Yep, I understand your concern.
Let me address everything in detail for you...
First of all, understand that both the APM developer and DAP developer are mostly full of BS. They both gave stupid responses.
When a developer feeds customers wrong (or even mostly-wrong) info, I lose respect for them. Their knowledge is suspect.
SHA-256 (part of SHA-2) is a balance between
- certificate authorities (CAs aka issuers of SSL) and their certificates
- and the scripts/apps in use
Your server is cPanel-based, thus the server supports it, and has for quite some time now (2014). Also realize that 256 is just a SHA-2 minimum. Current cPanel 11.50.x+ servers support SHA-2's SHA-384 and SHA-512 as well.
See also: https://features.cpanel.net/topic/ge...ate-sha-1-csrs
So your server is fine.
But that's only part of the issue. Again:
1. Does the script support it?
Given the lousy response from the WordPress plugin developer, who knows? (Remember that WordPress plugins, even paid ones, are often coded by amateurs, and not companies with better/formal coding practices. The entire reason I've posted this email in the forum is to shame that developer for giving a stupid answer. I get rather tired of lazy half-wit so-called 'developers' that always give knee-jerk "It's the server's/host's fault" as a response to anything asked.)
2. Do both the SSL CA issuer -and- the SSL cert support it?
I'm not aware of any CA that does not support it. If your cert is old, simply reissue it. Note that some CAs may have certs that only carry SHA-1, and to get SHA-2, you'll have to pay for a more expensive SSL (which can be used as SSL or SNI in cPanel). I'm not up-to-date on what CAs are doing, so you may need to further scrutinize your own site certs. You can use this tool: https://www.ssllabs.com/
3. Does the person's browser support it?
If somebody is using an outdated browser, the person visiting the site is SOL. Nothing can be done. He/she must upgrade. For example, IE6 on Windows XP is a no-no.
All this said, from my understanding, this only applies to PayPal transactions occurring from your own domain.
If your domain transfers them over to https://www.paypal.com for the actual transaction, then there's nothing that you need to do. PayPal's scary emails seemingly went out to everybody processing a payment, and not just those using the "Pro" version of IPN.
So if not using payment on site (your own domain appears in the URL bar), then this is all non-applicable anyway.
Sometimes owning a site is overly complicated for no reason.
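
Added example (not part of the original post): a standard-library Python check that reads the signature algorithm OID out of a DER-encoded certificate and reports whether the cert is signed with SHA-1 or a SHA-2 hash, which is what point 2 above asks you to verify. The `sample_cert` skeletons are constructed for illustration and are not real certificates; all function names are this example's own.

```python
SIG_HASH = {  # signatureAlgorithm OID -> hash used in the issuer's signature
    "1.2.840.113549.1.1.4": "MD5", "1.2.840.113549.1.1.5": "SHA-1",
    "1.2.840.113549.1.1.11": "SHA-256", "1.2.840.113549.1.1.12": "SHA-384",
    "1.2.840.113549.1.1.13": "SHA-512", "1.2.840.10045.4.1": "SHA-1",
    "1.2.840.10045.4.3.2": "SHA-256", "1.2.840.10045.4.3.3": "SHA-384",
    "1.2.840.10045.4.3.4": "SHA-512",
}

def read_tlv(buf, pos):
    """Parse one DER tag/length header; return (tag, value_start, value_end)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:                       # short-form length
        length = first
    else:                                  # long-form: low 7 bits = number of length bytes
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def decode_oid(body):
    """Decode the content bytes of an OBJECT IDENTIFIER into dotted form."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)      # base-128, high bit marks continuation
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def cert_signature_hash(der):
    """Return (oid, hash_name) from Certificate.signatureAlgorithm."""
    _, body, _ = read_tlv(der, 0)          # outer Certificate SEQUENCE
    _, _, tbs_end = read_tlv(der, body)    # skip tbsCertificate
    _, alg, _ = read_tlv(der, tbs_end)     # signatureAlgorithm SEQUENCE
    tag, start, end = read_tlv(der, alg)
    if tag != 0x06:
        raise ValueError("expected an OID in signatureAlgorithm")
    oid = decode_oid(der[start:end])
    return oid, SIG_HASH.get(oid, "unknown")

def der_tlv(tag, body):                    # encoder used only to build the samples (< 256 bytes)
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x81, n])) + body

RSA_PREFIX = bytes.fromhex("2a864886f70d0101")  # 1.2.840.113549.1.1.*
def sample_cert(oid_body):                 # constructed skeleton, NOT a real certificate
    alg = der_tlv(0x30, der_tlv(0x06, oid_body) + b"\x05\x00")
    return der_tlv(0x30, der_tlv(0x30, bytes(200)) + alg + der_tlv(0x03, bytes(17)))

if __name__ == "__main__":
    for last in (b"\x05", b"\x0b"):
        print(cert_signature_hash(sample_cert(RSA_PREFIX + last)))
```

For a real certificate, convert the PEM text with `ssl.PEM_cert_to_DER_cert()` from the standard library and pass the resulting bytes to `cert_signature_hash`.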