{"id":312371,"date":"2026-05-16T03:41:21","date_gmt":"2026-05-16T03:41:21","guid":{"rendered":"https:\/\/wordpress.org\/plugins\/velocity-guard-for-woocommerce\/"},"modified":"2026-05-16T05:31:40","modified_gmt":"2026-05-16T05:31:40","slug":"velocity-guard-for-woocommerce","status":"publish","type":"plugin","link":"https:\/\/ug.wordpress.org\/plugins\/velocity-guard-for-woocommerce\/","author":23498569,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_crdt_document":"","version":"0.2.0","stable_tag":"0.2.0","tested":"6.9.4","requires":"6.4","requires_php":"7.4","requires_plugins":null,"header_name":"Velocity Guard for WooCommerce","header_author":"Junkoe","header_description":"Block card-testing attacks, fraud orders, and coupon abuse with velocity rules at the WooCommerce checkout. HPOS-native.","assets_banners_color":"737983","last_updated":"2026-05-16 05:31:40","external_support_url":"","external_repository_url":"","donate_link":"","header_plugin_uri":"https:\/\/wordpress.org\/plugins\/velocity-guard-for-woocommerce\/","header_author_uri":"","rating":0,"author_block_rating":0,"active_installs":0,"downloads":37,"num_ratings":0,"support_threads":0,"support_threads_resolved":0,"author_block_count":0,"sections":["description","installation","faq","changelog"],"tags":{"0.1.0":{"tag":"0.1.0","author":"junkoe","date":"2026-05-16 03:40:56"},"0.2.0":{"tag":"0.2.0","author":"junkoe","date":"2026-05-16 05:31:40"}},"upgrade_notice":{"0.2.0":"<p>Pro pattern library is now a signed, auto-updating rule pack. 
No action required.<\/p>","0.1.0":"<p>Initial release.<\/p>"},"ratings":[],"assets_icons":{"icon-256x256.png":{"filename":"icon-256x256.png","revision":3533528,"resolution":"256x256","location":"assets","locale":"","width":256,"height":256}},"assets_banners":{"banner-1544x500.png":{"filename":"banner-1544x500.png","revision":3533528,"resolution":"1544x500","location":"assets","locale":"","width":1544,"height":500}},"assets_blueprints":{},"all_blocks":[],"tagged_versions":["0.1.0","0.2.0"],"block_files":[],"assets_screenshots":{"screenshot-1.png":{"filename":"screenshot-1.png","revision":3533528,"resolution":"1","location":"assets","locale":"","width":1200,"height":540},"screenshot-2.png":{"filename":"screenshot-2.png","revision":3533528,"resolution":"2","location":"assets","locale":"","width":486,"height":179},"screenshot-3.png":{"filename":"screenshot-3.png","revision":3533528,"resolution":"3","location":"assets","locale":"","width":1200,"height":900},"screenshot-4.png":{"filename":"screenshot-4.png","revision":3533528,"resolution":"4","location":"assets","locale":"","width":1200,"height":900},"screenshot-5.png":{"filename":"screenshot-5.png","revision":3533528,"resolution":"5","location":"assets","locale":"","width":1200,"height":900}},"screenshots":{"1":"Settings page \u2014 velocity rule thresholds, failed-payment blocklist, IP whitelist, REST API protection toggle.","2":"Dashboard widget \u2014 blocked attempt counts at a glance (24h \/ 7d \/ 30d).","3":"Event log \u2014 recent block events with rule name, source IP, and detail.","4":"Pro settings panel \u2014 per-feature settings (visible to Pro users).","5":"Recent events showing pattern-library rule matches blocking curl-style bot user 
agents."},"jetpack_post_was_ever_published":false},"plugin_section":[262246],"plugin_tags":[262525,12891,171765,600,286],"plugin_category":[45,54],"plugin_contributors":[263125],"plugin_business_model":[],"class_list":["post-312371","plugin","type-plugin","status-publish","hentry","plugin_section-dashboard-widgets","plugin_tags-card-testing","plugin_tags-fraud","plugin_tags-rate-limit","plugin_tags-security","plugin_tags-woocommerce","plugin_category-ecommerce","plugin_category-security-and-spam-protection","plugin_contributors-junkoe","plugin_committers-junkoe"],"banners":[],"icons":{"svg":false,"icon":"https:\/\/ps.w.org\/velocity-guard-for-woocommerce\/assets\/icon-256x256.png?rev=3533528","icon_2x":"https:\/\/ps.w.org\/velocity-guard-for-woocommerce\/assets\/icon-256x256.png?rev=3533528","generated":false},"screenshots":[{"src":"https:\/\/ps.w.org\/velocity-guard-for-woocommerce\/assets\/screenshot-1.png?rev=3533528","caption":"Settings page \u2014 velocity rule thresholds, failed-payment blocklist, IP whitelist, REST API protection toggle."