How to fix HTTP Errors in Infusionsoft HTTP POST

Web Server responses are divided into groups, 200-299, 300-399, 400-499, 500-599, etc. Each group is a related family of responses, 200 responses are normal, 300 are redirects, 400 are access denied or client errors, 500 are server errors, etc.

If you are receiving a 300 or 400 series error, then the HTTP POST from Infusionsoft is being blocked before Memberium can receive it. These errors are usually easily fixable, and we’ll walk through them below.

If you are receiving a 500 error, then the HTTP POST from Infusionsoft is being received, but something is causing a server crash and it will require some investigation. Contact us at Support with the details of how to reproduce the error.

We’ll go through the common errors below in order, and touch on how to solve them. The most common sources of errors are:

300 Errors

When you run across a 300 error, it means that the page that the HTTP POST is being made to is being redirected to another page. Infusionsoft’s HTTP POST system is fairly simple and unlike most systems cannot do redirects. If it runs into a redirect it will simply error and stop rather than going to the new URL. There are two main 300 errors, and you may run into either one; the differences between them are very subtle and unimportant for the purposes of solving this problem, and you can essentially treat them the same.

301 Moved Permanently or 302 Found / Moved Temporarily

This error is most often cause by one of two situations:

HTTP POST URL is Protected

If you are HTTP POSTing to a page that is protected, then you will need to find an unprotected page on your site to send the HTTP POST to. Any WordPress page or post URL will work equally well. We only use the homepage in our examples because it is the only page URL that we know exists.

HTTP POST URL is http:// on an https:// site

If you are HTTP POSTing to an http:// URL on an https:// site then you may have an .htaccess file, server configuration setting or script sending redirects to the secure URL. The solution to this is to change your HTTP POST URL to be https://

Unfortunately, Infusionsoft has compatibility issues with some SSL setups and may not be able to POST successfully to your URL either due to an incompatibility with your certificate issuer, or your server configuration.

We’ve seen errors such as: SSLHandshakeException: PKIX path building failed: unable to find valid certification path to requested target

Memberium has no control over what SSL certificates Infusionsoft / Keap will accept and they won’t provide us a list of trusted certificate providers that we can share with customers like yourself.

In these cases, we recommend LetsEncrypt. We use those on our own staging and development sites, they’re free, and most any decent web host will have built-in support for them. We’ve not experienced any issues with certificates and HTTP POSTs.

400 Errors

When doing an HTTP POST with Infusionsoft, Infusionsoft is the “client”, and your WordPress web host is the “server” If you are attempting to do an HTTP POST from Infusionsoft to your website and are running into a 400 series error, this almost always and without exception caused by a security setting on your web host or WordPress site.

401 Unauthorized

This error happens when your site or page requires “Basic Authentication” or “Basic Auth” and requires an extra username/password to access the URL. This is most commonly a setting on your web host or in a .htaccess file. It may also be generated by a plugin. It is often done when a site is under development to prevent people from viewing it. If you go to the URL in a new browser, you may see a dialog box like this come up:

Basic Authentication Dialog

If you don’t see the dialog then the restriction may be IP address based. In any case, you’ll need to either whitelist Infusionsoft’s IP address block, or disable the Basic Auth in order for the HTTP POST to be passed on to WordPress and Memberium for processing.

403 Forbidden

This error is similar to a 401 error, but the error happens when a client is not allowed to access the URL. If you’re running into this error then this is most likely a security plugin, or a security setting on your web host such as .htaccess. If it’s being generated by a security plugin, then you’ll either need to configure the security plugin to allow Infusionsoft to POST, or switch to a different plugin.

Infusionsoft no longer send HTTP posts from their static ip address. Previously, it was possible to whitelist traffic from this IP Address knowing it was coming from Infusionsoft. Currently, HTTP POST’s can be sent from a vide range of IP’s, which is why whitelisting IP won’t work.

Instead of using IP Addresses for the whitelist, you should use the User-Agent to check for Infusionsoft. Basically, check if HTTP POST header data has “Infusionsoft” (without quotes) as the User-agent.

