Predax Fraud Guard for WooCommerce
| 开发者 | ipsentry |
|---|---|
| 更新时间 | 2026年6月14日 23:36 |
| PHP版本: | 7.4 及以上 |
| WordPress版本: | 7.0 |
| 版权: | GPLv2 or later |
| 版权网址: | 版权信息 |
详情介绍:
Predax Fraud Guard for WooCommerce is an opt-in checkout-screening tool. After you enter a Predax API key and choose a protection mode, the plugin sends the customer's IP to the Predax API during WooCommerce checkout so your store can decide whether to allow, tag, or block the order.
On a fresh install the plugin does nothing — no outbound requests are made until you complete setup and pick a protection mode. The default mode once configured is tag-only (no blocking), so you can see flagged orders in your dashboard before turning on anything that rejects a customer.
How It Works
- You install and activate the plugin. Nothing happens — the plugin stays dormant until you finish setup.
- You enter a Predax API key (free account available at predax.io).
- You pick a protection mode in Fraud Guard → Settings (or in the 3-step setup wizard). Choices: Tag + note, Block high risk, or Block critical only.
- On each WooCommerce checkout after that point, the plugin sends the customer's IP address to the Predax API, receives back a risk score and signal flags (is_vpn / is_proxy / is_tor / is_datacenter), and tags / holds / blocks the order according to your configuration. Results are cached for up to 5 minutes per IP.
- Risk 40–69 — tagged "Predax: Medium Risk" with an order note
- Risk 70–89 — tagged "Predax: High Risk" with an order note
- Risk 90–100 — tagged "Predax: Critical Risk" with an order note
- Checkout screening (after you enable a protection mode) — every order is checked against Predax IP threat intelligence
- VPN / Proxy / Tor / Datacenter flags — detect anonymised connections at checkout
- Risk score threshold blocking — optionally block checkouts above a configurable risk score
- Automatic order hold (opt-in) — move high-risk orders to On Hold for manual review instead of processing them
- Order velocity rules (opt-in) — flag or block customers placing too many orders in a short window
- Billing country vs IP mismatch (opt-in) — flag or block orders where billing country differs from detected IP country
- Disposable email detection (opt-in) — reject checkouts using throwaway email providers (30+ supported)
- Refund / chargeback feedback (opt-in) — when a tagged order is refunded or cancelled, add its IP to your local deny list, and/or report the outcome to the Community Threat Network (when that opt-in is enabled)
- Order meta logging — stores risk score, threat flags, and detected country on every order for WooCommerce reporting
- Events Log — a dashboard page showing blocked attempts and flagged orders
安装:
- Make sure WooCommerce is installed and activated.
- Upload the
predax-fraud-guard-for-woocommercefolder to/wp-content/plugins/. - Activate the plugin through the Plugins menu in WordPress.
- The Setup Wizard launches on first activation. Either click Connect with Predax for OAuth one-click connection, or enter your API key manually.
- Pick a protection preset (Recommended / Strict / Monitor Only). This is the step where you opt in — IP lookups begin after this point.
- Fine-tune individual rules at Fraud Guard → Settings any time.
屏幕截图:
常见问题:
Does the plugin phone home before I finish setup?
No. Before you enter an API key and save a protection mode, the plugin makes zero outbound requests to predax.io. Nothing happens silently on activation.
Will it block legitimate customers?
Only if you enable a blocking mode. Until you complete setup, the mode is Tag only (no blocking — orders just get tags and notes). In the setup wizard, the pre-selected Recommended preset enables blocking of high-risk checkouts (risk score 50+); choose Monitor Only instead if you don't want any blocking yet — each preset card lists exactly what it switches on.
What is the risk score?
A score from 0 to 100 representing how likely an IP is to be associated with fraud, anonymisation, or abuse. 0 = clean residential IP, 100 = known Tor exit or commercial VPN. The score combines VPN/proxy/Tor detection, datacenter identification, historical abuse signals, and geographic heuristics.
Does it work with Cloudflare?
Yes — enable Fraud Guard → Settings → Advanced → "Behind a proxy / CDN" (or the same toggle on the WooCommerce → Predax tab). With it on, the plugin reads the real customer IP from the CF-Connecting-IP / X-Forwarded-For headers instead of the Cloudflare edge IP. It is off by default: when your store connects directly to visitors, trusting those headers would let a customer spoof their IP to bypass fraud checks, so you only turn it on when a proxy/CDN really is in front of your site.
How do I test it without affecting real customers?
Fraud Guard → Settings → Developer tab → enter a Test IP Override. Every checkout is then evaluated as if it came from that IP. A red admin banner reminds you test mode is active. Clear the override before going live.
Use 185.220.101.1 (risk 85, Tor-adjacent) to exercise blocking paths, or 1.1.1.1 to verify pass-through.
What order metadata is stored?
On each tagged order the plugin stores:
_ipsentry_risk_score— numeric risk score (0–100)_ipsentry_ip— detected customer IP_ipsentry_country_code— detected IP country code_ipsentry_flags— comma-separated threat flag list
Does it work alongside the Predax Security plugin?
Yes. The plugins are independent but complementary — Security protects logins and registrations, Fraud Guard protects WooCommerce checkout. Both can share the same API key.
更新日志:
1.7.0
- Rebrand: IPSentry is now Predax. This is the first WordPress.org release of the WooCommerce plugin. The plugin name, admin menu, and links now use Predax (predax.io). Your existing settings, API key, and order data are preserved — internal option names are unchanged, so nothing needs reconfiguring.
- Admin menu moved to a lower position so it no longer sits among the core WordPress menu items.
