As long as you are just adding a 'paypal' like API button or something WordPress is usable but not for any volume or secure application. in the editor -- select the text tab and just paste the API HTML. Whoever developed the API should have made the code acceptable to that editor.
The picture below is pretty much self explanatory. If you have problems: try looking for an online formatting tool that will
escape the HTML characters for PHP
Bots posting to your API will affect the server it posts to -- the API processor. The processor should anticipate this and take whatever counter-measures the processor deems necessary.
The best counter-measure for wordpress security is not to use plugins without some search engine reading -- preface the plugin with 'exploit'+ plugin name > see if there are known issues before you install them. And you need to constantly update the wordpress code to the newest version as wordpress is the holy grail of code-kiddie hackers.
https://www.
yourdomain.com/wp-admin/plugin-install.php?s=ip+ban&tab=search&type=term
Use a IP log-in blocker for code-kiddies (C0d3-k1ddi3s) that will try to brute force their way in. WordPress' SEO features like feeds and ping backs are like beacons to low skill hackers using automated exploit tools.