Since version 2.10, Paid Memberships Pro is now _always_ creating a user as the first step of checkout. Creating the user first means that even if the payment or subscription setup fails, a user account is still created.

Previously, this behavior was only in place for “offsite” gateways like PayPal Standard and Stripe Checkout. For onsite checkouts, your site attempted the payment and subscription setup first, and created the user only if payment was successful.

There are pros and cons to this choice.

This post will go into those pros and cons and also share some of the history behind how we’ve been handling checkouts in the past and how we came to this decision. We will also share steps that can be taken now to stop spam and other issues at checkout, as well as some things we are working on.

How Paid Memberships Pro Handles User Creation at Checkout

The PMPro Checkout Process: Some History

Back in 2011, a big selling point of PMPro was a singular checkout page. Our checkout page has always handled both user creation and payment. Since then, web standards have changed, and multistep checkouts are the standard. To move toward multistep checkout, PMPro 2.10 standardized all gateway integrations to create users as the first step of checkout.

Why the Web Has Moved Toward Multistep Checkout

Today, more and more checkout processes you see online are “multistep”. A multistep checkout means that the user completes the checkout process across several pages. They incrementally add more information to the checkout as they progress.

You may notice the extreme of this on Amazon.com. The Amazon.com “Log In” page, for example, asks for your email address on a separate page from your password.

Today’s UX specialists realize that separating each step of the checkout flow creates a better experience. Multistep also allows for more customization and even unlocks new sales/marketing opportunities. For example, by getting the user’s email and contact information upfront, you’ve got built-in capability to do “abandoned cart” recovery.

Why We Create Users Before Payment

As we grow as a platform, we want to focus on consistency across our core plugin and integrations. By always creating the user before payment, we standardized our code across every gateway we integrate with. Not only the gateways in the core plugin, but also in our gateway Add Ons.

While some sites may not choose to use the feature, we also plan to add multistep checkout to PMPro. The change to always create a user before payment is a necessary component of moving toward multistep.

Lastly, a small number of sites see an issue where payments are accepted, but the user account fails to create. This change helps to ensure that your site does not accept any payment from someone without having a user to attach the payment to. You can now have complete confidence that every member will immediately receive their user account. And that account lets them immediately gain access to protected content.

Quick Note on Users vs. Members

We have always recommended that you build your site in a way that accounts for logged in users who are not yet members.

Instead of restricting your WordPress site based on whether the user is logged in or not, you should restrict the site based on what membership level the user has.

There are many cases where someone may have a user account, but not be a member. One common one is when a user cancels. This user may still like to log in later to check their invoice history or manage some of their info on your site.

It’s good practice to allow this kind of behavior on your site. Expired or cancelled members should be able to regain access to their account history. They may even purchase membership again.

These users who fail at checkout do not receive a membership level. You should always require a membership level to view protected content. If you are using an integration that syncs users to a third party platform, always use a function that hooks into the membership level change, not user creation.
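
The two recommendations above (restrict by membership level, sync on level change) can be wired up as follows. This is an added example, not code from Paid Memberships Pro or from the original post. CRM_ENDPOINT and the my_* function names are hypothetical, while pmpro_hasMembershipLevel() and the pmpro_after_change_membership_level hook are PMPro's own.

```php
<?php
// Added example, not PMPro's own code. CRM_ENDPOINT and the my_* function
// names are hypothetical; the hooks and PMPro/WordPress functions are real.
const CRM_ENDPOINT = 'https://crm.example.invalid/members'; // placeholder URL

// Gate content on membership level, not login state. An account created by
// a failed checkout is a valid login with no level, so this returns false.
function my_can_view_protected( $user_id = null ) {
	if ( ! function_exists( 'pmpro_hasMembershipLevel' ) ) {
		return false; // Fail closed if PMPro is deactivated.
	}
	// null for the level argument means "any active membership level".
	return pmpro_hasMembershipLevel( null, $user_id );
}

// Send one membership state change to the third-party platform.
function my_crm_push( $email, $level_id ) {
	$response = wp_remote_post( CRM_ENDPOINT, array(
		'timeout' => 5,
		'headers' => array( 'Content-Type' => 'application/json' ),
		'body'    => wp_json_encode( array(
			'email'    => $email,
			'level_id' => $level_id, // 0 means "no longer a member"
		) ),
	) );
	if ( is_wp_error( $response ) ) {
		error_log( 'CRM sync failed: ' . $response->get_error_message() );
	}
}

// Sync on level change. Deliberately NOT hooked to 'user_register', which
// fires as soon as checkout creates the account, before payment succeeds.
function my_sync_on_level_change( $level_id, $user_id ) {
	$user = get_userdata( $user_id );
	if ( ! $user ) {
		return;
	}
	my_crm_push( $user->user_email, (int) $level_id );
}
add_action( 'pmpro_after_change_membership_level', 'my_sync_on_level_change', 10, 2 );
```

Because the hook also fires with a level ID of 0 on cancellation, the same handler removes access on the third-party side when a membership ends.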

Downsides to Having a User Account Created First

With all this positive benefit, there are certainly a few issues that we will still be working on. Site owners may also need to do some work and make some changes to support the new model of user creation introduced in PMPro v2.10+.

The primary downside is that you might get a lot of spam user accounts.

Since user accounts are created before payment, it is possible that someone who is using your site to test credit cards will target your site. They may be able to create user accounts for credit card testing. And they may be able to create a TON of them in a very short period of time.

There are also some things to think about here with respect to privacy. At checkout, your site collects the data to create the user. If that user doesn’t complete checkout, it may not be clear to them that your site has collected that data and in fact created the user login. They may want their information forgotten and deleted.

We’re addressing this by developing a script to delete users who abandoned checkout and never used the created account (details in the last section below).

As a privacy concern, though, the user did provide their full information and set up a password into a form. They did click submit. So it’s not at all unreasonable for your site to create an account with that user.

How to Combat Checkout Spam

Spam might seem like a never-ending problem, but there are plenty of measures you can take to protect your PMPro site from spammers and bots. Read more in our post How to Stop Spam on Your Paid Memberships Pro Site.

Some Things We Are Working On

We are listening to our users, and we know that there are a handful of you that are experiencing a heavy load of checkout spam. Our team is continuing to add new features to the core plugin as well as look into new Add Ons and code recipes that can help our customers combat checkout spam and maintain a clean, authentic list of users and members.

  • We are working on a tool or possibly a core feature to delete old, inactive users. Similar features like this are already built in the WooCommerce plugin, where users who have no orders in two weeks after registration are automatically deleted.
  • We are looking at other options to protect sites from checkout spam in addition to the protections added through services like Akismet.
  • We are going to set the Spam Protection setting to Yes by default for all new Paid Memberships Pro sites on activation.
  • We are adding an admin notification message to show that Checkout Spam Protection is not enabled for existing sites in the Memberships admin area.
  • We are looking at methods to create a multistep checkout process. Not only is this a planned improvement for core PMPro, it also creates new opportunities for built-in abandoned “cart” recovery, in addition to the recovery features in the Recapture Integration.
  • Now that our gateway code is more consistent, we can also develop better support for offering multiple payment gateway options during checkout. We currently support PayPal Express as an additional gateway option. In the future, we want to allow sites to add other gateway options to their sites, too.