Setting up real payments and subscriptions
After you’ve carried out some testing and you know your way around WPdirectdebit, you’re ready to do it for real, with real payments. Before you start, make sure you have access to your site’s wp-config.php file because you’ll need to edit it. Ask your webhosting company for help if you don’t know how to do this.
Disable the sandbox webhook; this will prevent your site from receiving sandbox events when you are in live mode. You can do this from your GoCardless dashboard:
Log in to GoCardless at https://manage-sandbox.gocardless.com
Navigate to Developers -> Webhook endpoints ( https://manage-sandbox.gocardless.com/developers/webhook-endpoints ).
Click on the webhook that you created earlier and click the Disable button.
From the Gravity Forms GoCardless settings tab, disable sandbox mode.
Return to your WPdirectdebit settings page and select the GoCardless Credentials tab; it should now look like this. Two lines of text, each starting with define(, have been generated.
Now edit your site’s wp-config.php file and copy and paste the two lines into it. It should look similar to this (see lines 41 and 43). Put them above the line that reads /* That's all, stop editing! Happy publishing. */ (older installs say "Happy blogging"), because anything defined below that line is set too late for plugins to see it. Save the file.
Refresh the connection settings page. If WPdirectdebit can find your security keys, the GoCardless Credentials tab reverts to normal. Follow the steps in this video to connect your site to GoCardless, create a webhook, and store its settings.
Safeguarding your API credentials
In live mode, your access token and webhook secret are encrypted before they are stored in your database.
Encryption is used because a database is not a secure store on its own: it is backed up, copied and downloaded, so it is hard to keep close tabs on who can read it. It is good to know that the access token and webhook secret cannot be read from a database dump without decrypting them first, which needs a key the dump does not contain.
Of course, it must be possible to decrypt these credentials in order to use them, so the keys must be available somewhere. They should be stored in your wp-config.php file. This is as safe a place as any, as it is where the database username and password are also kept. To improve the security of your wp-config.php file, consider moving it out of the web root (the folder your web server serves files from). WordPress automatically looks for wp-config.php one directory above the web root if it is not found in the web root itself, provided that parent directory does not contain another WordPress install (a wp-settings.php file). Make sure the parent directory is not itself served by the web server; check with your web hosting provider if you are unsure.
Nevertheless, you might prefer to use environment variables instead of writing the settings directly into wp-config.php, so that the keys never appear in a file that gets copied around with the site. Here is an interesting post discussing this possibility and giving one approach to doing so: https://matthewdaly.co.uk/blog/2019/09/22/storing-wordpress-configuration-in-environment-variables/
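The following is an added illustration of the two points above, not WPdirectdebit's own code: the credential key is read from an environment variable first and from a define() in wp-config.php second, and a credential is then encrypted so that a database row (or backup) is useless without that key. The constant and environment variable name WPDD_CREDENTIAL_KEY, the function names and the sample token are assumptions for the example; use the names the plugin generates for you. It uses PHP's built-in libsodium extension.

```php
<?php
declare(strict_types=1);

// Added example; not part of WPdirectdebit. WPDD_CREDENTIAL_KEY is an assumed name.

// Resolve the credential key: environment first, then a define() from wp-config.php.
// Throws on any problem so a misconfigured live site fails closed instead of
// running with credentials it cannot decrypt.
function wpdd_load_credential_key(string $name = 'WPDD_CREDENTIAL_KEY'): string
{
    $value = getenv($name);
    if ($value === false || $value === '') {
        $value = defined($name) ? (string) constant($name) : '';
    }
    if ($value === '') {
        throw new RuntimeException("$name is not set in the environment or wp-config.php");
    }
    // The key is kept base64-encoded so it survives copy/paste into a config file.
    $raw = base64_decode($value, true);
    if ($raw === false || strlen($raw) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException("$name must be a base64-encoded 32-byte key");
    }
    return $raw;
}

// Encrypt a credential for storage in the database. A fresh random nonce is
// generated per call and stored in front of the ciphertext.
function wpdd_encrypt_credential(string $plaintext, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = sodium_crypto_secretbox($plaintext, $nonce, $key);
    return base64_encode($nonce . $box);
}

// Reverse of the above. secretbox is authenticated, so a wrong key or a
// tampered row is detected rather than silently producing garbage.
function wpdd_decrypt_credential(string $stored, string $key): string
{
    $blob = base64_decode($stored, true);
    if ($blob === false || strlen($blob) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
        throw new RuntimeException('stored credential is malformed');
    }
    $nonce = substr($blob, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($blob, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    if ($plain === false) {
        throw new RuntimeException('credential could not be decrypted (wrong key or tampered data)');
    }
    return $plain;
}

// Demonstration. A freshly generated key stands in for the one the environment
// or wp-config.php would provide; the token is a constructed placeholder, not a
// real GoCardless secret.
putenv('WPDD_CREDENTIAL_KEY=' . base64_encode(sodium_crypto_secretbox_keygen()));
$key = wpdd_load_credential_key();

$stored = wpdd_encrypt_credential('live_access_token_placeholder', $key);
echo "database row: $stored\n";
echo "decrypted:    " . wpdd_decrypt_credential($stored, $key) . "\n";

// Someone holding only a database backup, or a different key, gets nothing back.
try {
    wpdd_decrypt_credential($stored, sodium_crypto_secretbox_keygen());
} catch (RuntimeException $e) {
    echo "with another key: " . $e->getMessage() . "\n";
}
```

In a real deployment the putenv() line is replaced by the web server or process manager exporting the variable (the linked post shows one way), and the encrypt/decrypt functions would be the plugin's own; the point to take from the example is that the key is the only thing that turns a stolen database row back into a usable token, so it must never be stored in that same database.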
General security considerations
You’ll want to follow best practices to secure your website. As a minimum:
1) Keep all your software up to date; this includes the plugins, themes, WordPress itself and the version of PHP running on the server.
2) Use strong passwords for all admin accounts. We recommend you also enable two-factor authentication on your admin accounts. The Wordfence firewall plugin offers two-factor authentication and can enforce the use of strong passwords, even in the free version.
3) Use strong passwords on your web server account, web hosting provider account, database and any FTP accounts that can access your web server.
4) Consider moving your wp-config.php file out of the web root, as described above.
5) Consider installing a firewall plugin such as Wordfence or Sucuri.