Woocommerce Webhooks Secret Key

Let’s admit it, I spend too much time on Facebook. In my defense, it’s not all spent looking at memes. I have plenty of WordPress support groups that I follow.

One of the problems with Facebook is that it’s not spidered well by Google. And most groups require that you login and be a member to see the posts. Facebook’s own search system is practically useless. The end result is much of the knowledge is lost.

There was a question in the Advanced Woocommerce group about what the Webhook “Secret” field configured in the Woocommerce Webhooks dashboard area really means.

The woocommerce docs can be really poor. In this case they lack important details, such as what kind of hash is used and how to use this secret in the application receiving the hook. With no guidance on the value to put in this field, what is a user supposed to do?

(If anyone from Automattic or woocommerce is reading this, a link from the end user docs to tech docs would be super helpful for obscurely defined configuration fields like this one.)

In addition to the Woo dot-com docs and developer codex, there are little-known WC developer docs on github. These are designed for the Woocommerce REST API.

My first nugget of wisdom for WordPress developers: When the woocommerce.com PHP docs suck, sometimes more details can be found in the REST docs, as was the case here.

In my attempt to help the next person with the same question, here is my answer on how the woocommerce webhooks secret field is used. (links to this page are encouraged)

The Meaning Of The Woocommerce Webhooks Secret Field

The secret has a little better description on the github REST API docs than the woocommerce.com end user docs. It is documented as the “Secret key used to generate a hash of the delivered webhook and provided in the request headers.”

Later on in the github docs is a description of how the hash is received: as an HTTP header in the webhook response. “X-WC-Webhook-Signature – A base64 encoded HMAC-SHA256 hash of the payload”.

You have to know a little bit about cryptography to understand this.

A hash-based MAC (HMAC) is used to verify the data integrity and the authenticity of a message. The SHA256 HMAC algorithm is satisfied by a 32 byte key. We’re talking a full entropy key (completely random characters in the key). The maximum key size is 64 bytes. Anything larger is reduced to 32 bytes.

You can use this PHP code to generate a base64 encoded HMAC on your receiving side and compare it with the X-WC-Webhook-Signature value in the HTTP header in order to validate the message. If your encoded signature and the one in the HTTP header match, you can assume this is a valid response from the woocommerce site.

$yourHashSig = base64_encode(hash_hmac('sha256', $request_body, $secret, true));

The secret used here is the same secret value set on the woocommerce webhooks configuration page.
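A receiver-side check built around the one-liner above, as an added example that is not from the WooCommerce docs or the original post. The function name verify_webhook_signature and the sample secret and payload are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper: check one webhook delivery against the shared secret.
 *
 * $rawBody   - request body exactly as received, before any json_decode()
 * $signature - value of the X-WC-Webhook-Signature header, null if absent
 * $secret    - the Secret entered on the webhook settings page
 */
function verify_webhook_signature(string $rawBody, ?string $signature, string $secret): bool
{
    // Reject unsigned deliveries and an unconfigured (empty) secret outright.
    if ($signature === null || $signature === '' || $secret === '') {
        return false;
    }
    // Same computation as the one-liner above: raw HMAC-SHA256, then base64.
    $expected = base64_encode(hash_hmac('sha256', $rawBody, $secret, true));
    // hash_equals() compares in constant time; == or strcmp() can reveal,
    // through timing, where the first mismatching character is.
    return hash_equals($expected, trim($signature));
}

// In a real endpoint the inputs would come from the request:
//   $rawBody   = file_get_contents('php://input');
//   $signature = $_SERVER['HTTP_X_WC_WEBHOOK_SIGNATURE'] ?? null;

// Constructed demo data (not real WooCommerce output).
$secret = bin2hex(random_bytes(32));   // 64 hex characters, 256 bits of entropy
$body   = '{"id":123,"status":"processing"}';
$sent   = base64_encode(hash_hmac('sha256', $body, $secret, true));

$cases = [
    'untouched delivery'   => [$body, $sent],
    'body altered'         => [str_replace('123', '124', $body), $sent],
    're-encoded JSON body' => [json_encode(json_decode($body), JSON_PRETTY_PRINT), $sent],
    'header missing'       => [$body, null],
    'wrong secret used'    => [$body, base64_encode(hash_hmac('sha256', $body, 'guess', true))],
];

foreach ($cases as $label => [$b, $sig]) {
    printf("%-22s %s\n", $label, verify_webhook_signature($b, $sig, $secret) ? 'accept' : 'reject');
}
```

The re-encoded case is there because the HMAC covers the exact bytes that were sent: compute it over the raw request body, not over JSON you have decoded and serialized again.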

The hooks are not replayed. If you miss one, it’s gone. Webhooks, unlike an API, are one-way and don’t require a response.

OnSiteWP WordPress Support Plug

OnSiteWP is different from other WordPress support companies in that we have experienced WordPress developers on staff to answer questions when Google search fails you. As part of our 1-time WordPress Fix It service, we will be happy to explain a poorly documented plugin field to you.

If you have developed a lot of sites and don’t want to be responsible for plugin updates or if the site gets hacked, our WordPress maintenance affiliate program may be of interest to you.

Linux Command Line Basics For WordPress Developers

I’ve written on many marketing and beginner topics. It is time to give my WordPress developers some love.

The linux command line is something that strikes fear into many WordPress developers. Even some really great ones. But there is no need to be scared. Learning the basic format of a command and a few commonly used commands can get you jump started.

So many linux tutorials assume that you will be the server administrator. For a website developer that is not the case. The hosting company has the admin side handled. I am gearing this tutorial towards what is known as userland. The place where users happily get their work done.

Please remember that the linux command line is case sensitive. This means that upper case letters are considered distinct from lower case letters. All of the basic commands are going to be lower-case.

The Pattern of Commands

Most commands follow a common pattern:

  • The command name
  • The command options
  • The files to apply this command to

Every command starts with the command name. It always comes first. The linux philosophy is each command has a single small purpose. Later on when we get advanced, I’ll show you how to chain commands together to do incredible things with a few basic building blocks. Examples of commands are listing files (ls), changing directories (cd), unzipping files (unzip)… basically everything you can dream of.

The command options are… get ready for this… optional. Sometimes a command does what you want by default. Other times you use an option to modify the behavior of a command. Take the ls command used to list files. With no options ls simply prints the names of the files in your current directory. I find it much more useful to see the “long” listing because it displays the file permissions, date, size and name together. “ls -l” is the option to get the long listing.

Often times the command will take an action on a file or directory. This file or directory is given last in the command. A common task is changing into a directory. (think double-clicking into a folder on windows or your mac) The change directory (cd) command needs to know the name of the directory to switch to. When I’m at the top of my wordpress folder and want to change into wp-content the command is “cd wp-content“.

Level 1

I’m going to split this into two levels. The first will show you how to move around the filesystem and read files. The second level will really make you look like a pro!


The exit command is simple. For our purposes it serves as the logout command.

Connect to your web hosting account with ssh, type exit and press enter. You will be logged out. Repeat this as many times as it takes to feel comfortable.


ls lists files. It is similar to the dir command for people who know the DOS/Windows command line.

The command line scares many people because they feel lost. They don’t know what folder they are in or what files are in that folder. Type ls and press enter. This will show your files.

ls is one of those commands with a ton of command line options. When you read the manual you will see that the developers ran out of lower case letters and started mixing in options with upper case letters too!

For our purposes there is one ls to rule them all: ls -la

This lists our files in long format and shows ALL files. Linux systems by default don’t show filenames beginning with a dot (.) in the name. Dot-files as they are known are typically used for system configuration files. In daily life, the config files can clutter things up so the designers of linux decided to omit them unless the -a option is given. As a web developer there is an important dot file to watch for: .htaccess. I’m sure you are already aware .htaccess is used to modify how apache treats files, can handle redirects and more.

There are two special directories you’ll see in every ls -la. These are “.” and “..”. The single dot is a reference to the current directory. Double-dot “..” references one directory up from your current directory.


pwd shows what your present working directory is. Knowing your current directory helps you understand where in the filesystem the files you are looking at exist. When you forget where you are, pwd will remind you.


cd changes directories. As mentioned above, it is just like double clicking a folder in a GUI.

Tying it together: cpanel style servers will drop you in what’s known as your Home directory. This is the common starting point for your files. Type “ls -l” and you will see the public_html folder. Type “cd public_html” and you will get changed into the public_html folder. Type “ls -l” again and you’ll see your WordPress files. Repeat “cd wp-content” and “ls -l” to switch and view your wp-content folder files. Type “cd ..” to hop up a folder level. Type “pwd” to show which folder you are in.

If you are ever totally lost, type cd alone with no directory name. This will reset you back to your Home directory.

And like that, with 3 commands, you are a full filesystem explorer.


Moving up and down the filesystem is one thing. Do you want to read a file? Use the less command.

Change into your WordPress public_html folder and type “less index.php“. This opens the index.php file in the file reading program.

Pressing Enter moves you down one line at a time. Pressing space bar moves down a page at a time. Pressing b moves you back a page towards the top of the file. Pressing q will quit out of less, which returns you to the command line.

In WordPress index.php is pretty boring. Using “less wp-config.php” or “less .htaccess” is much more common when exploring a site on the command line.


cp is used to copy a file. As a wordpress user I most frequently use cp to make a backup copy of a file before uploading a change.

cp takes two parameters, the original filename and the new filename.

In order to copy wp-config.php to a new name such as wp-config-backup.php you would type: cp wp-config.php wp-config-backup.php

Now if you mess up your wp-config.php you can always copy the backup on top of the messed up version like this: cp wp-config-backup.php wp-config.php

cp like many linux commands doesn’t give you many “are you sure?” roadblocks like windows or a mac. Linux assumes you are doing this on purpose and cp overwrites the file before you can blink. You’ll be rushing for your website backups if you get careless with cp, mv, rm or any of the file operations.

There is one trick to know about cp. It is used to copy files. It can also copy directories if given the -r option.

cp wp-content wp-content-backup will complain wp-content is a directory. cp -r wp-content wp-content-backup will copy the entire wp-content directory tree to a new wp-content-backup folder.


mv moves a file. Everything I said about cp applies to mv.

The difference between a copy and a move is that in a copy, the original file is not changed. A move renames the file. Think of it like copying the file and removing the original.

If you want to move your wp-config.php out of the way to an “old” version so that your FTP program doesn’t complain the file already exists when uploading, you can rename it with: mv wp-config.php wp-config-old.php. Please be aware that your wordpress site won’t run until you upload a new wp-config.php or move the old version back into place with: mv wp-config-old.php wp-config.php


rm removes a file. It is swiftly deleted.

If you want to trash your .htaccess file so that saving permalinks writes a new one: rm .htaccess

rm has the same directory protection as cp and mv. If you want to remove an entire directory use the -r option. If you hate your entire website and want to remove it so that you can drop in a new duplicator installer.php and zip file, first cd into your public_html folder and run: rm -r *

The * means all files in the directory. (all files except dot-files)


unzip does the obvious, it unzips a zip file.

If you want to manually install a plugin, upload it to your wp-content/plugins folder, then change into that folder with cd wp-content/plugins. Run ls to make sure you see the file in there. Then type unzip yourpluginname.zip to get it unzipped. From your wordpress dashboard you will see it listed and available to be activated.

Level 2

Coming soon!






WP Template Parts vs CSS Styles And Scripts

One of our major goals at OnSiteWP is to make WordPress sites easy for businesses to own. Both Mark and I enjoy digging under the hood of websites but you may not hear us “speaking geek” because we understand that our clients have better things to do than listen to us ramble about html, css, php and the like. But just because you don’t hear us spouting jargon doesn’t mean we don’t know how to. While most of our clients like to turn over the keys of their site and know that it’s going to be well taken care of, we also offer consulting services to developers who get in over their head.

I was helping a WordPress designer/developer understand how the parts of a WordPress theme relate to each other. It started as a woocommerce template question but it really applies to all WordPress themes in general.

He was working on a theme file that imported several sections with the WordPress get_template_part() function and was confused about how to apply CSS to his template part file.

get_template_part() is a fancy WordPress function that behaves like a PHP require statement at the end of the day. Once you get past this mental hurdle, the way in which you apply CSS styles and javascript selectors becomes obvious. You don’t write CSS for the template part, you write it for the final HTML output because that is how your web browser sees the page.

For added measure, I got him to pull out his inline javascript snippets and use the WordPress wp_enqueue_script() function for his custom js code. The benefit to using wp_enqueue_script() is proper dependency management.

We will never dive into these sorts of details with 98% of our clients. They want a WordPress site that is reliable, secure, and performant. But don’t be afraid to contact us with your hardest development questions. We are up for the challenge! A couple hours consulting with us is much cheaper than spending weeks of frustration on your own.


Reduce Distractions on Android Phones

While we are a WordPress based company, we still have other technology in our lives. Today I’d like to step away from WordPress and give a productivity tip.

Lately the Facebook and Twitter apps on my phone have been alerting like crazy. Maybe that’s a good thing and signals that our OnSiteWP marketing is working. Yet still, it’s a huge distraction from important alerts to hear my phone buzz every 3 minutes. This type of problem is so common that it has a name: alert fatigue.

On Android it is possible to stop apps from sending notifications to the top menu/notification area. What you want to do is swipe down on the top menu to open up the notifications. Then long-press on the notification that you want to stop. It will open up a window like this one:

Tap the toggle switch on the Allow Notifications setting to turn off notifications for that app. Repeat this for each app that you want to silence. I did this an hour ago and I already feel so much less stress that I had to blog about it. 🙂

You need not worry about changing in-app behavior. When you open up the app it will still show notices in their usual place:

Follow us on twitter, facebook, and instagram @onsitewp if you’d like to see more business, marketing, and WordPress tips.


Photo by jasonbolonski

Convert Your WordPress Website to Use SSL and https://

What is HTTPS and do you even need it?

Many people are looking to convert their site from plain HTTP to the secure version (HTTPS). Sometimes this is called adding an SSL certificate to your website. An SSL certificate is what makes the secure HTTPS transport possible. The “S” in HTTPS stands for secure. The SSL certificate provides the encryption key that makes the encrypted HTTPS protocol possible.