WordPress & third Party Webhooks

By Muhammad Sohaib

Integrating WordPress with Webhooks: A Complete Guide

When integrating WordPress with webhook systems, it’s crucial to verify requests and handle notifications correctly. This guide will walk you through setting up webhook verification and processing webhook events in WordPress.

Understanding Webhook Verification

Before a webhook provider sends notifications to your webhook, it must be verified to ensure that the provided URL belongs to the application developer. The verification process typically involves two GET requests:

  • A request with the correct verification code, which must return a 204 No Content response.
  • A request with an invalid verification code, which must return a 404 Not Found response.

Example verification requests:

GET https://example.com/webhooks/?verification=verify_code HTTP/1.1
> expect 204 No Content

GET https://example.com/webhooks/?verification=invalid_code HTTP/1.1
> expect 404 Not Found

Setting Up Webhook Verification in WordPress

To handle verification requests, add the following code to your functions.php file:

function handle_webhook_verification() {
    if (isset($_GET['verification'])) {
        $correct_code = 'verify_code'; // Replace with the actual verification code
        if ($_GET['verification'] === $correct_code) {
            status_header(204);
            exit;
        } else {
            status_header(404);
            exit;
        }
    }
}
add_action('init', 'handle_webhook_verification');

This function ensures that your webhook URL responds correctly to verification requests at all times.

Determining Your Webhook URL

Based on the setup, the webhook URL you need to add to the webhook provider’s configuration panel is:

https://yourwebsite.com/webhooks/

Replace yourwebsite.com with your actual domain.

To verify the setup, visit:

https://yourwebsite.com/webhooks/?verification=verify_code

If configured correctly, this should return a 204 No Content response.

Handling Webhook Notifications in WordPress

Once the webhook is verified, the provider will send POST requests containing relevant data. To handle these notifications securely, implement the following:

function handle_webhook_notifications() {
    $headers = getallheaders();
    $body    = file_get_contents('php://input');
    $signature = $headers['X-Signature'] ?? '';
    $secret = 'your_webhook_secret'; // Set your secret key

    if (!verify_webhook_signature($body, $signature, $secret)) {
        status_header(403);
        exit;
    }

    $data = json_decode($body, true);
    if ($data) {
        file_put_contents(WP_CONTENT_DIR . '/webhook.log', print_r($data, true), FILE_APPEND);
    }

    wp_send_json_success();
}
function verify_webhook_signature($payload, $signature, $secret) {
    $computed_signature = hash_hmac('sha256', $payload, $secret);
    return hash_equals($computed_signature, $signature);
}
add_action('rest_api_init', function() {
    register_rest_route('webhook/v1', '/notify/', [
        'methods' => 'POST',
        'callback' => 'handle_webhook_notifications',
        'permission_callback' => '__return_true',
    ]);
});

Alternative REST API Endpoint

If you prefer using WordPress’s REST API for webhooks, use the following URL instead:

https://yourwebsite.com/wp-json/webhook/v1/notify/

This approach registers a dedicated REST API endpoint for receiving webhook data securely.

Final Thoughts

  • Ensure that your webhook URL is accessible and configured correctly.
  • Use the verification mechanism to allow only trusted sources to send notifications.
  • Implement signature verification to enhance security.
  • Log webhook events for debugging and auditing purposes.

By following this guide, you can successfully integrate WordPress with any webhook system, ensuring seamless and secure data exchanges.

Posted in Customise WordPress