Integrating a Third-Party Payment Gateway into a WordPress Plugin

Hassan Tahir

Last edited on April 30, 2025

Integrating a Third-Party Payment Gateway effectively into WordPress plugins for selling digital products is essential. This guide demonstrates all the important procedures, starting with gateway selection and ending with complex security protocols and compliance standards. Your knowledge of developing payment plugins will help you reach a point of understanding how to build secure systems that scale and offer user-friendly features.

Table of Contents

1. Choosing the Right Payment Gateway

Key Factors to Consider

Supported Features: Ensure the gateway supports digital products, subscriptions, and refunds.
Global Reach: Does it support multiple currencies and regions (e.g., Stripe vs. PayPal)?
API Documentation: Look for clear, well-maintained documentation with code samples.
Fees: Compare transaction fees (e.g., Stripe charges 2.9% + $0.30 per transaction).
PCI Compliance: Opt for gateways that minimize your PCI-DSS scope (e.g., Stripe.js for tokenization).

Popular Payment Gateways

Stripe: Developer-friendly with robust APIs, ideal for subscriptions and global payments.
PayPal: Supports one-time and recurring payments but requires PayPal accounts for some flows.
Square: Simple pricing and easy setup for small businesses.
Authorize.Net: Enterprise-grade solution with advanced fraud detection.

2. Setting Up a Secure Environment

Step 1: Enforce HTTPS

All payment-related traffic must use HTTPS. Use Really Simple SSL to redirect HTTP to HTTPS:

// In wp-config.php  

define('FORCE_SSL_ADMIN', true);

Step 2: Securely Store API Keys

Never hardcode API keys. Use environment variables or encrypted database storage.

Example: Encrypting Stripe Keys

// In wp-config.php

define('STRIPE_SECRET_KEY', 'sk_test_...');  

define('STRIPE_WEBHOOK_SECRET', 'whsec_...');  

// Encrypt keys before saving to the database  

$encrypted_key = openssl_encrypt(STRIPE_SECRET_KEY, 'AES-256-CBC', SECURE_AUTH_KEY);  

update_option('stripe_encrypted_secret', $encrypted_key);

Step 3: Tokenization

Use client-side tokenization to avoid handling raw credit card data. For Stripe:

// Frontend: Create a Stripe Elements form  

const stripe = Stripe('pk_test_...');  

const elements = stripe.elements();  

const cardElement = elements.create('card');  

cardElement.mount('#card-element');  

// On form submission  

stripe.createToken(cardElement).then(function(result) {  

    if (result.error) {  

        alert(result.error.message);  

    } else {  

        // Send token to server  

        jQuery.post('/wp-admin/admin-ajax.php', {  

            action: 'process_payment',  

            stripe_token: result.token.id  

        });  

    }  

});

3. API Communication and Server-Side Processing

Step 1: Server-Side Payment Processing

Use wp_remote_post() to interact with the payment gateway’s API.

Example: Stripe Charge Request

function process_payment() {  

    $stripe_secret = defined('STRIPE_SECRET_KEY') ? STRIPE_SECRET_KEY : get_option('stripe_secret_key');  

    $token = sanitize_text_field($_POST['stripe_token']);  

    $amount = absint($_POST['amount']); // In cents  

    $response = wp_remote_post('https://api.stripe.com/v1/charges', [  

        'headers' => [  

            'Authorization' => 'Bearer ' . $stripe_secret,  

            'Content-Type'  => 'application/x-www-form-urlencoded',  

        ],  

        'body' => [  

            'amount'      => $amount,  

            'currency'    => 'usd',  

            'source'      => $token,  

            'description' => sanitize_text_field($_POST['product_name']),  

        ],  

    ]);  

    // Handle response (covered in Section 4)  

}

add_action('wp_ajax_process_payment', 'process_payment');  

add_action('wp_ajax_nopriv_process_payment', 'process_payment');

Step 2: Input Validation

Sanitize and validate all user inputs:

$email = sanitize_email($_POST['email']);  

$product_id = absint($_POST['product_id']);  

$currency = sanitize_text_field($_POST['currency']);

4. Advanced Error Handling and Logging

Step 1: Graceful Error Responses

Handle API errors, timeouts, and invalid responses:

if (is_wp_error($response)) {  

    error_log('Payment API error: ' . $response->get_error_message());  

    wp_send_json_error([  

        'message' => 'Payment gateway unreachable. Please try again.'  

