I received one of those scary messages from PayPal today - 'Instant Payment Notifications sent to the following URL(s) are failing:'
I did some searching and found plenty of discussion here in wpmudev but nothing quite like the issue I had. After half an hour or so of digging and head scratching I found the cause - and it's one which may well affect other bloggers.
I checked the IPN log on PayPal and in my case it was showing a 404 error on the paymentreturn/paypalexpress URL. I browsed to the page and this also produced a 404 error.
Anyway, to cut a longish story short the culprit was the Better Wordpress Security plugin. For me the plugin is an essential security tool that does a particularly good job of keeping the bad guys away. The specific cause was a line that BWS adds to the .htaccess file:
# BEGIN Better WP Security
The -Indexes setting in .htaccess is useful because it prevents directories that have no index.php or index.html from being viewed from the web. This messes with the IPN URL as well though as the IPN URL is (I assume) something akin to a permalink and the -Indexes is seeing it like a directory with no index.php|html file in it.
When I removed the -Indexes setting, the IPN URL was browseable and showing the expected 'missing POST variables' message.
Anyways, I hope this saves someone some head scratching at some time in the future.