},{"src":"https:\/\/ps.w.org\/velocity-guard-for-woocommerce\/assets\/screenshot-2.png?rev=3533528","caption":"Dashboard widget \u2014 blocked attempt counts at a glance (24h \/ 7d \/ 30d)."},{"src":"https:\/\/ps.w.org\/velocity-guard-for-woocommerce\/assets\/screenshot-3.png?rev=3533528","caption":"Event log \u2014 recent block events with rule name, source IP, and detail."},{"src":"https:\/\/ps.w.org\/velocity-guard-for-woocommerce\/assets\/screenshot-4.png?rev=3533528","caption":"Pro settings panel \u2014 per-feature settings (visible to Pro users)."},{"src":"https:\/\/ps.w.org\/velocity-guard-for-woocommerce\/assets\/screenshot-5.png?rev=3533528","caption":"Recent events showing pattern-library rule matches blocking curl-style bot user agents."}],"raw_content":"<!--section=description-->\n<p><strong>Is your store getting waves of failed orders and surprise payment-processor fees?<\/strong> That's almost always a 
card-testing attack \u2014 and Velocity Guard stops it automatically.<\/p>\n\n<p><strong>What is card-testing?<\/strong> Criminals buy lists of stolen card numbers and need to find which ones still work. They do it by running hundreds of small orders through real checkouts like yours. Every attempt can cost you a processing fee, and a flood of declines can get your Stripe or PayPal account flagged or frozen. It's automated \u2014 it can hammer your store overnight while you sleep.<\/p>\n\n<p><strong>What Velocity Guard does:<\/strong> It watches how fast orders arrive from the same shopper, email, or device. A real customer places one order; an attack tool tries dozens in minutes. When Velocity Guard sees that burst, it quietly turns away the extra attempts before they reach your payment processor \u2014 the attacker gets nothing and you don't get billed. Genuine shoppers never notice; the limits sit well above normal buying behavior.<\/p>\n\n<p><strong>Set it and forget it.<\/strong> Install, activate, done. The defaults are tuned to be invisible to real customers, and it runs entirely on your own site with no account to create.<\/p>\n\n<p>Under the hood, Velocity Guard tracks how many checkout attempts come from each identity (IP address, email address, session, or combination) inside a sliding time window. Once an identity crosses the configured threshold, further attempts are rejected before WooCommerce ever processes the order \u2014 including direct hits to the REST API that skip your normal checkout page. 
Repeated failed payments auto-blocklist the source for hours.<\/p>\n\n<h4>Free version features<\/h4>\n\n<ul>\n<li><strong>Sliding-window velocity rules<\/strong> per IP, email, session, or IP+email combination<\/li>\n<li><strong>Failed-payment auto-blocklist<\/strong> \u2014 configurable threshold and lockout duration<\/li>\n<li><strong>REST API endpoint coverage<\/strong> \u2014 protects <code>\/wc\/v3\/orders<\/code>, <code>\/wc\/store\/v1\/checkout<\/code>, and <code>\/wc\/store\/checkout<\/code> (the routes modern card-testing bots target directly)<\/li>\n<li><strong>Proxy-aware IP detection<\/strong> \u2014 Cloudflare, Akamai, Fastly, X-Forwarded-For, X-Real-IP, with explicit admin opt-in to prevent header spoofing on sites with no upstream proxy<\/li>\n<li><strong>Dashboard widget<\/strong> \u2014 blocked-attempt counts (24h \/ 7d \/ 30d) at a glance<\/li>\n<li><strong>Event log<\/strong> \u2014 every block decision with rule, source IP, and detail<\/li>\n<li><strong>Manual IP whitelist<\/strong> \u2014 exempt staff workstations and test cards (IPv4 + IPv6, validated)<\/li>\n<li><strong>HPOS-native<\/strong> \u2014 built on WooCommerce's High-Performance Order Storage from day one<\/li>\n<li><strong>Compatible with classic checkout and Cart\/Checkout block<\/strong><\/li>\n<\/ul>\n\n<h4>Velocity Guard Pro<\/h4>\n\n<p>Pro upgrades available via the in-plugin Upgrade screen:<\/p>\n\n<ul>\n<li><strong>Behavioural device fingerprinting<\/strong> \u2014 canvas + audio + envelope fingerprint, cookie-stored. Catches attackers rotating IPs but keeping the same browser. The IP rule alone misses this; fingerprint does not.<\/li>\n<li><strong>Slack \/ Discord \/ email alerts<\/strong> \u2014 fires when blocks-per-window crosses your threshold. Per-channel rate limiting so a sustained attack doesn't spam your inbox.<\/li>\n<li><strong>Pattern library feed<\/strong> \u2014 rule packs sourced from active vulnerability research, applied before velocity counters. 
