Recently we’ve been getting a lot of questions along these lines from PMPro users using PayPal Standard:
All a user has to do is go through the signup process on the site, create a username/password, be taken to the Paypal portion,(at this point they are considered Subscribers to the site now without actually paying yet) then simply hit the back button on the browser to go back to your site and they have full access without paying
This is how our integration with PayPal Standard works. Before the user is taken to PayPal to pay, we create a WordPress user on your site. However, that user does NOT have a PMPro membership level yet. The membership level is only given to the user once PayPal sends an IPN message that the payment has gone through.
The solution here is to simply lock down your site for non-members. Users with a WP user, but no PMPro level should not have access to your member content.
You need to check “Require Membership” on your member content, or check categories for your membership levels, or use code like this, or use any of the tactics in our documentation, to lock down your content.
If you are interested, the reason we’ve programmed our PayPal Standard integration to work t this way is that when the user goes to PayPal, we have no way of knowing if or when they will come back to the site. Even if they pay, they might not click the “return to site” link to return to your site. Other membership plugins will typically check that payment has gone through and then direct users to sign up and create their user account after payment. We’d like users to be able to enter everything on one checkout page and so ask for the username and password up front and create the user account then.
Other gateways like PayPal Express don’t work this way. With PayPal Express, we get an immediate response from PayPal after the user checks out. So we can wait for payment to go through before creating the user account. If there is an issue with payment, we won’t create a WP user account.
However, even though other gateways will wait to create a user account, we still recommend that you lock your site down for members vs. non-members. When members cancel, they retain their WP user account (and just lose their membership level) and there are generally other ways to gain an WP user on your site without a membership level. So it’s a good idea to think more about members vs. non-members than users vs non-users.