{"id":327166,"date":"2026-06-22T10:14:49","date_gmt":"2026-06-22T10:14:49","guid":{"rendered":"https:\/\/wordpress.org\/plugins\/forgelayer-crypto-payments-for-woocommerce\/"},"modified":"2026-06-22T10:14:24","modified_gmt":"2026-06-22T10:14:24","slug":"forgelayer-crypto-payments-for-woocommerce","status":"publish","type":"plugin","link":"https:\/\/wordpress.org\/plugins\/forgelayer-crypto-payments-for-woocommerce\/","author":23517445,"comment_status":"closed","ping_status":"closed","template":"","meta":{"version":"1.1.2","stable_tag":"1.1.2","tested":"7.0","requires":"5.8","requires_php":"7.4","requires_plugins":null,"header_name":"ForgeLayer Crypto Payments for WooCommerce","header_author":"ForgeLayer","header_description":"Accept Bitcoin, Ethereum, BSC, and Tron cryptocurrency payments at checkout via ForgeLayer.","assets_banners_color":"","last_updated":"2026-06-22 10:14:24","external_support_url":"","external_repository_url":"","donate_link":"","header_plugin_uri":"https:\/\/github.com\/forgelayer-tech\/forgelayer-woocommerce","header_author_uri":"https:\/\/forgelayer.io","rating":0,"author_block_rating":0,"active_installs":0,"downloads":25,"num_ratings":0,"support_threads":0,"support_threads_resolved":0,"author_block_count":0,"sections":["description","installation","faq","changelog"],"tags":{"1.1.2":{"tag":"1.1.2","author":"forgelayer01","date":"2026-06-22 10:14:24"}},"upgrade_notice":{"1.1.0":"<p>This release includes important security hardening \u2014 progressive IP lockout, admin endpoint rate limiting, webhook replay prevention, and expanded HTTP security headers. 
Upgrade recommended for all production sites.<\/p>"},"ratings":[],"assets_icons":[],"assets_banners":[],"assets_blueprints":{},"all_blocks":[],"tagged_versions":["1.1.2"],"block_files":[],"assets_screenshots":[],"screenshots":{"1":"<strong>Payment selection at checkout<\/strong> \u2014 customers choose their preferred network and token from a clean radio grid.","2":"<strong>Payment instructions page<\/strong> \u2014 shows the wallet address, QR code, exact amount, countdown timer, and network warning.","3":"<strong>Gateway settings \u2014 API &amp; webhook<\/strong> \u2014 API key field, sandbox mode toggle, and one-click webhook registration.","4":"<strong>Gateway settings \u2014 chain &amp; token management<\/strong> \u2014 per-chain enable toggles with token checkboxes and the Refresh Token List button.","5":"<strong>Account usage dashboard<\/strong> \u2014 real-time usage bars for wallet addresses, webhooks, and API requests.","6":"<strong>Admin notice \u2014 usage warning<\/strong> \u2014 contextual notice when a resource approaches its plan limit."}},"plugin_section":[],"plugin_tags":[1886,12611,18737,6593,286],"plugin_category":[45],"plugin_contributors":[268324],"plugin_business_model":[],"class_list":["post-327166","plugin","type-plugin","status-publish","hentry","plugin_tags-bitcoin","plugin_tags-cryptocurrency","plugin_tags-ethereum","plugin_tags-payment-gateway","plugin_tags-woocommerce","plugin_category-ecommerce","plugin_contributors-forgelayer01","plugin_committers-forgelayer01"],"banners":[],"icons":{"svg":false,"icon":"https:\/\/s.w.org\/plugins\/geopattern-icon\/forgelayer-crypto-payments-for-woocommerce.svg","icon_2x":false,"generated":true},"screenshots":[],"raw_content":"<!--section=description-->\n<p><strong>ForgeLayer Crypto Payments<\/strong> connects your WooCommerce store to the <a href=\"https:\/\/forgelayer.io\">ForgeLayer<\/a> non-custodial crypto payment infrastructure. 
