Gravity forms add-on for WorldPay.
- Minimum Requirements
- Installation
- Setup
- Security Concerns about WorldPay HTML API
- Not Issue
- Features
- Not Supported / Not Implemented
- Best Practices
- Test Sandbox
- FAQ
- Public API
- Preflight
- Coding
- Author Information
- Feedback
- Change log
- License
- PHP v7.2
- php-curl
- WordPress v4.9.8
- Gravity Forms v2.3.3.2
$ composer require itinerisltd/gf-worldpayPayment response(redirection) and Enhancing security with MD5 are mandatory.
In the Integration Setup for your installation using the Merchant Interface > Installations option:
- Enable Enable the Shopper Response
- Enable Payment Response enabled?
- Enter
<wpdisplay item=MC_callback>as Payment Response URL - Enter a 25-char random passphrase as Payment Response password
- Enter a 30-char random passphrase as MD5 secret for transactions
- Enter
instId:amount:currency:cartIdas SignatureFields
Note that WorldPay truncate long Payment Response password without notices!
- Leaking MD5 secret for transactions
- Allow evil hackers to set up fake checkout pages, pretending to be the merchant
- WorldPay would accept these checkouts and charges the credit cards
- Money goes into the merchant's account
- Leaking Payment Response password
- Allow evil hackers to pretending to be WorldPay
- WordPress would accept evil hackers' payment callbacks and changes entries' payment statuses
If Payment Response password(also known ascallbackPW) is incorrect, InvalidResponseException is throw to stop the world.
Credit card holders see white screen of death or stuck in "wait for redirection" page in such case.
- Enhancing security with MD5
- Gravity Forms Logging
- Gravity Forms Notification Events
- Gravity Forms Confirmation
- Gravity Forms Conditional Logic
- Shipping address
- Reject according to fraud check results
- Token payment
- Recurring payment
- Refund
- Void
Although WorldPay accepts insecure HTTP sites, you should always use HTTPS to protect all communication.
Always double check payment status on WorldPay Merchant Interface.
Use this test credit card.
Gravity Forms capabilities behave differently on multi-user sites and its documents are incomplete.
If GF WorldPay is missing on form settings, grant yourself gf_worldpay and gf_worldpay_uninstall capabilities.
See: https://docs.gravityforms.com/role-management-guide/
ConfirmationHandler::buildUrlFor(Entry $entry, int $ttlInSeconds = 3600): string
Usage:
<?php
$entryId = 123;
$rawEntry = GFAPI::get_entry($entryId);
if (is_wp_error($rawEntry)) {
wp_die('Entry not found');
}
$url = ConfirmationHandler::buildUrlFor(
new Entry($rawEntry),
86400 // expires in 24 hours (24*3600=86400)
);
echo $url;
// https://example.com?entry=123&gf-worldpay-token=XXXXXXXXXXXXUse Case: With "using confirmation query strings to populate a form based on another submission":
- User fills in formA
- User completes WorldPay checkout form
- User comes back and hits
CallbackHandler CallbackHandlersends user to formB according to confirmation settings- User arrives formB url with merged query strings
If the user quits before completing formB, you could use ConfirmationHandler::buildUrlFor generate a single-use, short-lived url for the user to resume formB.
Note:
- The url continues Gravity Forms confirmation
- Whoever got the url will go on confirmation, no authentication performed
- The confirmation will use latest field values from database which could have changed
- No payment status checking
After form submit, this plugin sends order information to WorldPay in exchange for a redirect URL(the WorldPay hosted checkout form URL).
By default, when redirect URL retrieval fails:
- Mark entry payment status as
Failed - Log the error
wp_dieimmediately
Common failure reasons:
- Incorrect vendor code
- Server IP not whitelisted
Tips: Check the log.
You can use 'gf_worldpay_redirect_url_failure_wp_die' filter to:
- continue Gravity Forms' feed and confirmation flow
- perform extra operations
- redirect to a different error page
Important: If this filter returns false, normal Gravity Forms' feed and confirmation flow continues.
Improper settings might lead to disasters.
Example:
add_filter('gf_worldpay_redirect_url_failure_wp_die', function(bool $shouldWpDie, ServerAuthorizeResponse $response, Entry $entry, GFPaymentAddOn $addOn): bool {
// Do something.
return true; // Do `wp_die`
return false; // Don't `wp_die`, continue normal flow
return $shouldWpDie; // Undecisive
}, 10, 4);This plugin provides built-in support for preflight-command. No extra setup steps required.
Checker ID: gf-worldpay-production-mode
- ensure all gf-worldpay feeds are in production mode (i.e: not in test mode)
- can't be disabled
- no config options available
Read the followings before developing:
- WorldPay HTML API
- Gravity Forms: GFPaymentAddOn
- Gravity Forms: Entry Object
- Omnipay: WorldPay
- thephpleague/omnipay#255 (comment)
Gravity Forms has undocumented hidden magics, read its source code.
gf-worldpay is a Itineris Limited project created by Tang Rufus.
Full list of contributors can be found here.
Please provide feedback! We want to make this library useful in as many projects as possible. Please submit an issue and point out what you do and don't like, or fork the project and make suggestions. No issue is too small.
Please see CHANGELOG for more information on what has changed recently.
gf-worldpay is released under the MIT License.