Catches obvious bot user agents (curl, headless browsers, scraping frameworks) on the first request.<\/li>\n<li><strong>14-day free trial, no credit card required.<\/strong><\/li>\n<\/ul>\n\n<!--section=installation-->\n<ol>\n<li>Install via the WordPress plugin directory, or upload the <code>velocity-guard-for-woocommerce<\/code> folder to <code>\/wp-content\/plugins\/<\/code>.<\/li>\n<li>Activate <strong>Velocity Guard for WooCommerce<\/strong> through the <strong>Plugins<\/strong> menu.<\/li>\n<li>Make sure WooCommerce is installed and active.<\/li>\n<li>Go to <strong>WooCommerce \u2192 Velocity Guard<\/strong> to configure thresholds and review the event log.<\/li>\n<\/ol>\n\n<p>The default velocity thresholds are tuned to be invisible to normal shoppers. You can adjust per-rule and add staff IPs to the whitelist.<\/p>\n\n<!--section=faq-->\n<dl>\n<dt id=\"does%20this%20require%20an%20external%20api%20or%20service%3F\"><h3>Does this require an external API or service?<\/h3><\/dt>\n<dd><p>No. The free version of Velocity Guard runs entirely on your WordPress server and has no external dependencies. Pro features such as the auto-updating pattern library feed and Slack \/ Discord alerts do contact outside services.<\/p><\/dd>\n<dt id=\"will%20this%20block%20legitimate%20customers%3F\"><h3>Will this block legitimate customers?<\/h3><\/dt>\n<dd><p>The default thresholds (5 orders per IP per 10 minutes, 3 per email per hour, 3 failed payments before auto-blocklist) are tuned to be invisible to normal shoppers. Every block is logged with rule + source so you can audit and tune per-rule from the settings page. Whitelist your staff IPs to bypass entirely.<\/p><\/dd>\n<dt id=\"does%20it%20work%20with%20woocommerce%20blocks%20%2F%20cart-checkout%20blocks%3F\"><h3>Does it work with WooCommerce Blocks \/ Cart-Checkout Blocks?<\/h3><\/dt>\n<dd><p>Yes. 