Customers can pay with Bitcoin, Ethereum (ERC-20), BNB Smart Chain (BEP-20), and Tron (TRC-20) tokens. Payments are sent to wallet addresses generated by your ForgeLayer account \u2014 ForgeLayer does not custody or control merchant funds.<\/p>\n\n<h4>Key Features<\/h4>\n\n<ul>\n<li><strong>Multiple networks<\/strong> \u2014 Bitcoin, Ethereum, BSC, and Tron supported out of the box.<\/li>\n<li><strong>50+ tokens<\/strong> \u2014 USDT, USDC, DAI, LINK, UNI, AAVE, CAKE, and dozens more with automatic price conversion via CoinGecko.<\/li>\n<li><strong>Instant webhook confirmation<\/strong> \u2014 HMAC-SHA256 signed webhooks trigger order fulfillment in real time, no polling required.<\/li>\n<li><strong>Background price caching<\/strong> \u2014 WP-Cron keeps cryptocurrency prices fresh so checkout never calls an external API on page load.<\/li>\n<li><strong>WooCommerce Blocks compatible<\/strong> \u2014 fully supports the block-based Cart and Checkout pages alongside the classic shortcode checkout.<\/li>\n<li><strong>HPOS compatible<\/strong> \u2014 officially declared compatible with WooCommerce High-Performance Order Storage.<\/li>\n<li><strong>Address reuse<\/strong> \u2014 optionally reuse inactive addresses to conserve your plan's address quota.<\/li>\n<li><strong>Late payment grace period<\/strong> \u2014 configurable window to auto-reopen cancelled orders when payment arrives after the deadline.<\/li>\n<li><strong>Plan usage dashboard<\/strong> \u2014 real-time usage bars for addresses, webhooks, and API requests right on the settings page. Email alerts at 80%, 90%, and 100%.<\/li>\n<li><strong>Security hardened<\/strong> \u2014 HMAC signature verification, nonce CSRF protection, rate limiting on AJAX endpoints, progressive IP lockout, replay-attack prevention, input whitelisting, and comprehensive HTTP security headers on the payment page.<\/li>\n<li><strong>Non-custodial<\/strong> \u2014 ForgeLayer never holds your funds. 
Crypto goes straight to your wallet.<\/li>\n<\/ul>\n\n<h4>Supported Networks and Tokens<\/h4>\n\n<table>\n<thead>\n<tr>\n<th>Network<\/th>\n<th>Native Coin<\/th>\n<th>Example Tokens<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Bitcoin<\/td>\n<td>BTC<\/td>\n<td>\u2014<\/td>\n<\/tr>\n<tr>\n<td>Ethereum<\/td>\n<td>ETH<\/td>\n<td>USDT, USDC, DAI, LINK, UNI, AAVE, WBTC<\/td>\n<\/tr>\n<tr>\n<td>BNB Smart Chain<\/td>\n<td>BNB<\/td>\n<td>USDT, USDC, BUSD, CAKE, XVS, WBNB<\/td>\n<\/tr>\n<tr>\n<td>Tron<\/td>\n<td>TRX<\/td>\n<td>USDT, USDC, BTT, WIN, JST, SUN<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n\n<p>Custom CoinGecko IDs can be added in settings for any token not in the built-in directory.<\/p>\n\n<h4>How It Works<\/h4>\n\n<ol>\n<li>A customer selects a network and token at checkout.<\/li>\n<li>ForgeLayer generates a unique deposit address for the order.<\/li>\n<li>The customer sends the exact crypto amount to the displayed address (with QR code).<\/li>\n<li>ForgeLayer fires a signed webhook when the deposit is confirmed on-chain.<\/li>\n<li>The WooCommerce order status moves to Processing automatically.<\/li>\n<\/ol>\n\n<h4>Security<\/h4>\n\n<p>This plugin implements defense-in-depth security:<\/p>\n\n<ul>\n<li>All webhook payloads are verified with HMAC-SHA256 signatures before any processing.<\/li>\n<li>Transaction hashes are deduplicated to prevent replay attacks.<\/li>\n<li>Webhook payload timestamps are validated within a \u00b15-minute window.<\/li>\n<li>Admin AJAX endpoints are rate-limited (max 10 requests\/minute per user).<\/li>\n<li>The payment poll endpoint uses IP-based progressive lockout (3 strikes = 60s, 10 strikes = 1h).<\/li>\n<li>The payment page sends <code>X-Content-Type-Options<\/code>, <code>X-XSS-Protection<\/code>, <code>Referrer-Policy<\/code>, and a tight <code>Content-Security-Policy<\/code> header.<\/li>\n<li>All input is validated against strict whitelists before use.<\/li>\n<li>No sensitive data (API key, webhook secret, address IDs) is ever output in HTML source.<\/li>\n<\/ul>\n\n<h3>External services<\/h3>\n\n<p>This plugin connects to the following external services:<\/p>\n\n<h4>ForgeLayer API (api.forgelayer.io)<\/h4>\n\n<p>Used for all core payment 
