Title: Predax Fraud Guard for WooCommerce
Author: Predax
Published: June 14, 2026
Last modified: June 14, 2026

---

# Predax Fraud Guard for WooCommerce

 By [Predax](https://profiles.wordpress.org/ipsentry/)

## Description

**Predax Fraud Guard for WooCommerce** is an opt-in checkout-screening tool. After
you enter a Predax API key and choose a protection mode, the plugin sends the customer’s
IP to the Predax API during WooCommerce checkout so your store can decide whether
to allow, tag, or block the order.

On a fresh install the plugin does nothing — no outbound requests are made until
**you** complete setup and pick a protection mode. The default mode once configured
is **tag-only** (no blocking), so you can see flagged orders in your dashboard before
turning on anything that rejects a customer.

#### How It Works

 1. **You install and activate the plugin.** Nothing happens — the plugin stays dormant
    until you finish setup.
 2. **You enter a Predax API key** (free account available at [predax.io](https://predax.io)).
 3. **You pick a protection mode** in Fraud Guard → Settings (or in the 3-step setup
    wizard). Choices: Tag + note, Block high risk, or Block critical only.
 4. **On each WooCommerce checkout after that point**, the plugin sends the customer’s
    IP address to the Predax API, receives back a risk score and signal flags (is_vpn /
    is_proxy / is_tor / is_datacenter), and tags / holds / blocks the order according
    to your configuration. Results are cached for up to 5 minutes per IP.

You can revoke the API key or switch the mode back to “Tag only” at any time.

#### Risk Tagging

Orders that reach the tag threshold (default: risk score 40) are tagged based on
band:

 * **Risk 40–69** — tagged “Predax: Medium Risk” with an order note
 * **Risk 70–89** — tagged “Predax: High Risk” with an order note
 * **Risk 90–100** — tagged “Predax: Critical Risk” with an order note

#### Features

 * **Checkout screening** (after you enable a protection mode) — every order is 
   checked against Predax IP threat intelligence
 * **VPN / Proxy / Tor / Datacenter flags** — detect anonymised connections at checkout
 * **Risk score threshold blocking** — optionally block checkouts above a configurable
   risk score
 * **Automatic order hold** (opt-in) — move high-risk orders to On Hold for manual
   review instead of processing them
 * **Order velocity rules** (opt-in) — flag or block customers placing too many 
   orders in a short window
 * **Billing country vs IP mismatch** (opt-in) — flag or block orders where billing
   country differs from detected IP country
 * **Disposable email detection** (opt-in) — reject checkouts using throwaway email
   providers (30+ supported)
 * **Refund / chargeback feedback** (opt-in) — when a tagged order is refunded or
   cancelled, add its IP to your local deny list, and/or report the outcome to the
   Community Threat Network (when that opt-in is enabled)
 * **Order meta logging** — stores risk score, threat flags, and detected country
   on every order for WooCommerce reporting
 * **Events Log** — a dashboard page showing blocked attempts and flagged orders

#### Defaults

All protection toggles default to **off** on a fresh install. The only thing the
plugin writes to options on activation is a database version marker for the
events-log table. You will need to explicitly enable any rule you want to apply.

#### Free Tier

Sign up at [predax.io](https://predax.io) for a free API key. No credit card required.

### Third Party Services

This plugin connects to external services operated by Predax (https://predax.io)
only when you have explicitly enabled a protection mode. By activating this plugin
and entering an API key you agree to the [Predax Terms of Service](https://predax.io/terms)
and [Privacy Policy](https://predax.io/privacy).

You are responsible for ensuring your use of customer IP data at checkout complies
with applicable privacy laws (including but not limited to GDPR, CCPA) and your 
own store’s privacy policy. This plugin does not assert PCI-DSS, GDPR, or CCPA compliance
on your behalf.

#### Predax IP Intelligence API

Used to look up a risk score and classification signals for each checkout IP.

