[Defender] WP Defender is messing up with Wishlist Member new members creation


I had a problem on my website Labo.Marketing. On this website, I sell a subscription product. My members pay using the ThriveCart shopping cart and are then added automatically as new members in the Wishlist Member plugin (due to an integration between ThriveCart and Wishlist Member).

In theory, that's how it's supposed to work. The member pay and is automatically and seamlessly added as a new member in Wishlist. However, after doing some testing I realized it wasn't working.

After contacting both Wishlist Member and ThriveCart support and doing a plugin test, it was revealed that WP Defender is the plugin causing the problem :

When WP Defender is activated, and a new member purchase, simply nothing happen related to wishlist (no new member created).

The Wishlist member team told me that some security plugins are messing up with the Wishlist Member's API.

I had to deactivate WP Defender to proceed with my launch.

Now obviously that's only a short term solution, cause I don't want my website less secure because I had to deactivate Defender because it messes up with my membership creation process.

Also, since Wishlist Member is one of the most popular membership plugin out there, I thought you'd want to know and fix the incompatibility as quickly as possible.

Please let me know how I can solve the problem (or what you need me to give/tell you), so both plugins can work properly together.


  • DJExp
    • The Incredible Code Injector

    Hi Predrag,

    The issue stopped happening as soon as Defender was deactivated, that's all I can tell you. I'd rather avoid to a whole registration test for each options and tweaks, it would take quite a long time that I don't have (also, most tweaks stay active even though Defender is deactivated, if I'm not mistaken).

    However, the support from Wishlist Member sent me quite a thorough answer, so let me copy and paste the pertinent parts below, so hopefully it can help you understand what could cause the problem :

    As you know, WLM installed on your site has REST API capability so that other system can tap on your site to add a level, member etc. Whenever an API request is made to your site, it will reply with a serialized string to the other party. Normally, the string should only be the serialized string but in your case, some hidden characters are added before the serialized string. Example, instead of "a:2:{s:7:"success";i:1;s:4:"lock";s:32:"e767b940e8db405c996c42cc6e6670f2";}" it returns "BB%RBFF%a:2:{s:7:"success";i:1;s:4:"lock";s:32:"e767b940e8db405c996c42cc6e6670f2";}". This cause the issue because the string cannot be read by the requestor.

    To prevent this type of issue in the future, we cleared the output buffer first before returning the result for all WLM API requests output.

    We were not able to identify the cause of the issue whether its a plugin or server settings. This is the first time we encountered it and given the sensitivity of the situation we were not able to dig much deeper into it. Rest assured that the fix will work for whatever cause the issue.

    and :

    WP Defender and other security plugins has settings that may have blocked API requests to your site. You may need to whitelist or add to exceptions request to your site that starts with this string "https://labo.marketing/?/wlmapi/2.0/*" or Thrivecart's server itself, whatever option is available.

    Is there a way to do that in Defender ?

    Also, based on these informations, are you able to more accurately guess what part of Defender could cause the problem, so I can do only one test or a few instead of a dozen?

    Thanks a lot for your valuable help,


  • DJExp
    • The Incredible Code Injector

    P.S : I also got some additional informations from the ThriveCart (my shopping carg that integrates actually creates the new member after payment using the Wishlist Member API), here's what they say about the issue :

    Yes, security plugins can impact connectivity between services. Typically they block traffic of specific types being received by the website. ThriveCart uses Amazon AWS to send data to your site to create your customer's membership. So if you have a security plugin install which is set to disable data from here, this will prevent the customer from being created.

    I've not personally used WP Defender, but they should support the ability to whitelist URLs. You can then whitelist the Wishlist API URL so that our data isn't blocked. Most security plugins also have logging built in so they can track failed attempts, they may even support the ability to exclude us. But again you'd best check with WPMU directly regarding features of their plugin.

    Hope this helps. Please let me know if there is a way to keep Defender while having my payment/member creation system still operationnal.


Thank NAME, for their help.

Let NAME know exactly why they deserved these points.

Gift a custom amount of points.