functions: generating blockchain deposit addresses, registering webhooks, and verifying payment confirmations. The store's ForgeLayer API key and order-related data (amount, currency, chain, token) are sent when a customer initiates checkout. This service is required for the plugin to function.<\/p>\n\n<ul>\n<li><a href=\"https:\/\/forgelayer.io\/terms\">ForgeLayer Terms of Service<\/a><\/li>\n<li><a href=\"https:\/\/forgelayer.io\/privacy\">ForgeLayer Privacy Policy<\/a><\/li>\n<\/ul>\n\n<h4>CoinGecko (api.coingecko.com)<\/h4>\n\n<p>Used to fetch current cryptocurrency prices for fiat-to-crypto conversion. Only coin IDs and the store's fiat currency are sent \u2014 no customer or order data is transmitted. Prices are cached server-side by WP-Cron; CoinGecko is not called during individual customer checkouts under normal operation.<\/p>\n\n<ul>\n<li><a href=\"https:\/\/www.coingecko.com\/en\/terms\">CoinGecko Terms of Service<\/a><\/li>\n<li><a href=\"https:\/\/www.coingecko.com\/en\/privacy\">CoinGecko Privacy Policy<\/a><\/li>\n<\/ul>\n\n<h4>QRServer (api.qrserver.com) \u2014 optional<\/h4>\n\n<p>Used to generate QR code images on the payment page. <strong>Disabled by default.<\/strong> Merchants can enable it under WooCommerce &gt; Settings &gt; Payments &gt; ForgeLayer &gt; Show QR Codes. 
When enabled, the blockchain wallet address (not customer personal data) is sent to api.qrserver.com to render a QR image.<\/p>\n\n<ul>\n<li><a href=\"https:\/\/goqr.me\/de\/rechtliches\/agb-logo.html\">QRServer Terms of Service<\/a><\/li>\n<li><a href=\"https:\/\/goqr.me\/de\/rechtliches\/datenschutz-goqrme.html\">QRServer Privacy Policy<\/a><\/li>\n<\/ul>\n\n<!--section=installation-->\n<ol>\n<li><strong>Upload<\/strong> the <code>forgelayer-woocommerce<\/code> folder to the <code>\/wp-content\/plugins\/<\/code> directory, or install via the WordPress plugin installer.<\/li>\n<li><strong>Activate<\/strong> the plugin through the Plugins screen in WordPress.<\/li>\n<li>Go to <strong>WooCommerce &gt; Settings &gt; Payments<\/strong> and click <strong>ForgeLayer Crypto Payments<\/strong>.<\/li>\n<li><strong>Enter your API key<\/strong> \u2014 get one at <a href=\"https:\/\/forgelayer.io\/dashboard\">forgelayer.io\/dashboard<\/a>. Use a <code>flk_test_<\/code> key to test in sandbox mode.<\/li>\n<li><strong>Enable chains<\/strong> \u2014 check the Bitcoin, Ethereum, BSC, and\/or Tron checkboxes.<\/li>\n<li><strong>Refresh Token List<\/strong> \u2014 click the button to pull your configured tokens from ForgeLayer.<\/li>\n<li><strong>Setup Webhook<\/strong> \u2014 click <strong>Setup Webhook<\/strong> to register your store's endpoint with ForgeLayer automatically.<\/li>\n<li><strong>Save settings<\/strong> and make a test purchase.<\/li>\n<\/ol>\n\n<h4>Minimum Requirements<\/h4>\n\n<ul>\n<li>WordPress 5.8+<\/li>\n<li>WooCommerce 6.0+<\/li>\n<li>PHP 7.4+<\/li>\n<li>An active <a href=\"https:\/\/forgelayer.io\">ForgeLayer<\/a> account<\/li>\n<\/ul>\n\n<!--section=faq-->\n<dl>\n<dt id=\"do%20i%20need%20a%20forgelayer%20account%3F\"><h3>Do I need a ForgeLayer account?<\/h3><\/dt>\n<dd><p>Yes. ForgeLayer manages the blockchain address infrastructure, balance monitoring, and webhook delivery. 