    ]);  

} else {  

    $body = json_decode(wp_remote_retrieve_body($response), true);  

    if (isset($body['error'])) {  

        error_log('Stripe error: ' . $body['error']['message']);  

        wp_send_json_error(['message' => $body['error']['message']]);  

    } else {  

        // Save transaction ID to database  

        global $wpdb;  

        $wpdb->insert('wp_transactions', [  

            'transaction_id' => sanitize_text_field($body['id']),  

            'amount'         => $body['amount'] / 100,  

            'status'         => 'completed'  

        ]);  

        wp_send_json_success(['receipt_url' => $body['receipt_url']]);  

    }  

}

Step 2: Logging and Monitoring

Use Query Monitor or custom logging to track errors:

function log_payment_error($error, $context = []) {  

    if (WP_DEBUG_LOG) {  

        error_log('[Payment Error] ' . $error . ' | Context: ' . print_r($context, true));  

    }  

}  

// Example usage  

log_payment_error('Invalid currency', ['currency' => $_POST['currency']]);

Step 3: Fallback Mechanisms

Offer alternative payment methods if the primary gateway fails:

if ($gateway_unreachable) {  

    wp_send_json_error([  

        'message' => 'Stripe is unavailable. Please try PayPal.',  

        'fallback' => [  

            'url' => 'https://paypal.com/checkout',  

            'method' => 'paypal'  

        ]  

    ]);  

}

5. Security Best Practices

Practice 1: Rate Limiting

Prevent brute-force attacks by limiting payment attempts:

$user_ip = $_SERVER['REMOTE_ADDR'];  

$transient_key = 'payment_attempts_' . $user_ip;  

$attempts = get_transient($transient_key) ?: 0;  

if ($attempts >= 5) {  

    wp_send_json_error(['message' => 'Too many attempts. Try again in 1 hour.']);  

} else {  

    set_transient($transient_key, $attempts + 1, HOUR_IN_SECONDS);  

}

Practice 2: Nonces for CSRF Protection

Add nonces to payment forms:

// Frontend  

wp_nonce_field('process_payment_nonce', 'payment_nonce');  

// Backend  

if (!wp_verify_nonce($_POST['payment_nonce'], 'process_payment_nonce')) {  

    wp_send_json_error(['message' => 'Invalid request.']);  

}

Practice 3: Regular Security Audits

Use tools like WPScan to check for vulnerabilities and update dependencies.

6. PCI-DSS Compliance and Fraud Prevention

Reducing PCI Scope

Tokenization: Use Stripe.js or PayPal Smart Buttons to avoid handling raw card data.
Hosted Payment Pages: Redirect users to the gateway’s page (e.g., PayPal).

Fraud Detection Tools

Stripe Radar: Machine learning-based fraud detection.
Sift: Real-time risk scoring.

Example: Enabling Stripe Radar

$response = wp_remote_post('https://api.stripe.com/v1/charges', [  

    'headers' => ['Authorization' => 'Bearer ' . STRIPE_SECRET_KEY],  

    'body' => [  

        'amount' => 1000,  

        'currency' => 'usd',  

        'source' => $token,  

        'radar_options' => ['enable_risk_actions' => 'true']  

    ]  

]);

7. Webhooks for Asynchronous Processing

Step 1: Setting Up Webhooks

Create a custom REST API endpoint for webhooks:

add_action('rest_api_init', function() {  

    register_rest_route('payment/v1', '/stripe-webhook', [  

        'methods' => 'POST',  

        'callback' => 'handle_stripe_webhook',  

        'permission_callback' => '__return_true'  

