How to safely create WordPress users through Zapier automation using REST API

I’m trying to set up an automated system where new users get created in WordPress whenever someone makes a purchase on my platform. I found a plugin that lets me create users through API calls like this:

https://mysite.com/wp-json/custom/v1/create-user/?user_email={{buyer_email}}&username={{buyer_email}}&token=xyz123

The automation tool can grab the customer’s email from the purchase and put it in the {{buyer_email}} field. That part works fine.

But I’m worried about security. Right now anyone can visit mysite.com/wp-json/custom/v1/get-token/?action=create&type=user and grab the authentication token they would need to create accounts.

What’s the best way to lock this down so only legitimate requests can create new users? I’m pretty new to working with APIs so any simple solutions would be great. Also wondering if there’s a way to do this whole thing without using third party automation tools at all.

Don’t put auth tokens in GET parameters - you’re basically broadcasting your credentials to the world. Skip the public endpoint token generation and use WordPress application passwords or JWT tokens that actually expire. Your payment processor probably has webhooks, which cuts out the middleman completely. I ditched a similar Zapier setup for direct webhooks after seeing how many things could break. With webhooks, your payment system talks straight to WordPress when someone buys something - no third-party delays or exposed tokens. If you’re stuck with Zapier, at least throw that token in environment variables and use POST requests with credentials in the body, not the URL. And add rate limiting to your user creation endpoint because automated systems love to go nuts and spam your database with duplicates.

That token endpoint is a super risky move! Using API keys or OAuth is way better. Also, check out webhook auth – most payment platforms can send secure webhooks right to WordPress, avoiding Zapier altogether. Much safer choice!

You’re right to worry about that public token endpoint - you’ve basically handed anyone the keys to create users. Had the same problem with client sites. Quick fix: ditch URL parameters and use proper auth headers instead. Most WordPress REST API plugins handle bearer tokens or basic auth through headers, so they won’t show up in browser requests. Just configure Zapier to send these in the headers, not the URL. I’ve also had good luck with IP whitelisting on the server. Zapier uses known IP ranges, so you can lock down the endpoint to only accept requests from those addresses. Gives you backup protection even if someone finds your token. If your payment platform does webhooks, skip Zapier completely and have payments hit WordPress directly. More reliable and secure, though it takes more setup upfront.
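One way to apply the advice in the replies above (POST only, credentials in an Authorization header via a WordPress Application Password instead of a token in the URL, a capability check, and a duplicate check), as an added example that is not from the thread or from the plugin the question mentions; the callback name is assumed, and the `custom/v1/create-user` route is the one from the question:

```php
<?php
// Added example, not the plugin's code. Registers POST /wp-json/custom/v1/create-user
// behind a permission_callback. With Application Passwords (WordPress 5.6+) the
// automation step sends "Authorization: Basic base64(username:app-password)";
// core authenticates that header before permission_callback runs, so nothing
// secret ever appears in the URL or in access logs.
add_action('rest_api_init', function () {
    register_rest_route('custom/v1', '/create-user', [
        'methods'             => WP_REST_Server::CREATABLE, // POST only, no GET
        'callback'            => 'myprefix_create_user',    // hypothetical name
        'permission_callback' => function () {
            // Unauthenticated or under-privileged callers get 401/403 here.
            return current_user_can('create_users');
        },
        'args' => [
            'user_email' => [
                'required'          => true,
                'validate_callback' => function ($value) {
                    return is_email($value) !== false;
                },
                'sanitize_callback' => 'sanitize_email',
            ],
        ],
    ]);
});

function myprefix_create_user(WP_REST_Request $request) {
    $email = $request->get_param('user_email');

    // Retried Zaps/webhooks must not spam duplicates: treat "exists" as success.
    if (email_exists($email)) {
        return new WP_REST_Response(['status' => 'exists'], 200);
    }

    $user_id = wp_insert_user([
        'user_login' => $email,
        'user_email' => $email,
        'user_pass'  => wp_generate_password(24, true), // user resets via email
        'role'       => 'subscriber', // least privilege for a buyer account
    ]);

    if (is_wp_error($user_id)) {
        return new WP_Error('create_failed', $user_id->get_error_message(), ['status' => 400]);
    }
    return new WP_REST_Response(['status' => 'created', 'id' => $user_id], 201);
}
```

Create the Application Password under the profile of a dedicated low-privilege account that only has the `create_users` capability, and put the header in the automation tool's request settings rather than in the URL.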
