Safely Saving PayPal API Credentials

As of Events Manager 2.5, we allow you to store API credentials in your PayPal Gateway Settings page.

Events Manager needs PayPal API credentials to communicate with PayPal and verify whether or not a booking has been paid for, specifically before deleting bookings automatically. This prevents accidental deletion of bookings which have been paid for but, for whatever reason, were not marked as confirmed because no valid IPN notification was received from PayPal.

API Credentials are particularly sensitive bits of information which can give access to your PayPal account, and therefore must be stored safely. For this reason, we prevent API information from being displayed or stored via unencrypted admin pages. If your site does not support SSL, you will need to store this information in another way.

Recommended Solution – Get SSL!

This may seem obvious, and we appreciate that not everyone can enable SSL on their hosting environment. However, if you can, we strongly suggest you consider doing this! Not only will your PayPal API keys be safely transferred between your browser and your site, but everything else will be too, such as your WordPress username and password!

You can force your whole admin area to use SSL simply by adding this line to your wp-config.php file:

define('FORCE_SSL_ADMIN', true);

Please see the official WordPress documentation for enabling SSL in your admin dashboard.

One Exception – Sandbox Credentials

If you have PayPal Mode set to ‘Test Mode (Sandbox)’ in your PayPal settings, then you will see the option to show your API credential fields allowing you to view and store them. We still don’t show them to you by default, just in case you’ve stored real API credentials in there and just switched to sandbox mode.

We STRONGLY advise against switching to ‘Test Mode’ and choosing to show and/or store your real API keys when not using SSL.

Install via PHP Script

Some technical knowledge is required here, but it’s the only ‘convenient’ and ‘safe’ alternative.

If you cannot enable SSL on your admin area, and you want to add API credentials to your Events Manager settings, you could upload a file to your site via secure FTP or via your host control panel. Many hosts these days enforce secure FTP connections to your site files, or alternatively allow you to edit files via their control panels which are over HTTPS. This way, you can securely upload a script that saves your API information directly to your database, and then delete it.

If you can do the above, then it’s pretty straightforward. Copy this snippet of code into a new .php file, and upload it to the /wp-content/mu-plugins folder, as indicated in our tutorial.

Make sure you replace YOUR USERNAME, YOUR PASSWORD and YOUR SIGNATURE with the relevant information. Once you upload this, visit your PayPal gateway settings page and you should see the first and last letters of each bit of information. That’s it! When you’re done, delete that file.
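
For illustration, here is what a one-time installer of this kind can look like. This is an added example, not the Events Manager snippet referred to above: the three REPLACE_WITH_... option keys and the function name are placeholders and assumptions, so take the real option keys from the plugin's own snippet. It refuses to save while any placeholder is left in place and logs only the first and last character of each stored value.

```php
<?php
/*
 * Added example: one-time mu-plugin that writes PayPal API credentials to the
 * WordPress options table. Upload over secure FTP or an HTTPS control panel.
 * ASSUMPTION: the option keys below are placeholders, not Events Manager's
 * real option names. The function name is hypothetical as well.
 */
add_action( 'init', 'example_store_paypal_api_credentials' );

function example_store_paypal_api_credentials() {
    $credentials = array(
        'REPLACE_WITH_USERNAME_OPTION_KEY'  => 'YOUR USERNAME',
        'REPLACE_WITH_PASSWORD_OPTION_KEY'  => 'YOUR PASSWORD',
        'REPLACE_WITH_SIGNATURE_OPTION_KEY' => 'YOUR SIGNATURE',
    );

    // Refuse to write anything while a key or value is still a placeholder.
    foreach ( $credentials as $key => $value ) {
        if ( 0 === strpos( $key, 'REPLACE_WITH_' ) || 0 === strpos( $value, 'YOUR ' ) ) {
            error_log( 'Credential installer: placeholders not replaced, nothing saved.' );
            return;
        }
    }

    foreach ( $credentials as $key => $value ) {
        update_option( $key, $value );

        // Read the value back to confirm the write, and log it masked:
        // first and last character only, never the full credential.
        $stored = (string) get_option( $key );
        $masked = strlen( $stored ) > 2
            ? $stored[0] . '***' . substr( $stored, -1 )
            : '***';
        error_log( sprintf(
            'Credential installer: %s = %s (%s)',
            $key,
            $masked,
            $stored === $value ? 'saved' : 'MISMATCH'
        ) );
    }

    // mu-plugins load on every request, so this file keeps running until removed.
    error_log( 'Credential installer: done, delete ' . basename( __FILE__ ) . ' now.' );
}
```

The messages go to the PHP error log, and because the file still holds the credentials in plain text, removing it straight after the check on the gateway settings page matters as much as the upload itself.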