    ]);  

});  

function handle_stripe_webhook(WP_REST_Request $request) {  

    $payload = $request->get_body();  

    $sig_header = $request->get_header('stripe-signature');  

    try {  

        $event = \Stripe\Webhook::constructEvent(  

            $payload,  

            $sig_header,  

            STRIPE_WEBHOOK_SECRET  

        );  

        switch ($event->type) {  

            case 'payment_intent.succeeded':  

                // Update order status  

                break;  

            case 'charge.refunded':  

                // Process refund  

                break;  

        }  

        return new WP_REST_Response('Webhook processed', 200);  

    } catch (Exception $e) {  

        error_log('Webhook error: ' . $e->getMessage());  

        return new WP_Error('invalid_signature', 'Invalid signature', ['status' => 403]);  

    }  

}

8. Localization and Multi-Currency Support

Step 1: Currency Formatting

Use number_format_i18n() to format prices based on the user’s locale:

$price = 1000; // In cents  

$formatted_price = number_format_i18n($price / 100, 2);  

echo get_woocommerce_currency_symbol() . $formatted_price;

Step 2: Geolocation

Detect the user country and set the currency dynamically:

$geo = new WC_Geolocation();  

$country = $geo->geolocate_ip($_SERVER['REMOTE_ADDR'])['country'];  

$currency = ($country === 'GB') ? 'GBP' : 'USD';

9. Subscription Management

Step 1: Recurring Payments with Stripe

Create a subscription using Stripe API:

$response = wp_remote_post('https://api.stripe.com/v1/subscriptions', [  

    'headers' => ['Authorization' => 'Bearer ' . STRIPE_SECRET_KEY],  

    'body' => [  

        'customer' => $customer_id,  

        'items' => [['price' => 'price_12345']]  

    ]  

]);

Step 2: Handling Cancellations

Use webhooks to detect subscription cancellations and update your database:

case 'customer.subscription.deleted':  

    $subscription_id = $event->data->object->id;  

    $wpdb->update('wp_subscriptions', ['status' => 'canceled'], ['stripe_id' => $subscription_id]);  

    break;

10. Testing and Debugging

Step 1: Simulating Edge Cases

Failed Payments: Use test cards like 4000000000000002 (Stripe’s “payment failed” card).
Network Errors: Disable the internet temporarily to test timeouts.

Step 2: Automated Testing

Write PHPUnit tests for critical flows:

public function test_payment_success() {  

    $_POST['stripe_token'] = 'tok_visa';  

    $response = $this->process_payment();  

    $this->assertTrue($response['success']);  

}

Frequently Asked Questions

Use the gateway refund API:

wp_remote_post('https://api.stripe.com/v1/refunds', [  

    'headers' => ['Authorization' => 'Bearer ' . STRIPE_SECRET_KEY],  

    'body' => ['charge' => $charge_id]  

]);

Yes! Use a factory pattern to switch between Stripe, PayPal, etc., based on user choice.

Encrypt sensitive data.
Comply with GDPR by providing data export/delete options.

Subscribe to the gateway’s API changelog and test updates in a staging environment.

Let the gateway handle conversions or use a service like Open Exchange Rates.

Conclusion

Integrating a third-party payment gateway into a WordPress plugin requires meticulous attention to security, error handling, and user experience. By leveraging tools like tokenization, webhooks, and fraud detection, you can build a system that’s both secure and scalable. Always prioritize compliance with PCI-DSS and GDPR, and rigorously test your integration under real-world conditions. For further learning, explore the Stripe API Documentation and WordPress REST API Handbook.

About the writer

Hassan Tahir wrote this article, drawing on his experience to clarify WordPress concepts and enhance developer understanding. Through his work, he aims to help both beginners and professionals refine their skills and tackle WordPress projects with greater confidence.

VPS SSD:

Lifetime Hosting:

DEDICATED SERVERS:

USA:

ASIA:

Europe:

Other Location: