Velocity Guard for WooCommerce -- WordPress 插件

Velocity Guard for WooCommerce – Fraud Protection, Stop Fake Orders & Card Testing

开发者	junkoe
更新时间	2026年6月4日 05:45
PHP版本:	7.4 及以上
WordPress版本:	7.0
版权:	GPLv2 or later
版权网址:	版权信息

下载

0.1.0 0.2.0

详情介绍:

Stop card-testing fraud, fake orders, and checkout bots at your WooCommerce store. Is your store getting waves of failed orders, $1 stolen-card charges, and surprise payment-processor fees? That's a card-testing bot attack — and Velocity Guard stops it automatically. What is card-testing? Criminals buy lists of stolen card numbers and need to find which ones still work. They do it by running hundreds of small orders through real checkouts like yours. Every attempt can cost you a processing fee, and a flood of declines can get your Stripe or PayPal account flagged or frozen. It's automated — it can hammer your store overnight while you sleep. What Velocity Guard does: It watches how fast orders arrive from the same shopper, email, or device. A real customer places one order; an attack tool tries dozens in minutes. When Velocity Guard sees that burst, it quietly turns away the extra attempts before they reach your payment processor — the attacker gets nothing and you don't get billed. Genuine shoppers never notice; the limits sit well above normal buying behavior. Set it and forget it. Install, activate, done. The defaults are tuned to be invisible to real customers, and it runs entirely on your own site with no account to create. Under the hood, Velocity Guard tracks how many checkout attempts come from each identity (IP address, email address, session, or combination) inside a sliding time window. Once an identity crosses the configured threshold, further attempts are rejected before WooCommerce ever processes the order — including direct hits to the REST API that skip your normal checkout page. Repeated failed payments auto-blocklist the source for hours. Free version features

Sliding-window velocity rules per IP, email, session, or IP+email combination
Failed-payment auto-blocklist — configurable threshold and lockout duration
REST API endpoint coverage — protects /wc/v3/orders, /wc/store/v1/checkout, and /wc/store/checkout (the routes modern card-testing bots target directly)
Proxy-aware IP detection — Cloudflare, Akamai, Fastly, X-Forwarded-For, X-Real-IP, with explicit admin opt-in to prevent header spoofing on sites with no upstream proxy
Dashboard widget — blocked-attempt counts (24h / 7d / 30d) at a glance
Event log — every block decision with rule, source IP, and detail
Manual IP whitelist — exempt staff workstations and test cards (IPv4 + IPv6, validated)
HPOS-native — built on WooCommerce's High-Performance Order Storage from day one
Compatible with classic checkout and Cart/Checkout block

Velocity Guard Pro Pro upgrades available via the in-plugin Upgrade screen:

Behavioural device fingerprinting — canvas + audio + envelope fingerprint, cookie-stored. Catches attackers rotating IPs but keeping the same browser. The IP rule alone misses this; fingerprint does not.
Slack / Discord / email alerts — fires when blocks-per-window crosses your threshold. Per-channel rate limiting so a sustained attack doesn't spam your inbox.
Pattern library feed — rule packs sourced from active vulnerability research, applied before velocity counters. Catches obvious bot user agents (curl, headless browsers, scraping frameworks) on the first request.
14-day free trial, no credit card required.

安装:

Install via the WordPress plugin directory, or upload the velocity-guard-for-woocommerce folder to /wp-content/plugins/.
Activate Velocity Guard for WooCommerce through the Plugins menu.
Make sure WooCommerce is installed and active.
Go to WooCommerce → Velocity Guard to configure thresholds and review the event log.

The default velocity thresholds are tuned to be invisible to normal shoppers. You can adjust per-rule and add staff IPs to the whitelist.

屏幕截图:

升级注意事项:

0.2.0 Pro pattern library is now a signed, auto-updating rule pack. No action required. 0.1.0 Initial release.

常见问题:

Why is my WooCommerce store suddenly getting dozens of failed orders?

A burst of failed or declined orders in a short window — especially overnight, with tiny order totals or odd email addresses — is the signature of a card-testing bot. Attackers run stolen card numbers through your live checkout to find which ones still work. Velocity Guard detects the burst (many attempts from one IP, email, or session in minutes) and turns the extra attempts away before they reach your payment processor.