Create a free account at <a href=\"https:\/\/forgelayer.io\">forgelayer.io<\/a> to get your API key.<\/p><\/dd>\n<dt id=\"where%20do%20customer%20payments%20go%3F\"><h3>Where do customer payments go?<\/h3><\/dt>\n<dd><p>Payments are sent to wallet addresses generated by your ForgeLayer account. ForgeLayer does not custody or control merchant funds \u2014 you retain full ownership of your private keys and wallet balances. You can transfer funds to any external wallet directly from your ForgeLayer dashboard.<\/p><\/dd>\n<dt id=\"does%20the%20plugin%20support%20the%20new%20woocommerce%20block-based%20checkout%3F\"><h3>Does the plugin support the new WooCommerce block-based checkout?<\/h3><\/dt>\n<dd><p>Yes. The plugin is fully compatible with both the classic shortcode checkout and the WooCommerce Blocks (Gutenberg) Cart and Checkout pages.<\/p><\/dd>\n<dt id=\"what%20happens%20if%20a%20customer%20pays%20after%20the%20order%20timer%20expires%3F\"><h3>What happens if a customer pays after the order timer expires?<\/h3><\/dt>\n<dd><p>If <strong>Accept Late Payments<\/strong> is enabled (the default), orders are automatically reopened when payment arrives within your configured grace period (default 60 minutes). 
Payments that arrive beyond the grace period trigger an admin email for manual review \u2014 the funds are still in your ForgeLayer wallet.<\/p><\/dd>\n<dt id=\"how%20do%20i%20add%20a%20token%20that%20is%20not%20in%20the%20built-in%20list%3F\"><h3>How do I add a token that is not in the built-in list?<\/h3><\/dt>\n<dd><ol>\n<li>Add the token to your ForgeLayer account via the dashboard.<\/li>\n<li>In WooCommerce &gt; Settings &gt; Payments &gt; ForgeLayer, click <strong>Refresh Token List<\/strong>.<\/li>\n<li>If the token needs price conversion, find its CoinGecko ID (the slug in the URL on coingecko.com) and add it to the <strong>Custom CoinGecko IDs<\/strong> field in the format <code>SYMBOL|coingecko-id<\/code>.<\/li>\n<\/ol><\/dd>\n<dt id=\"is%20the%20plugin%20compatible%20with%20woocommerce%20hpos%20%28high-performance%20order%20storage%29%3F\"><h3>Is the plugin compatible with WooCommerce HPOS (High-Performance Order Storage)?<\/h3><\/dt>\n<dd><p>Yes. The plugin has been tested with HPOS and declares compatibility via the WooCommerce FeaturesUtil API. All order data is read and written through WooCommerce's order API, not raw database queries.<\/p><\/dd>\n<dt id=\"how%20can%20i%20test%20the%20integration%20without%20real%20crypto%3F\"><h3>How can I test the integration without real crypto?<\/h3><\/dt>\n<dd><p>Generate a <code>flk_test_<\/code> API key from your ForgeLayer dashboard, enter it in settings, and enable <strong>Sandbox \/ Test Mode<\/strong>. Test transactions do not require real funds.<\/p><\/dd>\n<dt id=\"what%20should%20i%20do%20if%20the%20price%20shows%20%22calculating...%22%20at%20checkout%3F\"><h3>What should I do if the price shows \"Calculating...\" at checkout?<\/h3><\/dt>\n<dd><p>This means the WP-Cron price cache has not been populated yet. Save your settings to trigger an immediate cache warm, or wait for the next cron run (default 5 minutes). 
