Checkout Origin Guard
Description
Checkout Origin Guard protects your WooCommerce store from fake, fraudulent, or automated checkout attempts by identifying and blocking abusive origins before they clutter your order table or your logs.
The plugin runs client-origin heuristics, IP controls, and sequence analysis to detect non-human traffic and suspicious behavior at checkout. It adds Company Shield for business and email sanity checks and an optional AVS “U” signal handler for gateways that report “Address not checked / unavailable”.
All controls live on a single admin screen; you can adjust sensitivity, manage allowlists and blocklists, and review traffic logs in one place.
Three layers of protection
Bot Block (traffic level)
Detects and throttles abusive requests before they become orders:
- Analyzes user agents, referrers, and known bot signatures
- Watches rapid-fire hits to checkout and wc-ajax endpoints
- Supports monitor, soft, and hard blocking modes
- Built-in allowlist for search engines, uptime monitors, and core WordPress services
Company Shield (checkout level)
Validates business identity and email quality at checkout:
- Flags suspicious or synthetic business names
- Detects repeated syllables, odd vowel ratios, and gibberish patterns
- Identifies disposable email domains and role-based accounts (admin, info, sales, etc.)
- Can run in:
  - Monitor; log and annotate orders
  - Soft; create the order and automatically place it on hold or pending
  - Hard; block checkout with a user-facing error message
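As an added illustration, not the plugin's own code, here is a standalone Python model of the Company Shield checks listed above (vowel ratio, repeated syllables, gibberish and mixed-character names, disposable and role-based emails) mapped onto the three modes; the word lists, thresholds, flag names and outcome labels are assumptions.

```python
import re

# Constructed sample lists: the page does not publish the plugin's own lists.
DISPOSABLE_DOMAINS = {"mailinator.com", "guerrillamail.com", "10minutemail.com"}
ROLE_LOCALPARTS = {"admin", "info", "sales", "support", "billing", "webmaster"}
VOWELS = set("aeiou")

def vowel_ratio(name: str) -> float:
    """Share of vowels among letters; ordinary names land roughly in 0.25-0.65 (assumed band)."""
    letters = [c for c in name.lower() if c.isalpha()]
    return sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0

def company_flags(name: str) -> list:
    """Heuristic flags for a billing company name; every threshold here is an assumption."""
    flags = []
    compact = re.sub(r"[^a-z]", "", name.lower())
    if not compact:
        return ["empty"]
    ratio = vowel_ratio(name)
    if ratio < 0.25 or ratio > 0.65:
        flags.append("odd_vowel_ratio")
    # The same 2-3 letter chunk three or more times in a row, e.g. "lololo".
    if re.search(r"([a-z]{2,3})\1{2,}", compact):
        flags.append("repeated_syllable")
    # Six consonants in a row inside one word is rare in real names ("strengths" has five).
    if any(re.search(r"[bcdfghjklmnpqrstvwxz]{6,}", w) for w in name.lower().split()):
        flags.append("consonant_run")
    # Letters and digits interleaved character by character, e.g. "A1b2C3".
    if re.search(r"(?:[A-Za-z]\d){3,}", name):
        flags.append("mixed_characters")
    return flags

def email_flags(email: str) -> list:
    """Flags disposable domains and role-based local parts (plus-suffixes ignored)."""
    local, at, domain = email.lower().strip().rpartition("@")
    if not at or not local or "." not in domain:
        return ["malformed"]
    flags = []
    if domain in DISPOSABLE_DOMAINS:
        flags.append("disposable_domain")
    if local.split("+", 1)[0] in ROLE_LOCALPARTS:
        flags.append("role_based")
    return flags

def decide(company: str, email: str, mode: str) -> tuple:
    """Map the collected flags onto the plugin's modes: monitor, soft, hard."""
    flags = company_flags(company) + email_flags(email)
    if not flags:
        return "accept", flags
    outcome = {"monitor": "accept-and-annotate", "soft": "create-on-hold", "hard": "block"}[mode]
    return outcome, flags
```

Tune the band and run lengths against your own order history before leaving Monitor mode; a single flag on a real customer is the cost to watch for.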
Payment AVS signals (post-payment; optional)
For gateways that expose AVS results in order meta, Checkout Origin Guard can treat “AVS: U; unavailable / not checked” as a risk signal:
- Does not change how your gateway authorizes or captures payments
- Can be configured to:
  - Ignore the signal
  - Add an order note only
  - Add an order note and bump a risk-score meta field
  - Put the order on hold for manual review
- Uses flexible pattern matching; can scan specific gateway meta keys or fall back to scanning all order meta for common “AVS: U” messages such as the PayPal string
- Off by default; you opt in and choose the behavior
Key Features
- 🛡️ Bot Block; Detects and blocks automated bots by analyzing user agents, referrers, and checkout behavior patterns.
- ⚡ Rapid Sequence Detection; Monitors frequency and timing between checkout attempts to identify scripted attacks and card testing activity.
- 🧠 Company Shield; Flags suspicious or AI-generated business names, email domains, and mixed-character spam entries at checkout.
- 🌎 Allowlist Controls; Preserve access for search engines, uptime monitors, and essential WordPress and WooCommerce services.
- 🔒 Hard / Soft / Monitor Modes; Choose between logging only, soft blocking, or full hard blocking.
- 🧾 AVS “U” Risk Signals (optional); Treat “Address not checked / unavailable” as a post-payment risk signal; add notes, increase risk score, or hold the order.
- 🗂️ Log Viewer; See activity including timestamps, IPs, user agents, paths, and detection outcomes.
- 🧩 One-Page Dashboard; Configure settings, review logs, and manage allow/deny lists from a single screen.
- 🚫 Manual Block / Unblock; Instantly remove or restore access for specific IPs with one click.
- 💾 CSV Export; Download checkout-origin activity logs for security review or record keeping.
Why Online Shops Need it
WooCommerce checkouts are frequent targets for:
- Card testing and BIN probing
- Fake business registrations and spam accounts
- Automated scripts hammering your checkout endpoints
Checkout Origin Guard focuses on checkout behavior and identity quality, not just generic firewall rules. It helps you:
- Reduce chargeback and fraud risk
- Keep your order list clean and reviewable
- Shorten the time spent cleaning up junk orders and bogus signups
The plugin works alongside any existing firewall, CDN, or WAF; it does not rely on external APIs or subscriptions. All data stays on your server.
Use Cases
- Prevent card testing or order spam
- Stop bots using nonsense or AI-generated company names
- Detect rapid repeat checkout attempts from the same IP
- Block suspicious POST requests that hit checkout endpoints
- Add an extra layer of review for orders where the gateway reports “AVS unavailable / not checked”
- Maintain cleaner order history and logs for real customers
Credits
Developed by Michael Winchester
For documentation and updates, visit https://michaelwinchester.com
Installation
- Upload the plugin folder to /wp-content/plugins/checkout-origin-guard/
- Activate the plugin through the Plugins menu in WordPress.
- Go to WooCommerce → Checkout Origin Guard in the admin sidebar (or Tools → Checkout Origin Guard if WooCommerce is not present).
- Configure your preferred mode:
  - Monitor; log only, no blocking (recommended starting point)
  - Soft Block; log and slow or defer traffic
  - Hard Block; log and deny abusive access entirely
- Review logs, then fine-tune detection thresholds and allowlists before enabling Soft or Hard modes in production.
- Optional; enable AVS “U” handling under Payment AVS Signals, starting with “Add order note only” before switching to “Hold for review” on higher-risk stores.
FAQ
Does this plugin affect SEO bots or uptime monitors?
Only if you disable the built-in allowlist. Common search engines and known uptime agents (such as Googlebot, Bing, and UptimeRobot) are allowed by default. You can customize the allowlist if needed.
Will it block my own IP?
Your logged-in administrator sessions are never blocked by Bot Block. If you manually block your own address, you can unblock it from the plugin dashboard with one click.
Does it replace a firewall or security plugin?
No. Checkout Origin Guard complements existing firewall or security plugins. It focuses specifically on WooCommerce checkout behavior and identity quality, rather than broad HTTP filtering.
Does this change how my gateway processes payments?
No. Checkout Origin Guard does not interfere with your payment gateway’s authorization or capture logic. The optional AVS “U” feature runs after the gateway has responded and only:
- Adds order notes
- Adjusts a risk-score meta field
- Optionally changes the WooCommerce order status to “on-hold” for manual review
Your gateway interaction and funds flow remain unchanged.
What is AVS “U” and why should I care?
AVS (Address Verification Service) compares billing address details against card-issuer records. The code “U” usually means:
- Address not checked, or
- Service unavailable, or
- Acquirer had no response
On its own, AVS U does not prove fraud, but combined with other signals (suspicious company name, disposable email, rapid sequence from one IP) it can be a useful reason to slow down and review the order.
I do not know my gateway meta keys. Can I still use AVS detection?
Yes. The AVS settings include an optional Gateway Meta Keys list. If you know the exact meta keys your gateway uses to store AVS results, you can enter them for more precise scanning. If you leave the field blank, Checkout Origin Guard will scan all order meta values for common AVS U patterns, including PayPal-style messages such as:
AVS: U: Unavailable / Address not checked, or acquirer had no response. Service not available.
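An added standalone model, not the plugin's PHP, of the meta scan this answer and the Payment AVS signals section describe: read only the configured gateway keys when they are given, otherwise scan every meta value for full AVS U messages, then apply the chosen action. The order stand-in, the pattern list, the action names and the risk-score meta key `_cog_risk_score` are all assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed patterns for AVS "U"; the plugin's own list is not published on the page.
AVS_U_PATTERNS = [
    re.compile(r"\bAVS\s*:?\s*U\b", re.IGNORECASE),              # "AVS: U", "AVS U"
    re.compile(r"address\s+not\s+checked", re.IGNORECASE),
    re.compile(r"(?:service|avs)\s+(?:not\s+available|unavailable)", re.IGNORECASE),
]

@dataclass
class Order:
    """Minimal stand-in for a WooCommerce order: meta, status and order notes."""
    meta: dict
    status: str = "processing"
    notes: list = field(default_factory=list)

def find_avs_u(meta: dict, gateway_keys: Optional[list] = None) -> Optional[str]:
    """Return the meta key carrying an AVS 'U' signal, or None.
    With gateway keys configured only those keys are read and a bare code "U" counts;
    with the list blank every meta value is scanned, but only for full messages, so
    an unrelated value that happens to be "U" (a size field, say) is not a hit."""
    keys = gateway_keys if gateway_keys else list(meta)
    for key in keys:
        value = str(meta.get(key, ""))
        if gateway_keys and value.strip().upper() == "U":
            return key
        if any(p.search(value) for p in AVS_U_PATTERNS):
            return key
    return None

def apply_avs_policy(order: Order, action: str, gateway_keys=None,
                     risk_key="_cog_risk_score", bump=25) -> Order:
    """action is one of ignore | note | note_and_risk | hold (names assumed).
    risk_key and bump are assumptions; the page names neither."""
    key = find_avs_u(order.meta, gateway_keys)
    if key is None or action == "ignore":
        return order
    order.notes.append(f"AVS U (address not checked / unavailable) found in meta '{key}'")
    if action in ("note_and_risk", "hold"):
        order.meta[risk_key] = str(int(order.meta.get(risk_key, "0")) + bump)
    if action == "hold":
        order.status = "on-hold"  # manual-review trail only; the payment itself is untouched
    return order
```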
Can I export my logs?
Yes. All log data can be exported to CSV from the plugin dashboard for review, forensics, or integration with external tools.
Where is log data stored?
Logs are stored in a dedicated database table inside your existing WordPress database. They contain timestamps, IP addresses, user agents, paths, HTTP methods, and a decision flag. No external services are used; all data remains on your server. You can clear or truncate this table using your preferred database tools if you want to reset history.
Changelog
1.7.1
- Added two high-signal checker heuristics: all-lowercase billing first+last name; and unknown checkout origin (no referrer and no UTM).
- When triggered, these flags can bump the order risk score meta for faster review and safer automation.
1.7
- Added optional AVS “U” handling as a post-payment risk signal; can add notes, bump a risk-score meta field, or hold orders for review.
- Refined Company Shield heuristics and help text for business and email validation.
- Minor performance and logging improvements in the checkout validation flow.
1.6
- Confirmed compatibility with WordPress 6.9.
- Updated code to align with upcoming WordPress coding and security guidelines.
1.5.3
- Improved IP hard block stability and unblock handling.
- Added real-time log refresh option.
- Enhanced Company Shield heuristics for email and business name detection.
- Unified all settings on one page with persistent values.
- Performance improvements and code cleanup.
1.5.2
- Added CSV export for logs.
- Added referrer and nonce validation checks.
- Expanded allowlist for common search engine bots.
1.5.1
- Fixed settings persistence and default value population.
- Added Populate Defaults button.
- UI refinements and improved table layout.
1.5.0
- Merged “Bad User Patterns” module into core.
- Added company/email heuristics and rate-limit detection.
- New single-page admin interface.