v0.4 Sneak Peek: The WordPress Plugin That Changes Everything
The star of v0.4 is undoubtedly our official WordPress plugin, a game-changer that brings InstantPay directly into the world's most popular content management system. With WordPress powering over 43% of all websites on the internet, this integration represents a massive leap forward in our mission to make Solana payments accessible to everyone.
Why WordPress Matters
WordPress isn't just a blogging platform anymore. It's the foundation of millions of businesses, creators, and developers worldwide. By integrating InstantPay directly into WordPress, we're reaching a massive ecosystem of users who can now accept Solana payments without leaving their familiar dashboard.
The plugin allows WordPress site owners to:
- Connect their InstantPay account directly from the WordPress admin panel
- Manage all InstantPay features without ever leaving WordPress
- Embed payment widgets using simple Gutenberg blocks or shortcodes
- Sell digital products seamlessly within their WordPress content
This means creators, bloggers, and businesses can now monetize their WordPress sites with Solana payments in minutes, not hours.
Building the Plugin: A Developer's Journey
Building a WordPress plugin that integrates seamlessly with a modern Next.js application presented some unique challenges. Here's how we tackled them:
Architecture Decisions
We chose a minimal, secure architecture that prioritizes user experience and security:
```php
// Core plugin structure
class InstantPay_Plugin {
    public function run() {
        $this->load_textdomain();
        $this->define_hooks();
    }

    private function define_hooks() {
        // Admin page, settings, shortcodes, blocks
        add_action('admin_menu', ...);
        add_action('init', ...);
    }
}
```
The plugin follows WordPress coding standards and best practices, ensuring compatibility with the vast WordPress ecosystem.
Security First: CSRF Protection
One of our first priorities was implementing robust security measures. WordPress plugins are a common attack vector, so we implemented comprehensive protection:
CSRF Protection with Nonces:
```php
// AJAX endpoint with nonce verification
public function handle_update_connection() {
    // Authorization: only administrators may change the connection.
    // wp_send_json_error() sends the response and terminates the request.
    if (!current_user_can('manage_options')) {
        wp_send_json_error(['message' => 'Unauthorized'], 403);
    }

    // CSRF protection
    if (!isset($_POST['nonce']) ||
        !wp_verify_nonce($_POST['nonce'], 'instantpay_update_connection')) {
        wp_send_json_error(['message' => 'Invalid security token'], 403);
    }

    // Process request...
}
```
Input Sanitization: All user inputs are sanitized using WordPress functions:
- `sanitize_text_field()` for text inputs
- `esc_url_raw()` for URLs
- `esc_attr()`, `esc_html()` for output
Capability Checks:
Only users with the `manage_options` capability can modify plugin settings, ensuring that only administrators can configure InstantPay.
Embedded Dashboard Integration
One of the most interesting challenges was embedding our Next.js dashboard into WordPress. We needed to:
- Maintain security while allowing cross-origin communication
- Handle authentication between WordPress and InstantPay
- Sync connection status in real-time
We solved this using the postMessage API with strict origin validation:
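```javascript
// WordPress admin iframe handler
// isAllowedOrigin, ajaxUrl and config are defined elsewhere in the admin script.
window.addEventListener('message', function (event) {
  // Drop anything that does not come from the InstantPay dashboard origin
  if (!isAllowedOrigin(event.origin)) return;

  // The excerpt used `data` and `payload` without declaring them; reading
  // them from event.data is an assumption about the message shape.
  const data = event.data || {};
  const payload = data.payload || {};

  if (data.type === 'instantpay-admin-update-connection') {
    // Securely update WordPress options via AJAX
    window.jQuery.post(ajaxUrl, {
      action: 'instantpay_update_connection',
      nonce: config.nonce,
      username: payload.username,
      site_token: payload.siteToken
    });
  }
});
```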
The embedded dashboard allows users to connect their wallet, manage their profile, and configure InstantPay settings, all without leaving WordPress.
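The handler above relies on `isAllowedOrigin`, which the post does not show. The following is an added example, not the plugin's own code, of strict origin validation plus message-shape checks, run over constructed events. The dashboard origin is a placeholder, and the `data.payload` shape, the username pattern and the token length limit are assumptions.

```javascript
// Added example. The origin below is a placeholder, and the data.payload
// shape and field limits are assumptions, not the plugin's real values.
const ALLOWED_ORIGINS = new Set(['https://dashboard.instantpay.example']);
const MESSAGE_TYPE = 'instantpay-admin-update-connection';

// event.origin is already a serialized origin (scheme://host[:port]), so the
// only safe test is exact equality against an allowlist; prefix, suffix or
// substring matching would accept look-alike hosts.
function isAllowedOrigin(origin, allowed = ALLOWED_ORIGINS) {
  return typeof origin === 'string' && allowed.has(origin);
}

// Returns the fields to POST to admin-ajax.php, or null to drop the message.
// expectedSource, when given, should be the dashboard iframe's contentWindow.
function parseConnectionMessage(event, expectedSource = null, allowed = ALLOWED_ORIGINS) {
  if (!isAllowedOrigin(event.origin, allowed)) return null;
  if (expectedSource !== null && event.source !== expectedSource) return null;
  const data = event.data;
  if (data === null || typeof data !== 'object' || data.type !== MESSAGE_TYPE) return null;
  const payload = data.payload;
  if (payload === null || typeof payload !== 'object') return null;
  const { username, siteToken } = payload;
  if (typeof username !== 'string' || !/^[A-Za-z0-9_-]{1,64}$/.test(username)) return null;
  if (typeof siteToken !== 'string' || siteToken.length === 0 || siteToken.length > 512) return null;
  return { username, site_token: siteToken };
}

// Constructed sample events (not captured traffic).
const good = { type: MESSAGE_TYPE, payload: { username: 'alice', siteToken: 'tok_constructed' } };
const SAMPLE_EVENTS = [
  { origin: 'https://dashboard.instantpay.example', data: good },              // accepted
  { origin: 'https://dashboard.instantpay.example.other.test', data: good },   // look-alike host
  { origin: 'http://dashboard.instantpay.example', data: good },               // wrong scheme
  { origin: 'null', data: good },                                              // opaque origin
  { origin: 'https://dashboard.instantpay.example', data: { type: 'other' } }, // wrong type
  { origin: 'https://dashboard.instantpay.example',                            // wrong field type
    data: { type: MESSAGE_TYPE, payload: { username: { name: 'alice' }, siteToken: 'x' } } },
];

// true = message would be forwarded to the AJAX endpoint
function runSamples() {
  return SAMPLE_EVENTS.map((e) => parseConnectionMessage(e) !== null);
}

console.log(runSamples());
```

The server-side capability and nonce checks still apply to whatever this function lets through; the client-side filter only narrows what reaches them.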
Gutenberg Blocks & Shortcodes
We implemented both modern Gutenberg blocks and traditional shortcodes for maximum compatibility:
Gutenberg Blocks:
- Visual block editor integration
- Inspector controls for configuration
- Live preview in the editor
- Product selection dropdown (fetches from InstantPay API)
Shortcodes:
- `[instantpay_donate]` - Donation widget
- `[instantpay_product id="..."]` - Product purchase widget
- `[instantpay_page]` - Full payment page embed
Both approaches use the same underlying shortcode system, ensuring consistency and maintainability.
API Integration
The plugin communicates with InstantPay via our public API endpoints. We implemented:
- Product listing endpoint (`/api/public/products-by-username`)
- CORS headers for cross-origin requests
- Error handling with graceful fallbacks
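```typescript
// Next.js API route
import { NextRequest, NextResponse } from 'next/server';

export async function GET(request: NextRequest) {
  const { searchParams } = new URL(request.url);
  const username = searchParams.get('username');

  // Query Supabase with proper security.
  // `supabase` (the client) and `user` (the account resolved from
  // `username`) come from code not shown in this excerpt.
  const { data } = await supabase
    .from('digital_products')
    .select('id, title, price_sol')
    .eq('user_id', user.id)
    .eq('is_active', true);

  // Wildcard CORS: any site may read this response, so the select above
  // returns only public listing fields.
  return NextResponse.json(data, {
    headers: {
      'Access-Control-Allow-Origin': '*',
      'Access-Control-Allow-Methods': 'GET, OPTIONS',
    },
  });
}
```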
Responsive Widget Heights
One of the trickier aspects was ensuring embedded widgets display correctly across different WordPress themes. We implemented fixed heights with careful testing:
- Donate widget: 550px
- Product widget: 260px
- Full page embed: 1500px with scrolling
These heights were fine-tuned through extensive testing to ensure widgets display correctly without excessive whitespace or content clipping.
Technical Highlights
WordPress Best Practices
- Settings API for configuration management
- Nonce verification for all AJAX requests
- Capability checks for authorization
- Proper escaping for all output
- ABSPATH checks to prevent direct access
- Text domain for internationalization
Security Audit
Before release, we conducted a comprehensive security audit:
- CSRF protection
- XSS prevention
- Input validation
- Output escaping
- SQL injection prevention (via WordPress API)
All critical vulnerabilities were identified and fixed before the first release.
Performance Considerations
- Lazy loading of admin scripts
- Conditional asset enqueuing (only on pages with InstantPay content)
- Efficient API calls with proper caching
- Minimal plugin footprint (~50KB total)
What's Next
The WordPress plugin is just the beginning. In future versions, we plan to add:
- WooCommerce integration for e-commerce sites
- Analytics dashboard within WordPress
- Multi-user support for WordPress multisite
- Advanced customization options
Coming Soon
v0.4 and the first official InstantPay WordPress plugin will be released very soon. The plugin will be available for download and installation directly from WordPress sites, making it easier than ever to start accepting Solana payments.
Stay tuned for the official release announcement!
Built with ❤️ by the InstantPay team. Follow our journey as we make Solana payments accessible to everyone.