My payment processor (Stripe / PayPal / Authorize.net) flagged, paused, or put my account "under review" — could card testing be the cause?

Very often, yes. A flood of declined authorizations spikes your decline ratio and chargeback risk, which is exactly what gets a Stripe or PayPal account flagged or frozen. Stopping the attempts at the door keeps your decline ratio clean. Velocity Guard rejects the abnormal burst before WooCommerce ever hands the attempt to your gateway, so the declines never hit your processor stats.

What are these random $1 (or small) charges and declines showing up on my store?

Those are card-testing probes. Criminals use a small amount because it's less likely to trip a bank's fraud alert, and they only need to know whether the charge succeeds. Every probe can still cost you an authorization/processing fee even when it's declined. Velocity Guard blocks the repeated attempts so you stop paying fees on fraud traffic.

I'm getting charged processor fees for orders that never completed — how do I stop it?

Each checkout attempt that reaches your gateway can incur a fee, declined or not — so an automated attack racks up fees fast. Because Velocity Guard rejects the abnormal burst before the request reaches your payment processor, the attacker's attempts never generate billable gateway calls.

Does this require an external API or service?

No. Velocity Guard runs entirely on your WordPress server. The free version has no external dependencies.

Will this block legitimate customers?

The default thresholds (5 orders per IP per 10 minutes, 3 per email per hour, 3 failed payments before auto-blocklist) are tuned to be invisible to normal shoppers. Every block is logged with rule + source so you can audit and tune per-rule from the settings page. Whitelist your staff IPs to bypass entirely.

Does it work with WooCommerce Blocks / Cart-Checkout Blocks?

Yes. Velocity Guard protects both the classic checkout (woocommerce_checkout_process hook) and the Cart/Checkout block Store API (woocommerce_store_api_checkout_order_processed and rest_pre_dispatch for direct REST hits).

I run my site behind Cloudflare / Sucuri / Akamai — will per-IP velocity still work?

Yes, but you need to tell the plugin which header carries the real client IP. Go to WooCommerce → Velocity Guard → Reverse proxy / CDN and select your provider (Cloudflare uses CF-Connecting-IP, Akamai uses True-Client-IP, etc.). Default is REMOTE_ADDR which is the safe choice when no proxy is in front of your site.

Is this HPOS-compatible?

Yes, built HPOS-native from day one. No legacy meta-table queries.

Do I need WooCommerce installed?

Yes. The plugin won't activate without WooCommerce 8.0+ active.

What's the difference between the free version and Pro?

The free version stops bots that don't load your page (curl, scripts, direct API hits without a session cookie) and rate-limits per identity (IP / email / session). Pro adds device fingerprinting (catches attackers that rotate IPs but keep the same browser), real-time alerts, and an updatable pattern library sourced from active vulnerability research.

Does the plugin store any sensitive data?

Velocity Guard stores: timestamps of checkout attempts, source IPs, billing emails, session identifiers, and block reasons. It does NOT store card numbers, CVCs, or any PCI-sensitive data.

更新日志:

0.2.0

Pro: the pattern library is now an automatically updated, cryptographically signed rule pack, refreshed as new attack patterns are identified. Updates are verified before use; if an update ever fails, the previously loaded rules stay active and checkout is never interrupted.
Pro: added a "Pattern library feed" status panel with a manual update control.
Pro: added datacenter / hosting-range matching to the pattern rule engine.
Hardened pattern matching against pathological (ReDoS) expressions.

0.1.0

Initial public release.
Sliding-window velocity rules per IP, email, session, and IP+email combination.
Failed-payment auto-blocklist with configurable threshold and duration.
REST API guard for /wc/v3/orders, /wc/store/v1/checkout, /wc/store/checkout.
HPOS-native data layer; declared compatible via FeaturesUtil::declare_compatibility.
Proxy-aware client IP detection for Cloudflare, Akamai, Fastly, X-Forwarded-For, X-Real-IP.
IP whitelist with IPv4/IPv6 format validation.
Custom event log table with dashboard widget and admin event browser.
Pro tier (Freemius-managed): behavioural device fingerprinting, Slack/Discord/email alerts, pattern library rule packs.