Offsite payment gateways like PayPal Standard or Stripe Checkout help users feel more confident making a purchase—but as a site owner you may be surprised by how your membership plugin has to handle this checkout scenario.

This post aims to explain why your membership site is creating users before their payment is successfully received. We’ll cover why this is a necessary effect of using an offsite gateway, and how to protect your members-only content the right way so users without a membership level do not gain access to locked content.

Users Created Before Payment is Received with PayPal Standard

How PMPro Works with Offsite Gateways Like PayPal Standard

Is this happening in your membership site? The user account is being created with full access before the payment is processed.

Or a similar scenario: A user goes through the signup process on the site, creates their username and password, then goes to pay at PayPal. At this point they are considered Subscribers to the site, but haven’t paid. Then they hit the back button on the browser, go back to my site, and have full access without paying.

Paid Memberships Pro has to create a WordPress user account before sending the customer to PayPal to pay. When this happens, the user does NOT have a PMPro membership level. The membership level is only given to the user once PayPal sends an IPN message that the payment has gone through.

The user must be created first with PayPal Standard for technical reasons. Primarily, it’s a huge security hole if your site tries to remember the password they entered while the site waits to hear back from PayPal.

The reason this may be extra confusing is that some other membership plugins work differently from ours: they process payment and then give users a way to sign up for a WordPress account. What’s great about PMPro is that (when using any other gateway besides PayPal Standard) we create the WordPress account at the same time that payment is processed. This is a better workflow for users since they only have one checkout/signup page to deal with.

Lock Your Site Content for Non-Members

Users logged into their WordPress user account without a level in PMPro should not have access to your members-only content.

If you believe that users can access member content, double check that all of your content is locked for members only. You can double check restricted post categories for your membership levels, or use code like this, or use any of the tactics in our documentation, to lock down your content.

Read this post for all the ways to protect content with Paid Memberships Pro.
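
One way to gate content on membership level rather than on login state, as an added example (not code from Paid Memberships Pro). The category slug `members-only` and the `my_` function names are assumptions; `pmpro_hasMembershipLevel()` and `pmpro_url()` are PMPro functions.

```php
<?php
/**
 * Added example, not PMPro's own code. Assumes a hypothetical category
 * slug "members-only". Place in a small custom plugin.
 */

// Weak check, shown for contrast only and not hooked anywhere: it is true
// for ANY logged-in account, including one created at checkout whose
// PayPal payment never completed.
function my_weak_can_view() {
	return is_user_logged_in();
}

// Correct check: true only when the current user holds a membership level.
// Fails closed if PMPro is deactivated, so content is not exposed by accident.
function my_member_can_view() {
	if ( ! function_exists( 'pmpro_hasMembershipLevel' ) ) {
		return false;
	}
	// With no arguments, this checks for any level on the current user.
	return is_user_logged_in() && pmpro_hasMembershipLevel();
}

// Replace the body of locked posts for anyone without a level. There is no
// is_singular() test, so the lock applies wherever the_content runs for the post.
function my_lock_members_only_content( $content ) {
	$post = get_post();
	if ( ! $post || ! in_category( 'members-only', $post ) ) {
		return $content; // Not a locked post.
	}
	if ( my_member_can_view() ) {
		return $content;
	}
	$levels_url = function_exists( 'pmpro_url' ) ? pmpro_url( 'levels' ) : wp_login_url();
	return '<p>This content is for members only. <a href="'
		. esc_url( $levels_url ) . '">View membership levels</a>.</p>';
}
add_filter( 'the_content', 'my_lock_members_only_content' );
```

To verify the lock, log in as a user with no membership level (for example, one who abandoned a PayPal Standard checkout) and confirm a post in the locked category shows the notice instead of its body.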

Why does PayPal Standard work this way?

If you are interested, the reason we’ve programmed our PayPal Standard integration to work this way is that when the user goes to PayPal, we have no way of knowing if or when they will come back to the site. Even if they pay, they might not click the “return to site” link to return to your site.

Other membership plugins will typically check that payment has gone through and then direct users to sign up and create their user account after payment. We’d like users to be able to enter everything on one checkout page and so ask for the username and password up front and create the user account then.

There are more reasons to avoid using PayPal Standard.

Other gateways like PayPal Express don’t work this way. With PayPal Express, we get an immediate response from PayPal after the user checks out. So we can wait for payment to go through before creating the user account. If there is an issue with payment, we won’t create a WordPress user account.

However, even though other gateways will wait to create a user account, we still recommend that you lock your site down for members vs. non-members. When members cancel, they retain their WordPress user account (and just lose their membership level) and there are generally other ways to gain a WordPress user on your site without a membership level.

It’s a good idea to think more about members vs. non-members than users vs. non-users.