Velocity Guard protects both the classic checkout (<code>woocommerce_checkout_process<\/code> hook) and the Cart\/Checkout block Store API (<code>woocommerce_store_api_checkout_order_processed<\/code> and <code>rest_pre_dispatch<\/code> for direct REST hits).<\/p><\/dd>\n<dt id=\"i%20run%20my%20site%20behind%20cloudflare%20%2F%20sucuri%20%2F%20akamai%20%E2%80%94%20will%20per-ip%20velocity%20still%20work%3F\"><h3>I run my site behind Cloudflare \/ Sucuri \/ Akamai \u2014 will per-IP velocity still work?<\/h3><\/dt>\n<dd><p>Yes, but you need to tell the plugin which header carries the real client IP. Go to <strong>WooCommerce \u2192 Velocity Guard \u2192 Reverse proxy \/ CDN<\/strong> and select your provider (Cloudflare uses <code>CF-Connecting-IP<\/code>, Akamai uses <code>True-Client-IP<\/code>, etc.). The default is <code>REMOTE_ADDR<\/code>, which is the safe choice when no proxy is in front of your site. Select a proxy header only if every request reaches your server through that proxy; otherwise a client can send the header itself and the per-IP rules will act on an address the client chose.<\/p><\/dd>\n<dt id=\"is%20this%20hpos-compatible%3F\"><h3>Is this HPOS-compatible?<\/h3><\/dt>\n<dd><p>Yes, built HPOS-native from day one. No legacy meta-table queries.<\/p><\/dd>\n<dt id=\"do%20i%20need%20woocommerce%20installed%3F\"><h3>Do I need WooCommerce installed?<\/h3><\/dt>\n<dd><p>Yes. The plugin won't activate without WooCommerce 8.0+ active.<\/p><\/dd>\n<dt id=\"what%27s%20the%20difference%20between%20the%20free%20version%20and%20pro%3F\"><h3>What's the difference between the free version and Pro?<\/h3><\/dt>\n<dd><p>The free version stops bots that don't load your page (curl, scripts, direct API hits without a session cookie) and rate-limits per identity (IP \/ email \/ session). 
Pro adds device fingerprinting (catches attackers that rotate IPs but keep the same browser), real-time alerts, and an updatable pattern library sourced from active vulnerability research.<\/p><\/dd>\n<dt id=\"does%20the%20plugin%20store%20any%20sensitive%20data%3F\"><h3>Does the plugin store any sensitive data?<\/h3><\/dt>\n<dd><p>Velocity Guard stores: timestamps of checkout attempts, source IPs, billing emails, session identifiers, and block reasons. It does NOT store card numbers, CVCs, or any PCI-sensitive data.<\/p><\/dd>\n\n<\/dl>\n\n<!--section=changelog-->\n<h4>0.2.0<\/h4>\n\n<ul>\n<li>Pro: the pattern library is now an automatically updated, cryptographically signed rule pack (daily). Updates are verified before use; if an update ever fails, the previously loaded rules stay active and checkout is never interrupted.<\/li>\n<li>Pro: added a \"Pattern library feed\" status panel with a manual update control.<\/li>\n<li>Pro: added datacenter \/ hosting-range matching to the pattern rule engine.<\/li>\n<li>Hardened pattern matching against pathological (ReDoS) expressions.<\/li>\n<\/ul>\n\n<h4>0.1.0<\/h4>\n\n<ul>\n<li>Initial public release.<\/li>\n<li>Sliding-window velocity rules per IP, email, session, and IP+email combination.<\/li>\n<li>Failed-payment auto-blocklist with configurable threshold and duration.<\/li>\n<li>REST API guard for <code>\/wc\/v3\/orders<\/code>, <code>\/wc\/store\/v1\/checkout<\/code>, <code>\/wc\/store\/checkout<\/code>.<\/li>\n<li>HPOS-native data layer; declared compatible via <code>FeaturesUtil::declare_compatibility<\/code>.<\/li>\n<li>Proxy-aware client IP detection for Cloudflare, Akamai, Fastly, X-Forwarded-For, X-Real-IP.<\/li>\n<li>IP whitelist with IPv4\/IPv6 format validation.<\/li>\n<li>Custom event log table with dashboard widget and admin event browser.<\/li>\n<li>Pro tier (Freemius-managed): behavioural device fingerprinting, Slack\/Discord\/email alerts, pattern library rule 
packs.<\/li>\n<\/ul>","raw_excerpt":"Getting waves of fake orders and surprise payment fees? Velocity Guard automatically blocks card-testing fraud at your WooCommerce checkout.","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ug.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/312371","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ug.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/ug.wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"replies":[{"embeddable":true,"href":"https:\/\/ug.wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=312371"}],"author":[{"embeddable":true,"href":"https:\/\/ug.wordpress.org\/plugins\/wp-json\/wporg\/v1\/users\/junkoe"}],"wp:attachment":[{"href":"https:\/\/ug.wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=312371"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/ug.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=312371"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/ug.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=312371"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/ug.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_category?post=312371"},{"taxonomy":"plugin_contributors","embeddable":true,"href":"https:\/\/ug.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_contributors?post=312371"},{"taxonomy":"plugin_business_model","embeddable":true,"href":"https:\/\/ug.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_business_model?post=312371"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}