You can also verify WP-Cron is running correctly on your host.<\/p><\/dd>\n\n<\/dl>\n\n<!--section=changelog-->\n<h4>1.1.2<\/h4>\n\n<ul>\n<li>Fix: renamed all PHP functions, classes, constants, options, transients, cron hooks, and Ajax actions from the short <code>fl_<\/code>\/<code>FL_<\/code> prefix to <code>forgelayer_<\/code>\/<code>Forgelayer_<\/code>\/<code>FORGELAYER_<\/code> to comply with WordPress.org plugin review requirements (minimum 4-character unique prefix).<\/li>\n<li>Fix: updated external service links for QRServer in readme.txt.<\/li>\n<\/ul>\n\n<h4>1.1.1<\/h4>\n\n<ul>\n<li>Fix: webhook order lookup now matches by address only (ForgeLayer never populates userRef); userRef fast-path removed.<\/li>\n<li>Fix: deposit addresses are stored and queried in lowercase to prevent case-mismatch with checksummed EVM addresses returned by the API.<\/li>\n<li>Fix: webhook validates received asset against the order's stored token contract address; wrong-token deposits are ignored.<\/li>\n<li>Fix: removed 1% payment tolerance \u2014 received amount must equal or exceed the displayed amount; partial payments stay pending until a top-up webhook arrives.<\/li>\n<li>Fix: txid deduplication transient extended from 1 day to 7 days; added per-order <em>fl_tx_seen<\/em> meta as a permanent backstop against double-counting after transient expiry.<\/li>\n<li>Fix: verify_payment is now a pure database reader \u2014 removed balance API call; all confirmation is handled exclusively by the webhook.<\/li>\n<li>Fix: payment layout no longer collapses into the 180 px QR column when QR codes are disabled; two-column grid only activates with the fl-has-qr class.<\/li>\n<li>Fix: added BTC, ETH, BNB, TRX to $coingecko_map so native-coin price lookups go through the documented path; removed defunct FTT entry.<\/li>\n<li>Fix: confirmed payment banner now shows a checkmark icon instead of duplicate \"Payment confirmed\" text.<\/li>\n<\/ul>\n\n<h4>1.1.0<\/h4>\n\n<ul>\n<li>Security: 
added IP-based progressive lockout on the payment poll AJAX endpoint (3 strikes = 60s, 10 strikes = 1h).<\/li>\n<li>Security: added rate limiting (max 10 req\/min per user) on fl_refresh_tokens, fl_setup_webhook, and fl_refresh_usage admin AJAX endpoints.<\/li>\n<li>Security: added timestamp validation (\u00b15 min) and txHash deduplication (24h transient) to prevent webhook replay attacks.<\/li>\n<li>Security: expanded security headers on the payment page \u2014 added X-Content-Type-Options, X-XSS-Protection, Referrer-Policy, and a tight Content-Security-Policy.<\/li>\n<li>Security: added WP_DEBUG admin notice warning that the API key is stored as plaintext when debug mode is on.<\/li>\n<li>Security: chain_id values are now whitelisted against a strict allowlist before any use.<\/li>\n<li>Security: token symbol values are validated against [A-Z0-9]{1,20} before use.<\/li>\n<li>Security: order_key is validated against the wc_order_[a-zA-Z0-9]+ pattern on the AJAX check endpoint.<\/li>\n<li>Security: find_inactive_address() now sanitizes chain_id before passing it to the meta_query.<\/li>\n<li>Security: all order meta writes now use sanitize_text_field() and absint() defensively.<\/li>\n<li>Feature: account usage dashboard with live progress bars and 80\/90\/100% email alerts.<\/li>\n<li>Feature: Accept Late Payments setting with configurable grace period.<\/li>\n<li>Feature: Address reuse option to conserve plan quota.<\/li>\n<li>Feature: WooCommerce Blocks (Gutenberg) checkout compatibility.<\/li>\n<li>Feature: HPOS (High-Performance Order Storage) compatibility declared.<\/li>\n<li>Feature: 50+ token directory with automatic CoinGecko price conversion.<\/li>\n<li>Feature: background price caching via WP-Cron \u2014 checkout never calls CoinGecko directly.<\/li>\n<li>Fix: nonce length is now capped at 64 characters before verification to prevent oversized input.<\/li>\n<li>Fix: order_id is strictly cast with absint() before any 
use.<\/li>\n<\/ul>\n\n<h4>1.0.0<\/h4>\n\n<ul>\n<li>Initial release.<\/li>\n<li>Bitcoin, Ethereum, BSC, and Tron network support.<\/li>\n<li>HMAC-SHA256 webhook signature verification.<\/li>\n<li>Per-order nonce CSRF protection on the payment poll endpoint.<\/li>\n<li>CoinGecko price conversion with batch caching.<\/li>\n<li>WP-Cron background payment checking every 5 minutes.<\/li>\n<li>Duplicate payment detection with admin email notification.<\/li>\n<\/ul>","raw_excerpt":"Accept Bitcoin, Ethereum, BNB Smart Chain, and Tron cryptocurrency payments directly in WooCommerce via ForgeLayer.","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/327166","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"replies":[{"embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=327166"}],"author":[{"embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wporg\/v1\/users\/forgelayer01"}],"wp:attachment":[{"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=327166"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=327166"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=327166"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_category?post=327166"},{"taxonomy":"plugin_contributors","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_contributors?post=327166"},{"taxonomy":"plugin_business_model","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_business_model?post=327166"}],"curies":[{"name":"wp","href":"https:\/\/
api.w.org\/{rel}","templated":true}]}}