Description
Is your store getting waves of failed orders and surprise payment-processor fees? That’s almost always a card-testing attack — and Velocity Guard stops it automatically.
What is card-testing? Criminals buy lists of stolen card numbers and need to find which ones still work. They do it by running hundreds of small orders through real checkouts like yours. Every attempt can cost you a processing fee, and a flood of declines can get your Stripe or PayPal account flagged or frozen. It’s automated — it can hammer your store overnight while you sleep.
What Velocity Guard does: It watches how fast orders arrive from the same shopper, email, or device. A real customer places one order; an attack tool tries dozens in minutes. When Velocity Guard sees that burst, it quietly turns away the extra attempts before they reach your payment processor — the attacker gets nothing and you don’t get billed. Genuine shoppers never notice; the limits sit well above normal buying behavior.
Set it and forget it. Install, activate, done. The defaults are tuned to be invisible to real customers, and it runs entirely on your own site with no account to create.
Under the hood, Velocity Guard tracks how many checkout attempts come from each identity (IP address, email address, session, or combination) inside a sliding time window. Once an identity crosses the configured threshold, further attempts are rejected before WooCommerce ever processes the order — including direct hits to the REST API that skip your normal checkout page. Repeated failed payments auto-blocklist the source for hours.
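The sliding-window check described above, as an added example that is not Velocity Guard's own code. The class name, rule names and in-memory store are hypothetical; the two limits are the defaults quoted in the plugin's FAQ (5 orders per IP per 10 minutes, 3 per email per hour).

```php
<?php
// Added example, not Velocity Guard's code. Rule names and the in-memory
// store are hypothetical; limits are the defaults quoted in the plugin's FAQ.
const RULES = [
    'ip'    => ['limit' => 5, 'window' => 600],   // 5 orders per IP per 10 minutes
    'email' => ['limit' => 3, 'window' => 3600],  // 3 orders per email per hour
];

final class VelocityWindow
{
    /** @var array<string, int[]> attempt timestamps keyed by "rule:identity" */
    private array $attempts = [];

    /** Returns the name of the rule that blocks this attempt, or null if allowed. */
    public function check(array $identities, int $now): ?string
    {
        // Pass 1: evaluate every rule before recording anything, so a blocked
        // attempt is not recorded and does not use up quota under other rules.
        foreach (RULES as $rule => $cfg) {
            if (!isset($identities[$rule])) {
                continue;
            }
            $key = $rule . ':' . strtolower($identities[$rule]);
            // Slide the window: drop timestamps at or before $now - window.
            $this->attempts[$key] = array_values(array_filter(
                $this->attempts[$key] ?? [],
                fn (int $t): bool => $t > $now - $cfg['window']
            ));
            if (count($this->attempts[$key]) >= $cfg['limit']) {
                return $rule;
            }
        }
        // Pass 2: the attempt is allowed, so record it against each identity.
        foreach (RULES as $rule => $cfg) {
            if (isset($identities[$rule])) {
                $this->attempts[$rule . ':' . strtolower($identities[$rule])][] = $now;
            }
        }
        return null;
    }
}

// Constructed traffic: one IP (documentation range) using a new email every 30 s.
$guard = new VelocityWindow();
for ($i = 0; $i < 7; $i++) {
    $hit = $guard->check(['ip' => '203.0.113.7', 'email' => "card$i@example.test"], 1000 + 30 * $i);
    printf("attempt %d: %s\n", $i + 1, $hit ? "blocked by $hit rule" : 'allowed');
}
// Eleven minutes after the first attempt, the oldest entries have left the window.
var_dump($guard->check(['ip' => '203.0.113.7', 'email' => 'shopper@example.test'], 1000 + 660));
```

Because each attempt in the constructed burst uses a different email, only the per-IP rule can catch it, which is why the rules are evaluated per identity type rather than on a single key.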
Free version features
- Sliding-window velocity rules per IP, email, session, or IP+email combination
- Failed-payment auto-blocklist — configurable threshold and lockout duration
- REST API endpoint coverage — protects /wc/v3/orders, /wc/store/v1/checkout, and /wc/store/checkout (the routes modern card-testing bots target directly)
- Proxy-aware IP detection — Cloudflare, Akamai, Fastly, X-Forwarded-For, X-Real-IP, with explicit admin opt-in to prevent header spoofing on sites with no upstream proxy
- Dashboard widget — blocked-attempt counts (24h / 7d / 30d) at a glance
- Event log — every block decision with rule, source IP, and detail
- Manual IP whitelist — exempt staff workstations and test cards (IPv4 + IPv6, validated)
- HPOS-native — built on WooCommerce’s High-Performance Order Storage from day one
- Compatible with classic checkout and Cart/Checkout block
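Why the proxy-aware IP detection item above needs explicit opt-in, as an added example that is not Velocity Guard's own code. The function name and mode names are hypothetical, the header names are the ones this page mentions, and the X-Forwarded-For branch assumes a single trusted proxy in front of the site.

```php
<?php
// Added example, not Velocity Guard's code. The mode names and function name
// are hypothetical; the header names are the ones the plugin page mentions.
const PROXY_HEADERS = [
    'cloudflare'      => 'HTTP_CF_CONNECTING_IP',  // CF-Connecting-IP
    'akamai'          => 'HTTP_TRUE_CLIENT_IP',    // True-Client-IP
    'x-forwarded-for' => 'HTTP_X_FORWARDED_FOR',
    'x-real-ip'       => 'HTTP_X_REAL_IP',
];

/**
 * Resolve the address that per-IP velocity rules should count against.
 * $mode is the admin's explicit choice; 'remote_addr' means "no proxy".
 */
function resolve_client_ip(array $server, string $mode = 'remote_addr'): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    // Without opt-in, forwarding headers are client-controlled input: ignore them.
    if (!array_key_exists($mode, PROXY_HEADERS)) {
        return $peer;
    }
    $raw = $server[PROXY_HEADERS[$mode]] ?? '';
    if ($mode === 'x-forwarded-for') {
        // Assumes one trusted proxy: it appends the peer it saw, so the
        // rightmost entry is the one the client cannot set.
        $parts = explode(',', $raw);
        $raw = end($parts);
    }
    $candidate = trim($raw);
    // Missing or malformed header: fall back to the TCP peer rather than
    // keying the velocity counter on arbitrary text.
    return filter_var($candidate, FILTER_VALIDATE_IP) !== false ? $candidate : $peer;
}

// Constructed request: a client connects directly (no proxy) and supplies its
// own forwarding headers. All addresses are from documentation ranges.
$direct = [
    'REMOTE_ADDR'           => '198.51.100.23',
    'HTTP_CF_CONNECTING_IP' => '203.0.113.50',
    'HTTP_X_FORWARDED_FOR'  => '203.0.113.9, 192.0.2.44',
];
echo resolve_client_ip($direct), "\n";                    // default: the TCP peer
echo resolve_client_ip($direct, 'cloudflare'), "\n";      // header trusted only because the admin opted in
echo resolve_client_ip($direct, 'x-forwarded-for'), "\n"; // rightmost list entry
```

With the default mode the per-IP counter stays keyed on the real peer no matter what headers arrive; selecting a provider on a site with no proxy in front would key it on a value the client chooses.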
Velocity Guard Pro
Pro upgrades available via the in-plugin Upgrade screen:
- Behavioural device fingerprinting — canvas + audio + envelope fingerprint, cookie-stored. Catches attackers rotating IPs but keeping the same browser. The IP rule alone misses this; fingerprint does not.
- Slack / Discord / email alerts — fires when blocks-per-window crosses your threshold. Per-channel rate limiting so a sustained attack doesn’t spam your inbox.
- Pattern library feed — rule packs sourced from active vulnerability research, applied before velocity counters. Catches obvious bot user agents (curl, headless browsers, scraping frameworks) on the first request.
- 14-day free trial, no credit card required.
Screenshots

Settings page — velocity rule thresholds, failed-payment blocklist, IP whitelist, REST API protection toggle. 
Dashboard widget — blocked attempt counts at a glance (24h / 7d / 30d). 
Event log — recent block events with rule name, source IP, and detail. 
Pro settings panel — per-feature settings (visible to Pro users). 
Recent events showing pattern-library rule matches blocking curl-style bot user agents.
Installation
- Install via the WordPress plugin directory, or upload the velocity-guard-for-woocommerce folder to /wp-content/plugins/.
- Activate Velocity Guard for WooCommerce through the Plugins menu.
- Make sure WooCommerce is installed and active.
- Go to WooCommerce → Velocity Guard to configure thresholds and review the event log.
The default velocity thresholds are tuned to be invisible to normal shoppers. You can adjust per-rule and add staff IPs to the whitelist.
FAQ

Does this require an external API or service?
No. Velocity Guard runs entirely on your WordPress server. The free version has no external dependencies.

Will this block legitimate customers?
The default thresholds (5 orders per IP per 10 minutes, 3 per email per hour, 3 failed payments before auto-blocklist) are tuned to be invisible to normal shoppers. Every block is logged with rule + source so you can audit and tune per-rule from the settings page. Whitelist your staff IPs to bypass entirely.

Does it work with WooCommerce Blocks / Cart-Checkout Blocks?
Yes. Velocity Guard protects both the classic checkout (woocommerce_checkout_process hook) and the Cart/Checkout block Store API (woocommerce_store_api_checkout_order_processed and rest_pre_dispatch for direct REST hits).

I run my site behind Cloudflare / Sucuri / Akamai — will per-IP velocity still work?
Yes, but you need to tell the plugin which header carries the real client IP. Go to WooCommerce → Velocity Guard → Reverse proxy / CDN and select your provider (Cloudflare uses CF-Connecting-IP, Akamai uses True-Client-IP, etc.). Default is REMOTE_ADDR, which is the safe choice when no proxy is in front of your site.

Is this HPOS-compatible?
Yes, built HPOS-native from day one. No legacy meta-table queries.

Do I need WooCommerce installed?
Yes. The plugin won’t activate without WooCommerce 8.0+ active.

What’s the difference between the free version and Pro?
The free version stops bots that don’t load your page (curl, scripts, direct API hits without a session cookie) and rate-limits per identity (IP / email / session). Pro adds device fingerprinting (catches attackers that rotate IPs but keep the same browser), real-time alerts, and an updatable pattern library sourced from active vulnerability research.

Does the plugin store any sensitive data?
Velocity Guard stores: timestamps of checkout attempts, source IPs, billing emails, session identifiers, and block reasons. It does NOT store card numbers, CVCs, or any PCI-sensitive data.
Reviews
There are no reviews for this plugin.
Contributors & Developers
“Velocity Guard for WooCommerce” is open source software. The following people have contributed to this plugin:
Changelog
0.2.0
- Pro: the pattern library is now an automatically updated, cryptographically signed rule pack (daily). Updates are verified before use; if an update ever fails, the previously loaded rules stay active and checkout is never interrupted.
- Pro: added a “Pattern library feed” status panel with a manual update control.
- Pro: added datacenter / hosting-range matching to the pattern rule engine.
- Hardened pattern matching against pathological (ReDoS) expressions.
0.1.0
- Initial public release.
- Sliding-window velocity rules per IP, email, session, and IP+email combination.
- Failed-payment auto-blocklist with configurable threshold and duration.
- REST API guard for /wc/v3/orders, /wc/store/v1/checkout, /wc/store/checkout.
- HPOS-native data layer; declared compatible via FeaturesUtil::declare_compatibility.
- Proxy-aware client IP detection for Cloudflare, Akamai, Fastly, X-Forwarded-For, X-Real-IP.
- IP whitelist with IPv4/IPv6 format validation.
- Custom event log table with dashboard widget and admin event browser.
- Pro tier (Freemius-managed): behavioural device fingerprinting, Slack/Discord/email alerts, pattern library rule packs.