Sandbox testing

Before you try real transactions, make some test transactions using sandbox mode. You can use dummy bank account data instead of using actual bank details.

  • For Bacs, use the sort code 200000 and the account number 55779911

Setting up real payments

After you’ve carried out some testing and you know your way around Instant Bank Pay for WordPress, you’re ready to connect to your live GoCardless account.

  1. From the settings page, disable sandbox mode.
  2. Visit the connection settings page as you did when you connected to GoCardless in sandbox mode; this time the connection will be made in live mode. Before you make the connection, there is an extra step: generating and saving security keys. You must add two lines of code to your wp-config.php file. These have been generated for you and are shown in blue. Copy and paste these two lines into wp-config.php before the ‘stop editing’ line. It should look similar to this (see lines 97 and 99; your line numbers will likely differ). Refresh the connection settings page and, if the Instant Bank Pay for WordPress plug-in can find your security keys, the GoCardless Credentials tab reverts to normal.
  3. Next, open another tab or window in your browser, and log in to wpdirectdebit.com using the account that matches the email address of your GoCardless account.
  4. Go back to the original tab and click the connect button shown above to connect to GoCardless.
  5. You’ll be guided through some steps that should bring you back to where you started, in your admin dashboard. If all went to plan, you’ll see a message congratulating you on connecting successfully.

Safeguarding your API credentials

In live mode, your access token is encrypted and stored in your database.

Encryption is used because databases are not totally secure: they are backed up, and those backups can be downloaded, so it is hard to keep close tabs on who can reach your security credentials. It’s good to know that the access token cannot be read without decrypting it first.

Of course, it must be possible to decrypt these credentials in order to use them, and so the keys must be available somewhere. They should be stored in your wp-config.php file. This is as safe a place as any, as it’s where the database username and password are also kept. To improve the security of your wp-config.php file, consider moving it out of the root folder. WordPress should automatically find this file if it is stored in the directory above your root directory. Check with your web hosting provider.

Nevertheless, you might prefer to use environment variables instead of writing the settings directly into wp-config.php. Here is an interesting post discussing this possibility and giving one approach to doing so: https://matthewdaly.co.uk/blog/2019/09/22/storing-wordpress-configuration-in-environment-variables/
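As an added example (not the plugin’s own code, and not taken from the linked post), here is how the two generated lines in wp-config.php could instead read their values from environment variables, so the secrets never sit in the file itself. The constant names and environment variable names are placeholders: substitute the exact constant names the GoCardless Credentials tab generated for you. It goes a little beyond the post by also checking $_SERVER, where some PHP-FPM setups expose pool-level variables, and by refusing to continue when a key is missing.

```php
<?php
// Added example, not part of the Instant Bank Pay for WordPress plugin.
// Put this block in wp-config.php ABOVE the "That's all, stop editing!" line,
// in place of the two generated define() lines.
//
// Assumptions: the constant names are placeholders for the ones the plugin
// generated for you; the environment variable names are your own choice and
// must match what your hosting sets (web server config, PHP-FPM pool, etc.).

$instant_bank_pay_keys = array(
    'INSTANT_BANK_PAY_KEY'  => 'INSTANT_BANK_PAY_KEY',  // placeholder constant => env var
    'INSTANT_BANK_PAY_SALT' => 'INSTANT_BANK_PAY_SALT', // placeholder constant => env var
);

foreach ( $instant_bank_pay_keys as $constant => $env_name ) {
    // Prefer the real process environment; fall back to $_SERVER, which is
    // where FastCGI/FPM pool variables (env[...] directives) usually appear.
    $value = getenv( $env_name );
    if ( false === $value && isset( $_SERVER[ $env_name ] ) ) {
        $value = $_SERVER[ $env_name ];
    }

    if ( ! is_string( $value ) || '' === trim( $value ) ) {
        // Stop early rather than run live with a blank key: the plugin would
        // be unable to decrypt the stored access token, and a blank key is
        // worse than a clear configuration error. wp_die() is not available
        // yet at this point in wp-config.php, so use plain PHP.
        error_log( "Missing environment variable {$env_name} for {$constant}" );
        http_response_code( 500 );
        exit( 'Site configuration error: payment security key is not set.' );
    }

    // Never redefine a constant that is already set (e.g. by a deployment
    // script or a test harness); define() would raise a warning otherwise.
    if ( ! defined( $constant ) ) {
        define( $constant, $value );
    }
}
```

The variables must be present for the PHP process that serves the site, not just your shell, so check them with a one-off `phpinfo()` or `getenv()` call from a page request before switching off sandbox mode.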

General security considerations

You’ll want to follow best practices to secure your website. As a minimum:

1) Ensure all your software is up to date, including the plugins, themes, WordPress itself and the version of PHP running on the server, and keep it up to date.

2) Use strong passwords for all admin accounts. We recommend you also enable two-factor authentication on your admin accounts. The Wordfence firewall plugin offers two-factor authentication and can enforce the use of strong passwords, even in the free version.

3) Use strong passwords on your web server account, web hosting provider account, database and any FTP accounts that can access your web server.

4) Consider moving your wp-config.php file out of the root folder.

5) Consider installing a firewall plugin such as Wordfence or Sucuri.