ForgeLayer Crypto Payments for WooCommerce

Description

ForgeLayer Crypto Payments connects your WooCommerce store to the ForgeLayer non-custodial crypto payment infrastructure. Customers can pay with Bitcoin, Ethereum (ERC-20), BNB Smart Chain (BEP-20), and Tron (TRC-20) tokens. Payments are sent to wallet addresses generated by your ForgeLayer account — ForgeLayer does not custody or control merchant funds.

Key Features

  • Multiple networks — Bitcoin, Ethereum, BSC, and Tron supported out of the box.
  • 50+ tokens — USDT, USDC, DAI, LINK, UNI, AAVE, CAKE, and dozens more with automatic price conversion via CoinGecko.
  • Instant webhook confirmation — HMAC-SHA256 signed webhooks trigger order fulfillment in real time, no polling required.
  • Background price caching — WP-Cron keeps cryptocurrency prices fresh so checkout never calls an external API on page load.
  • WooCommerce Blocks compatible — fully supports the block-based Cart and Checkout pages alongside the classic shortcode checkout.
  • HPOS compatible — officially declared compatible with WooCommerce High-Performance Order Storage.
  • Address reuse — optionally reuse inactive addresses to conserve your plan’s address quota.
  • Late payment grace period — configurable window to auto-reopen cancelled orders when payment arrives after the deadline.
  • Plan usage dashboard — real-time usage bars for addresses, webhooks, and API requests right on the settings page. Email alerts at 80%, 90%, and 100%.
  • Security hardened — HMAC signature verification, nonce CSRF protection, rate limiting on AJAX endpoints, progressive IP lockout, replay-attack prevention, input whitelisting, and comprehensive HTTP security headers on the payment page.
  • Non-custodial — ForgeLayer never holds your funds. Crypto goes straight to your wallet.

Supported Networks and Tokens

Network           Native Coin   Example Tokens
Bitcoin           BTC           (none listed)
Ethereum          ETH           USDT, USDC, DAI, LINK, UNI, AAVE, WBTC
BNB Smart Chain   BNB           USDT, USDC, BUSD, CAKE, XVS, WBNB
Tron              TRX           USDT, USDC, BTT, WIN, JST, SUN

Custom CoinGecko IDs can be added in settings for any token not in the built-in directory.

How It Works

  1. A customer selects a network and token at checkout.
  2. ForgeLayer generates a unique deposit address for the order.
  3. The customer sends the exact crypto amount to the displayed address (with QR code).
  4. ForgeLayer fires a signed webhook when the deposit is confirmed on-chain.
  5. The WooCommerce order status moves to Processing automatically.

Security

This plugin implements defense-in-depth security:

  • Every webhook payload is verified with an HMAC-SHA256 signature before any other processing, including JSON parsing.
  • Transaction hashes are deduplicated (7-day transient plus a permanent per-order record) to prevent replay attacks.
  • Webhook payload timestamps must fall within a ±5-minute window of server time.
  • Admin AJAX endpoints are rate-limited (max 10 requests/minute per user).
  • The payment poll endpoint uses IP-based progressive lockout (3 strikes = 60 s, 10 strikes = 1 h).
  • The payment page sends X-Content-Type-Options, X-XSS-Protection (a legacy header that current browsers ignore; the CSP is the effective control), Referrer-Policy, and a tight Content-Security-Policy header.
  • All input is validated against strict whitelists before use; anything that does not match is rejected.
  • No sensitive data (API key, webhook secret, address IDs) is ever output in HTML source.
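The following is an added example, not the plugin's or ForgeLayer's own code, showing the checks listed above (and the webhook step of How It Works) in the order a handler should run them: signature over the raw body, timestamp window, address and token match, txid replay guard, and the no-tolerance amount rule from changelog 1.1.1. The page does not describe ForgeLayer's wire format, so the header name X-ForgeLayer-Signature, the hex encoding of the signature, the JSON field names (ts, txHash, address, asset, amount) and the use of integer strings in the token's smallest unit are assumptions; the secret, addresses and payloads are constructed for the demo.

```php
<?php
declare(strict_types=1);
// Added example, not the plugin's own code. Assumed (not on the page): hex
// HMAC-SHA256 over the raw body in an X-ForgeLayer-Signature header, JSON
// fields ts/txHash/address/asset/amount, amounts as integer strings in the
// token's smallest unit (e.g. 25000000 = 25 USDT with 6 decimals).

const FORGELAYER_TS_WINDOW   = 300;        // ±5 minutes (Security section)
const FORGELAYER_TX_SEEN_TTL = 7 * 86400;  // 7-day txid memory (changelog 1.1.1)

/** Constant-time signature check over the untouched raw body. */
function forgelayer_signature_valid(string $raw_body, string $header, string $secret): bool
{
    $expected = hash_hmac('sha256', $raw_body, $secret);
    return hash_equals($expected, strtolower(trim($header)));
}

/** $a >= $b for non-negative integer strings, without bcmath or floats; fails closed. */
function forgelayer_amount_gte(string $a, string $b): bool
{
    if (!preg_match('/^\d+$/', $a) || !preg_match('/^\d+$/', $b)) {
        return false;
    }
    $a = ltrim($a, '0');
    $b = ltrim($b, '0');
    if (strlen($a) !== strlen($b)) {
        return strlen($a) > strlen($b);
    }
    return strcmp($a, $b) >= 0;
}

/**
 * Replay guard: false if $txid was seen within the TTL, otherwise records it.
 * $seen stands in for the plugin's transient plus per-order meta store.
 */
function forgelayer_claim_txid(array &$seen, string $txid, int $now): bool
{
    foreach ($seen as $id => $t) {
        if ($now - $t > FORGELAYER_TX_SEEN_TTL) {
            unset($seen[$id]);
        }
    }
    if (isset($seen[$txid])) {
        return false;
    }
    $seen[$txid] = $now;
    return true;
}

/**
 * The checks in the order they must run. $order is a constructed stand-in for
 * what the plugin stores on the WooCommerce order: lowercase deposit address,
 * expected token contract, and the displayed amount.
 */
function forgelayer_process_webhook(string $raw_body, string $sig, string $secret,
                                    array $order, array &$seen, int $now): string
{
    if (!forgelayer_signature_valid($raw_body, $sig, $secret)) return 'bad_signature';
    $p = json_decode($raw_body, true);
    if (!is_array($p)) return 'malformed';
    foreach (['ts', 'txHash', 'address', 'asset', 'amount'] as $k) {
        if (!isset($p[$k]) || !is_scalar($p[$k])) return 'malformed';
    }
    if (abs($now - (int) $p['ts']) > FORGELAYER_TS_WINDOW) return 'stale';
    // compared lowercase: the API may return checksummed EVM addresses (changelog 1.1.1)
    if (strtolower((string) $p['address']) !== $order['address']) return 'unknown_address';
    if (strtolower((string) $p['asset']) !== strtolower($order['contract'])) return 'wrong_token';
    if (!forgelayer_claim_txid($seen, (string) $p['txHash'], $now)) return 'replay';
    // no tolerance: the received amount must equal or exceed the displayed amount
    if (!forgelayer_amount_gte((string) $p['amount'], $order['amount'])) return 'partial';
    return 'paid';
}

/** Runs the pipeline against constructed inputs; returns the status per case. */
function forgelayer_demo(): array
{
    $secret = 'whsec_constructed_example_secret';           // constructed
    $now    = 1700000000;
    $order  = [
        'address'  => '0x' . str_repeat('0', 38) . 'a1',      // constructed, stored lowercase
        'contract' => '0x' . str_repeat('0', 38) . 'b2',      // constructed token contract
        'amount'   => '25000000',
    ];
    $sign = fn(string $body): string => hash_hmac('sha256', $body, $secret);
    $good = json_encode([
        'ts' => $now, 'txHash' => '0x' . str_repeat('ab', 32),
        'address' => '0x' . str_repeat('0', 38) . 'A1',       // checksummed-style casing
        'asset' => $order['contract'], 'amount' => '25000000',
    ]);
    $stale = json_encode(['ts' => $now - 600] + json_decode($good, true));
    $short = json_encode(['txHash' => '0x' . str_repeat('cd', 32), 'amount' => '24999999']
                         + json_decode($good, true));
    $seen = [];
    return [
        'first'  => forgelayer_process_webhook($good, $sign($good), $secret, $order, $seen, $now),
        'again'  => forgelayer_process_webhook($good, $sign($good), $secret, $order, $seen, $now),
        'forged' => forgelayer_process_webhook($good, str_repeat('0', 64), $secret, $order, $seen, $now),
        'old'    => forgelayer_process_webhook($stale, $sign($stale), $secret, $order, $seen, $now),
        'short'  => forgelayer_process_webhook($short, $sign($short), $secret, $order, $seen, $now),
    ];
}

print_r(forgelayer_demo());
```

The five cases exercise a valid deposit, the same webhook delivered twice, a body with a forged signature, a correctly signed but ten-minute-old body, and a signed deposit one base unit short. Two points matter in practice: the signature is checked over the raw bytes before json_decode runs, so a forged body never reaches the parser, and the txid is claimed only after the address and asset checks, so a wrong-token deposit does not burn a hash that a later, correct webhook may legitimately carry.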

External services

This plugin connects to the following external services:

ForgeLayer API (api.forgelayer.io)

Used for all core payment functions: generating blockchain deposit addresses, registering webhooks, and verifying payment confirmations. The store’s ForgeLayer API key and order-related data (amount, currency, chain, token) are sent when a customer initiates checkout. This service is required for the plugin to function.

CoinGecko (api.coingecko.com)

Used to fetch current cryptocurrency prices for fiat-to-crypto conversion. Only coin IDs and the store’s fiat currency are sent — no customer or order data is transmitted. Prices are cached server-side by WP-Cron; CoinGecko is not called during individual customer checkouts under normal operation.

QRServer (api.qrserver.com) — optional

Used to generate QR code images on the payment page. Disabled by default. Merchants can enable it under WooCommerce > Settings > Payments > ForgeLayer > Show QR Codes. When enabled, the blockchain wallet address (not customer personal data) is sent to api.qrserver.com to render a QR image.

Installation

  1. Upload the forgelayer-woocommerce folder to the /wp-content/plugins/ directory, or install via the WordPress plugin installer.
  2. Activate the plugin through the Plugins screen in WordPress.
  3. Go to WooCommerce > Settings > Payments and click ForgeLayer Crypto Payments.
  4. Enter your API key — get one at forgelayer.io/dashboard. Use a flk_test_ key to test in sandbox mode.
  5. Enable chains — check the Bitcoin, Ethereum, BSC, and/or Tron checkboxes.
  6. Refresh Token List — click the button to pull your configured tokens from ForgeLayer.
  7. Setup Webhook — click Setup Webhook to register your store’s endpoint with ForgeLayer automatically.
  8. Save settings and make a test purchase.

Minimum Requirements

  • WordPress 5.8+
  • WooCommerce 6.0+
  • PHP 7.4+
  • An active ForgeLayer account

FAQ

Do I need a ForgeLayer account?

Yes. ForgeLayer manages the blockchain address infrastructure, balance monitoring, and webhook delivery. Create a free account at forgelayer.io to get your API key.

Where do customer payments go?

Payments are sent to wallet addresses generated by your ForgeLayer account. ForgeLayer does not custody or control merchant funds — you retain full ownership of your private keys and wallet balances. You can transfer funds to any external wallet directly from your ForgeLayer dashboard.

Does the plugin support the new WooCommerce block-based checkout?

Yes. The plugin is fully compatible with both the classic shortcode checkout and the WooCommerce Blocks (Gutenberg) Cart and Checkout pages.

What happens if a customer pays after the order timer expires?

If Accept Late Payments is enabled (the default), orders are automatically reopened when payment arrives within your configured grace period (default 60 minutes). Payments that arrive beyond the grace period trigger an admin email for manual review — the funds are still in your ForgeLayer wallet.

How do I add a token that is not in the built-in list?

  1. Add the token to your ForgeLayer account via the dashboard.
  2. In WooCommerce > Settings > Payments > ForgeLayer, click Refresh Token List.
  3. If the token needs price conversion, find its CoinGecko ID (the slug in the URL on coingecko.com) and add it to the Custom CoinGecko IDs field in the format SYMBOL|coingecko-id.
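An added example, not code from the plugin, of parsing the Custom CoinGecko IDs field described above and turning the result into the single batched request the cron job needs. The SYMBOL|coingecko-id format and the [A-Z0-9]{1,20} symbol rule come from this page; the assumptions are that entries may be separated by newlines or commas, that CoinGecko ids match the slug shape ^[a-z0-9-]{1,100}$, and the sample field contents, which are constructed (the ids pepe and wrapped-bitcoin are real CoinGecko slugs, ABC and its ids are not).

```php
<?php
declare(strict_types=1);
// Added example, not the plugin's own code. Assumptions: newline/comma
// separators between entries and the slug pattern for CoinGecko ids.

/**
 * Parses "SYMBOL|coingecko-id" entries into ['map' => [...], 'errors' => [...]].
 * Every id ends up in a URL sent to a third-party API, so anything that is
 * not a plain slug is rejected rather than escaped.
 */
function forgelayer_parse_custom_ids(string $field): array
{
    $map = [];
    $errors = [];
    foreach (preg_split('/[\r\n,]+/', $field) as $raw) {
        $entry = trim($raw);
        if ($entry === '') {
            continue;
        }
        $parts = explode('|', $entry);
        if (count($parts) !== 2) {
            $errors[] = "$entry: expected SYMBOL|coingecko-id";
            continue;
        }
        $symbol = strtoupper(trim($parts[0]));
        $id     = strtolower(trim($parts[1]));
        if (!preg_match('/^[A-Z0-9]{1,20}$/', $symbol)) {       // rule from this page
            $errors[] = "$entry: symbol must match [A-Z0-9]{1,20}";
            continue;
        }
        if (!preg_match('/^[a-z0-9-]{1,100}$/', $id)) {          // assumed slug shape
            $errors[] = "$entry: coingecko id must be a plain slug";
            continue;
        }
        if (isset($map[$symbol]) && $map[$symbol] !== $id) {
            $errors[] = "$entry: symbol already mapped to {$map[$symbol]}";
            continue;
        }
        $map[$symbol] = $id;
    }
    return ['map' => $map, 'errors' => $errors];
}

/**
 * One batched /simple/price URL for every id in the map, so the WP-Cron job
 * makes a single request per run instead of one per token.
 */
function forgelayer_price_url(array $map, string $fiat): string
{
    $ids = array_values(array_unique(array_values($map)));
    sort($ids);
    return 'https://api.coingecko.com/api/v3/simple/price?' . http_build_query([
        'ids'           => implode(',', $ids),
        'vs_currencies' => strtolower($fiat),
    ]);
}

// Constructed sample field: two good entries, three bad ones, one duplicate.
$sample = "PEPE|pepe\nwbtc | wrapped-bitcoin, BAD|../etc, TOO LONG|x, ABC|Abc-Token, ABC|other-token";
$parsed = forgelayer_parse_custom_ids($sample);
print_r($parsed);
echo forgelayer_price_url($parsed['map'], 'USD'), PHP_EOL;
```

Symbols and ids are normalised in case before validation so that "wbtc | wrapped-bitcoin" is accepted, while a path-like id, a symbol containing a space, and a second mapping for an already-used symbol are reported and dropped instead of reaching the request URL.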

Is the plugin compatible with WooCommerce HPOS (High-Performance Order Storage)?

Yes. The plugin has been tested with HPOS and declares compatibility via the WooCommerce FeaturesUtil API. All order data is read and written through WooCommerce’s order API, not raw database queries.

How can I test the integration without real crypto?

Generate a flk_test_ API key from your ForgeLayer dashboard, enter it in settings, and enable Sandbox / Test Mode. Test transactions do not require real funds.

What should I do if the price shows “Calculating…” at checkout?

This means the WP-Cron price cache has not been populated yet. Save your settings to trigger an immediate cache warm, or wait for the next cron run (default 5 minutes). You can also verify WP-Cron is running correctly on your host.

Changelog

1.1.2

  • Fix: renamed all PHP functions, classes, constants, options, transients, cron hooks, and Ajax actions from the short fl_/FL_ prefix to forgelayer_/Forgelayer_/FORGELAYER_ to comply with WordPress.org plugin review requirements (minimum 4-character unique prefix).
  • Fix: updated external service links for QRServer in readme.txt.

1.1.1

  • Fix: webhook order lookup now matches by address only (ForgeLayer never populates userRef); userRef fast-path removed.
  • Fix: deposit addresses are stored and queried in lowercase to prevent case-mismatch with checksummed EVM addresses returned by the API.
  • Fix: webhook validates received asset against the order’s stored token contract address; wrong-token deposits are ignored.
  • Fix: removed 1% payment tolerance — received amount must equal or exceed the displayed amount; partial payments stay pending until a top-up webhook arrives.
  • Fix: txid deduplication transient extended from 1 day to 7 days; added per-order fl_tx_seen meta as a permanent backstop against double-counting after transient expiry.
  • Fix: verify_payment is now a pure database reader — removed balance API call; all confirmation is handled exclusively by the webhook.
  • Fix: payment layout no longer collapses into the 180 px QR column when QR codes are disabled; two-column grid only activates with the fl-has-qr class.
  • Fix: added BTC, ETH, BNB, TRX to $coingecko_map so native-coin price lookups go through the documented path; removed defunct FTT entry.
  • Fix: confirmed payment banner now shows a checkmark icon instead of duplicate “Payment confirmed” text.

1.1.0

  • Security: added IP-based progressive lockout on the payment poll AJAX endpoint (3 strikes = 60s, 10 strikes = 1h).
  • Security: added rate limiting (max 10 req/min per user) on fl_refresh_tokens, fl_setup_webhook, and fl_refresh_usage admin AJAX endpoints.
  • Security: added timestamp validation (±5 min) and txHash deduplication (24h transient) to prevent webhook replay attacks.
  • Security: expanded security headers on the payment page — added X-Content-Type-Options, X-XSS-Protection, Referrer-Policy, and a tight Content-Security-Policy.
  • Security: added WP_DEBUG admin notice warning that the API key is stored as plaintext when debug mode is on.
  • Security: chain_id values are now whitelisted against a strict allowlist before any use.
  • Security: token symbol values are validated against [A-Z0-9]{1,20} before use.
  • Security: order_key is validated against the wc_order_[a-zA-Z0-9]+ pattern on the AJAX check endpoint.
  • Security: find_inactive_address() now sanitizes chain_id before passing it to the meta_query.
  • Security: all order meta writes now use sanitize_text_field() and absint() defensively.
  • Feature: account usage dashboard with live progress bars and 80/90/100% email alerts.
  • Feature: Accept Late Payments setting with configurable grace period.
  • Feature: Address reuse option to conserve plan quota.
  • Feature: WooCommerce Blocks (Gutenberg) checkout compatibility.
  • Feature: HPOS (High-Performance Order Storage) compatibility declared.
  • Feature: 50+ token directory with automatic CoinGecko price conversion.
  • Feature: background price caching via WP-Cron — checkout never calls CoinGecko directly.
  • Fix: nonce length is now capped at 64 characters before verification to prevent oversized input.
  • Fix: order_id is strictly cast with absint() before any use.
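An added example, not the plugin's own code, of the input rules and the progressive lockout listed in the 1.1.0 entries above: order_id cast with absint(), order_key matched against wc_order_[a-zA-Z0-9]+, the nonce capped at 64 characters before verification, chain_id checked against an allowlist, and a rejected poll request counting as a strike (3 strikes = 60 s, 10 strikes = 1 h). The chain_id values, the rule that strikes expire after an hour of quiet, the request fields and the client IP are assumptions made for the demo; nonce verification itself needs WordPress and is left to wp_verify_nonce() after the cap.

```php
<?php
declare(strict_types=1);
// Added example, not the plugin's own code. Assumed: the chain_id allowlist
// values, the 1 h strike expiry, and that every rejected request is a strike.

const FORGELAYER_CHAIN_IDS  = ['bitcoin', 'ethereum', 'bsc', 'tron']; // assumed ids
const FORGELAYER_STRIKE_TTL = 3600;                                  // assumed

/** Strict validation of a poll request; returns normalised fields or null. */
function forgelayer_validate_poll(array $req): ?array
{
    $order_id  = isset($req['order_id']) && is_scalar($req['order_id']) ? abs((int) $req['order_id']) : 0; // absint()
    $order_key = isset($req['order_key']) && is_string($req['order_key']) ? $req['order_key'] : '';
    $chain_id  = isset($req['chain_id']) && is_string($req['chain_id']) ? strtolower($req['chain_id']) : '';
    $nonce     = isset($req['nonce']) && is_string($req['nonce']) ? $req['nonce'] : '';
    if ($order_id === 0) return null;
    if (!preg_match('/^wc_order_[a-zA-Z0-9]+$/', $order_key)) return null;
    if (!in_array($chain_id, FORGELAYER_CHAIN_IDS, true)) return null;
    if ($nonce === '' || strlen($nonce) > 64) return null;   // cap before wp_verify_nonce()
    return compact('order_id', 'order_key', 'chain_id', 'nonce');
}

/** May this client poll right now? $state stands in for the plugin's per-IP transient. */
function forgelayer_lockout_allows(array &$state, string $ip, int $now): bool
{
    if (!isset($state[$ip])) return true;
    if ($state[$ip]['until'] > $now) return false;            // still locked out
    if ($now - $state[$ip]['last'] > FORGELAYER_STRIKE_TTL) { // quiet long enough: forget strikes
        unset($state[$ip]);
    }
    return true;
}

/** Records a rejected request and escalates; returns the lockout imposed in seconds. */
function forgelayer_lockout_strike(array &$state, string $ip, int $now): int
{
    $s = $state[$ip] ?? ['strikes' => 0, 'until' => 0, 'last' => $now];
    $s['strikes']++;
    $s['last'] = $now;
    if ($s['strikes'] >= 10) {
        $s['until'] = $now + 3600;   // 10 strikes = 1 h
    } elseif ($s['strikes'] >= 3) {
        $s['until'] = $now + 60;     // 3 strikes = 60 s
    }
    $state[$ip] = $s;
    return max(0, $s['until'] - $now);
}

/** Endpoint front: lockout first, then validation; a rejected request is a strike. */
function forgelayer_handle_poll(array &$state, string $ip, array $req, int $now): string
{
    if (!forgelayer_lockout_allows($state, $ip, $now)) return 'locked';
    if (forgelayer_validate_poll($req) === null) {
        forgelayer_lockout_strike($state, $ip, $now);
        return 'rejected';
    }
    return 'ok';   // nonce check and order lookup would follow here
}

// Constructed demo: three bad requests, then a good one while locked, then after the lock.
$state = [];
$now   = 1700000000;
$ip    = '203.0.113.9';
$bad   = ['order_id' => '12', 'order_key' => "wc_order_abc' OR 1=1", 'chain_id' => 'ethereum', 'nonce' => 'n'];
$good  = ['order_id' => '12', 'order_key' => 'wc_order_AbC123', 'chain_id' => 'Ethereum', 'nonce' => str_repeat('a', 10)];
$log   = [];
for ($i = 0; $i < 3; $i++) {
    $log[] = forgelayer_handle_poll($state, $ip, $bad, $now + $i);
}
$log[] = forgelayer_handle_poll($state, $ip, $good, $now + 3);
$log[] = forgelayer_handle_poll($state, $ip, $good, $now + 70);
print_r($log);
```

Two design points carry over to the real endpoint: the lockout is consulted before any field is inspected, so a locked client costs no validation work, and requests made while locked do not add strikes, so the counter only grows from requests that actually reached the validator.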

1.0.0

  • Initial release.
  • Bitcoin, Ethereum, BSC, and Tron network support.
  • HMAC-SHA256 webhook signature verification.
  • Per-order nonce CSRF protection on the payment poll endpoint.
  • CoinGecko price conversion with batch caching.
  • WP-Cron background payment checking every 5 minutes.
  • Duplicate payment detection with admin email notification.