User-Agent is a field that’s included in the HTTP POST Header. HTTP Post Header contains details about the post, such as IP address post sent from/server info/client info (the raw body contains the details of the post such as contact ID/email etc).

Screenshot of a HTTP POST header data from a test HTTP POST

In order to set up the User-agent whitelist, you will need to reach out to your web hosting provider directly on how to set this up or reach out to security plugin developer/support on how to whitelist User-agent (in case you use security plugin).

In case you use Cloudflare, you shold be able to whitelist User-agent, since they already have a way of doing that:

Whitelisting User-agent in Cloudflare

404 Not Found

Most people are familiar with this error, and it simply means that no page is at the URL. If you’re getting this error in your HTTP POST, first check to make sure that the page you’re POSTing to exists. If the page exists and you’re getting this error then it is most likely a plugin or setting on your web host that is blocking the page from being accessed in a manner similar to a 403 error.

405 Method Not Allowed

This error is caused when your web host is configured to not allow HTTP POSTs to the URL, and only allows HTTP GET’s such as a regular web browser. This is most commonly caused by a setting in your .htaccess file.

Web Host Configuration


These files are usually found in the top level folder of your site and contain configuration information for your Apache web server. They usually contain a few standard lines of code for WordPress. Other plugins may add many more configuration settings here for caching or security. iThemes Security is notorious for permanently altering your .htaccess file and leaving it’s settings in place even after removal. If you have issues with your .htaccess file you may need to consult with your web host for assistance.

Security Plugins

There are a number of security plugins for WordPress that you may have installed on your site. This list includes, but is not limited to Sucuri, WordFence, and iThemes Security.

The first step is to disable all security plugins.

The second step is to examine your .htaccess file and look for configuration options that would block or redirect POSTs. iThemes Security for example does this, and leaves it’s security restrictions permanently in place even if you disable the plugin. You may have settings in here even if you have only run iThemes Security once, long ago.

The third step is to do a test HTTP POST and see if it succeeds:

If it does not succeed then there is a server configuration issue and you’ll need to contact your web host for assistance.

If the HTTP POST does succeed, then one of the plugins you disabled is blocking the HTTP POST. You’ll next want to turn on your plugins one-by-one, and re-test the HTTP POST each time until it fails again. Once it fails, you’ve found a problem plugin.

(Please refer to the “403 Forbidden” above regarding whitelist) Check your plugin’s settings for an IP Whitelist feature. If your plugin is missing this feature please contact the plugin authors and request it. If your plugin does support this feature, then you’ll want to whitelist the following IP ranges

An alternate format would be:


For iThemes Security, you’ll need to go to iThemes Security > Settings > Lockout White List, and add the above IP addresses. You’ll also need to go to iThemes security > Settings > Banned Users and uncheck the “Enable’s Blacklist Feature”. Be sure to save your changes when done.

Screen Shot 2014-09-01 at 3.42.41 PM

Once you’ve updated your plugin settings, re-try sending your HTTP POST. Verify that it’s working successfully before proceeding to the next plugin.

If your security plugin lacks any configuration features and the author is unresponsive or unhelpful, then we’d suggest trying one of the other security plugins listed above instead.

If you’re stuck or would like help, please contact Support so that we can help!

  • Was this Helpful?
  • YesNo
9 ways to add more value to your membership site

Table of Contents

Keep Reading

Memberium AutoLogin

This feature enables you to provide a link for your users to click that will automatically log them into your site without requiring them to enter their username and password. After you enter your autologin auth key and save your settings, Memberium will create example links and display them at the bottom of the Memberium > Settings > HTTP post/links page. You can copy these autologin URL’s into your email template, and edit the URL of the redirect page to reflect where you’d like your members to arrive to. Memberium also provides an example autologin link to use with Order Forms and Web Forms. Autologin links all use the same kinds of parameters, but depending on what you want to do, and where your user is linking from, you will use some parameters but not others.

Read More »

Want to get some fresh ideas on how you can improve your membership site or course?

Download our free ebook!

Book a Call

Welcome to Memberium!

We are very excited for you to be part of our family. 

We would love to answer any questions that you have!

Please choose the best time for you to get in a call with us. 

For Technical Support, you can contact us at or Email us at