pro core or WordPress core prior to the security update in June. The above code gist is only needed if you need to use PMPro with PayPal in sandbox mode in the meantime or if you want to be sure your site will be ready before the updates roll out in the coming months.

Test Checkout via the PayPal Sandbox

The PayPal Sandbox endpoints have already been configured with the latest security standards to which the Production endpoints will be moving.

You can set your Payment Gateway in Paid Memberships Pro to the PayPal Testing/Sandbox Mode to verify support prior to the security release on July 17. See this post on PayPal Sandbox with Paid Memberships Pro »


1. This is *massively* frustrating. I buy software to solve these things – not multiply them. Why are you foisting these problems onto your paying customers? Why don’t you fix this crap with an upgrade?

2. I followed the top two items sufficiently to open a support ticket with my host and try to insure we’re compliant. However, the third item makes ZERO SENSE – to me or anyone I can find. The headline reads: “Specify the SSLVERSION for cURL in your WordPress Site”

A search of the entire server shows no file named “my_http_api_curl.php”.

So, precisely WHERE “IN MY WORDPRESS SITE” is this steaming pile of code supposed to be?

Am I supposed to EDIT some existing code in some other file?

Am I supposed to insert the code from above? If so, into WHICH file – because the file name referenced is non-existent.

This is seriously aggravating / angry-making after paying for a product to have this kind of “you’re on your own with a bag of jargon” crap.

You do realize that if this inscrutable nonsense renders your software non-functional that the blow-back isn’t going to be pretty?

How about some *ACTUAL* help- doing what looks like a repair of the software I purchased as something that won’t fall apart?

Seriously pissed-off.

Sorry that we had to get technical here. These issues affect a few different players and who needs to fix what isn’t always so clear. If all goes well, everyone involved (including us) will have our updates out by June and you won’t notice anything. However, we wanted to give everyone a heads up (especially since users using the PayPal sandbox will potentially see errors) so the information is out there.

To be clear, unless you are testing against the PayPal sandbox and receiving errors, you can sit back and wait for us or WordPress to include that final fix in our core software. You’ll be able to update and things will work as long as your host has updated as well.

Hi jason,
I can only assume this is why my site is no longer accepting payments after the 1.8.8 upgrade.

There are a few tickets on the WordPress “Core Trac” around this issue. They should have a fix in the next release of WP. If they don’t in time, we’ll have something in PMPro.

p.s. I realize now how scary the original article is and have added some language to the post to make it clear that most users should just be able to wait for updates, but if you want to be proactive you can look into the steps above.

[snipped – I read it. Thanks for having our back.]

@Jason, thanks for the detailed info here and in your follow-up post – I’ve been following some of this on the WP tix side, sounds like they can’t make up their minds yet…it’s unfortunate as this is going to affect a LOT of plugins.

Reference: https://core.trac.wordpress.org/ticket/36320

Leave a Reply

Your email address will not be published. Required fields are marked *