- Compliance: the OAuth-callback exit page now registers and prints its CSS/JS through the WordPress script API (wp_register_style/wp_register_script + wp_print_styles/wp_print_scripts) instead of hand-written tags. The WooCommerce settings save and checkout timezone read run inside WooCommerce's own nonce-verified flows and carry inline justifications for the static analyser.
- Compatibility: declared WooCommerce High-Performance Order Storage (HPOS) compatibility.
- Fix: the order-velocity time window now uses a timestamp-based date query (the previous datetime-string form could be misread by WooCommerce and count orders outside the window).
- Hardening: checkout error notices are HTML-escaped before being added; the settings-import upload is capped at 512 KB with bounded JSON depth; the API base URL accepts http/https only; the timezone cookie is marked Secure on HTTPS stores; the Store API block path gained an explicit return after blocking.
- Clarity: Refund / Chargeback Feedback labels and docs now state that "Log" reports go through the Community Threat Network opt-in; the readme documents exact API endpoints and the full telemetry data list.
- New: IP allow-list (never block trusted IPs) and a managed deny-list, both supporting single IPs and CIDR ranges (IPv4 + IPv6), editable from the settings page and the WooCommerce → Predax tab.
- New: the Community Threat Network opt-in is now a settings toggle (still off by default) instead of import/export only.
- New: Events Log retention setting (default 90 days; 0 = keep forever) with automatic daily cleanup, plus a 7-day/all-time stats summary, CSV export, and a Clear Log button.
- New: "Behind a proxy / CDN" setting (off by default). Enable it when your store is behind Cloudflare, a CDN, or a reverse proxy so the real customer IP is read from forwarded headers; when off, only the direct connection IP is used, so the customer IP cannot be spoofed to bypass fraud checks.
- Security: the Events Log CSV export now neutralises spreadsheet formula-injection — a billing email such as "=...@example.com" can no longer execute as a formula when the export is opened in Excel/Sheets.
- Fix: the "Flag for review" action on the velocity, disposable-email, and billing-country-mismatch rules now reliably tags the order, adds the order note, and writes the Events Log entry (previously these markers could be dropped on processed orders).
- Fix: a critically-risky IP (risk score 90+) is now always blocked while a blocking mode is active, even when its VPN/proxy category is set to Monitor.
- Fix: the WooCommerce → Predax settings tab now saves correctly (removed an invalid nested import form; import is now on the Fraud Guard → Developer page).
- Hardening: /0 (match-all) entries are rejected in the IP allow/deny lists, and uninstall now cleans every site on a multisite network.
- No change to the opt-in model — the plugin still makes zero outbound requests until you enter an API key and save a protection mode.
- Compliance: community-feedback telemetry is now explicitly opt-in (off by default) behind a new
ipsentry_woo_community_enabledoption. Existing installs stop sending telemetry until they flip this on. - Compliance: all phoning-home defaults flipped to off —
block_proxy,block_tor, andmonitor_vpndefault to'no'on fresh installs. - Compliance: removed the self-hosted plugin updater class per WP.org Guideline 8.
- Compliance: extracted every inline
<script>/<style>block to enqueued asset files. OAuth-callback exit page now references an external CSS/JS pair. - Compliance: Privacy Policy content hook (
wp_add_privacy_policy_content) so admins can pull suggested text from Tools → Privacy. - Compliance: Setup-wizard privacy-disclosure boxes added above OAuth button, manual API-key field, and preset-picker cards.
- Compliance: nonce-before-cap order fixed on every admin-post and AJAX handler.
- Compliance: input sanitisation tightened on every
$_GET/$_POST/$_FILESread; imported settings values now validated per option type. - Compliance: Test-mode admin notice now scoped to Predax pages only (not global).
- Added:
uninstall.phpdrops the events-log table and deletes everyipsentry_woo_*option on plugin deletion. - Added:
Domain Path: /languagesheader + minimal .pot translation template. - Added:
.distignoreexcluding dev artefacts from the WP.org zip. - No behaviour change for existing installs other than the community-feedback gate — core IP checking still works as before.
- Improved: OAuth connect popup now auto-closes reliably after authorization.
- Improved: Per-user OAuth transients prevent conflicts on multi-admin sites.
- New: Setup Wizard — guided 3-step setup on first activation with fraud protection presets (Recommended, Strict, Monitor Only).
- New: One-Click Connect — click "Connect with Predax" in the setup wizard to link your store via OAuth. No API key to copy or paste.
- New: "Run Setup Wizard" link in Developer tab to re-run the wizard at any time.
- New: Events Log admin page (Predax → Events Log) — two tabs showing blocked checkout attempts and flagged/held orders with IP, risk score, flags, reason, and order links.
- New: Predax risk column on WooCommerce → Orders list — shows colour-coded score badge and top threat flag.
- Improvement: Orders now store a combined
_ipsentry_flagsmeta key for quick flag lookup.
- New: Dedicated settings page under Predax → Fraud Guard in the WordPress admin left nav — same tabbed UI as the Security plugin.
- New: Settings import/export — back up your configuration or copy it between sites.
- New: Support Email field — if set, checkout block error messages include a "Contact us at…" line.
- Fix: VPN/proxy customers set to Monitor mode were incorrectly blocked by the risk threshold.
- New: Automatic order hold, order velocity rules, billing country vs IP mismatch, disposable email detection, refund/chargeback feedback, test IP override.
- New: Off/Monitor/Block radio groups for VPN, proxy, and Tor.
- New: Custom risk scoring weights — adjust per-signal contribution to the final risk score.
- New: Country-based blocking at checkout. Whitelist support. API timeout handling.
- New: Configurable risk threshold. Order meta. Detailed order notes.
- Initial release. Tag-only fraud screening at checkout. VPN / proxy / Tor / datacenter detection.