Checkout Origin Guard

Checkout Origin Guard protects your WooCommerce store from fake, fraudulent, or automated checkout attempts by identifying and blocking abusive origins before they clutter your order table or your logs.

The plugin runs client-origin heuristics, IP controls, and sequence analysis to detect non-human traffic and suspicious behavior at checkout. It adds Company Shield for business and email sanity checks and an optional AVS “U” signal handler for gateways that report “Address not checked / unavailable”.

All controls live on a single admin screen; you can adjust sensitivity, manage allowlists and blocklists, and review traffic logs in one place.

Three layers of protection

1. Bot Block (traffic level)
   Detects and throttles abusive requests before they become orders:

   • Analyzes user agents, referrers, and known bot signatures
   • Watches rapid-fire hits to checkout and wc-ajax endpoints
   • Supports monitor, soft, and hard blocking modes
   • Built-in allowlist for search engines, uptime monitors, and core WordPress services

2. Company Shield (checkout level)
   Validates business identity and email quality at checkout:

   • Flags suspicious or synthetic business names
   • Detects repeated syllables, odd vowel ratios, and gibberish patterns
   • Identifies disposable email domains and role-based accounts (admin, info, sales, etc.)
   • Can run in:
     • Monitor; log and annotate orders
     • Soft; create the order and automatically place it on hold or pending
     • Hard; block checkout with a user-facing error message

3. Payment AVS signals (post-payment; optional)
   For gateways that expose AVS results in order meta, Checkout Origin Guard can treat “AVS: U; unavailable / not checked” as a risk signal:

   • Does not change how your gateway authorizes or captures payments
   • Can be configured to:
     • Ignore the signal
     • Add an order note only
     • Add an order note and bump a risk-score meta field
     • Put the order on hold for manual review
   • Uses flexible pattern matching; can scan specific gateway meta keys or fall back to scanning all order meta for common “AVS: U” messages such as the PayPal string
   • Off by default; you opt in and choose the behavior

Key Features

• 🛡️ Bot Block; Detects and blocks automated bots by analyzing user agents, referrers, and checkout behavior patterns.
• ⚡ Rapid Sequence Detection; Monitors frequency and timing between checkout attempts to identify scripted attacks and card testing activity.
• 🧠 Company Shield; Flags suspicious or AI-generated business names, email domains, and mixed-character spam entries at checkout.
• 🌎 Allowlist Controls; Preserve access for search engines, uptime monitors, and essential WordPress and WooCommerce services.
• 🔒 Hard / Soft / Monitor Modes; Choose between logging only, soft blocking, or full hard blocking.
• 🧾 AVS “U” Risk Signals (optional); Treat “Address not checked / unavailable” as a post-payment risk signal; add notes, increase risk score, or hold the order.
• 🗂️ Log Viewer; See activity including timestamps, IPs, user agents, paths, and detection outcomes.
• 🧩 One-Page Dashboard; Configure settings, review logs, and manage allow/deny lists from a single screen.
• 🚫 Manual Block / Unblock; Instantly remove or restore access for specific IPs with one click.
• 💾 CSV Export; Download checkout-origin activity logs for security review or record keeping.

Why Online Shops Need it

WooCommerce checkouts are frequent targets for:

• Card testing and BIN probing
• Fake business registrations and spam accounts
• Automated scripts hammering your checkout endpoints

Checkout Origin Guard focuses on checkout behavior and identity quality, not just generic firewall rules. It helps you:

• Reduce chargeback and fraud risk
• Keep your order list clean and reviewable
• Shorten the time spent cleaning up junk orders and bogus signups

The plugin works alongside any existing firewall, CDN, or WAF; it does not rely on external APIs or subscriptions. All data stays on your server.

Use Cases

• Prevent card testing or order spam
• Stop bots using nonsense or AI-generated company names
• Detect rapid repeat checkout attempts from the same IP
• Block suspicious POST requests that hit checkout endpoints
• Add an extra layer of review for orders where the gateway reports “AVS unavailable / not checked”
• Maintain cleaner order history and logs for real customers

Credits

Developed by Michael Winchester
For documentation and updates, visit https://michaelwinchester.com