 * **Data sent:** the customer’s IP address at checkout; the browser-reported IANA
   timezone string (when available on the classic checkout form — used for the
   timezone-mismatch signal); your custom scoring weights (only if Custom Scoring is enabled).
 * **What is NOT sent:** no billing/shipping names, street addresses, phone numbers,
   emails, product details, prices, or payment data. The billing-country-mismatch
   rule compares your order’s billing country against the API’s IP-country result
   locally — billing details never leave your site.
 * **When:** during WooCommerce checkout validation, and only while a protection
   mode is saved in settings.
 * **Caching:** classification results are cached in the site’s transients for 5
   minutes per IP, so repeat checkouts from the same IP do not generate duplicate
   API calls.
 * **Endpoint:** `POST https://predax.io/api/v1/check/ip`
 * **Service URL:** https://predax.io
 * **Terms of Service:** https://predax.io/terms
 * **Privacy Policy:** https://predax.io/privacy

#### Predax Community Threat Network (opt-in, off by default)

The plugin can **optionally** send an anonymised telemetry signal — the IP address,
its risk score and detection flags, its network (ASN) number and name, its country
code, and the checkout outcome (allowed / monitored / blocked, or refund/chargeback
feedback) — to the Predax Community Threat Network so all participating stores benefit
from a shared feed. The Refund / Chargeback Feedback “Log” action reports through
this same channel, so it requires this opt-in; its “Blacklist” action updates your
local deny list regardless.

This feature is **off by default**. It is controlled by the `ipsentry_woo_community_enabled`
option, which defaults to `'no'`, with a checkbox on the Advanced settings tab. 
The plugin will not send community-feedback telemetry unless you enable it. Customers’
personal data (names, emails, billing/shipping addresses, order contents) is never
included in the telemetry payload.

 * **Endpoint:** `POST https://predax.io/api/v1/telemetry/event`
 * **Service URL:** https://predax.io
 * **Privacy Policy:** https://predax.io/privacy

#### OAuth One-Click Connect (optional)

Only triggered when an administrator clicks the **Connect with Predax** button in
the setup wizard. Your browser is redirected to predax.io to authorise the connection,
which returns an API key to your site.

 * **Data sent:** your WordPress site URL, site name, and a PKCE state/code-challenge
   pair. No customer data is involved.
 * **When:** only during the click-to-connect OAuth flow.
 * **Endpoint:** `POST https://predax.io/api/v1/oauth/token`
 * **Service URL:** https://predax.io
 * **Privacy Policy:** https://predax.io/privacy

#### Cookies set by this plugin

 * **`ipsentry_tz`** — set on WooCommerce checkout pages (only while an API key
   is configured) via `assets/js/ipsentry-woo-tz.js`. Stores the customer’s
   browser-reported IANA timezone (string, max 64 chars). Used server-side for the optional
   timezone-mismatch fraud rule. Expires after 24 hours (`max-age=86400`),
   `path=/`, `SameSite=Lax`, and marked `Secure` on HTTPS stores. The plugin reads this
   cookie only at checkout-validation time.

The plugin does not set any advertising, analytics, or tracking cookies.

## Screenshots

 * WooCommerce Settings — Predax tab with API key, risk threshold, and fraud rules
 * Order detail — Predax risk score, flags, and country shown in order meta
 * Order list — Predax risk tags visible in the WooCommerce orders table
 * Velocity rules — configure order frequency limits per customer email and IP
 * Billing mismatch — flag or block orders where billing country doesn’t match IP country

## Installation

 1. Make sure WooCommerce is installed and activated.
 2. Upload the `predax-fraud-guard-for-woocommerce` folder to `/wp-content/plugins/`.
 3. Activate the plugin through the **Plugins** menu in WordPress.
 4. The Setup Wizard launches on first activation. Either click **Connect with Predax**
    for OAuth one-click connection, or enter your API key manually.
 5. Pick a protection preset (Recommended / Strict / Monitor Only). This is the step
    where you opt in — IP lookups begin after this point.
 6. Fine-tune individual rules at **Fraud Guard → Settings** any time.

## FAQ

### Does the plugin phone home before I finish setup?

No. Before you enter an API key and save a protection mode, the plugin makes zero
outbound requests to predax.io. Nothing happens silently on activation.

### Will it block legitimate customers?

Only if you enable a blocking mode. Until you complete setup, the mode is **Tag 
only** (no blocking — orders just get tags and notes). In the setup wizard, the 
pre-selected **Recommended** preset enables blocking of high-risk checkouts (risk
score 50+); choose **Monitor Only** instead if you don’t want any blocking yet —
each preset card lists exactly what it switches on.

### What is the risk score?

A score from 0 to 100 representing how likely an IP is to be associated with fraud,
anonymisation, or abuse. 0 = clean residential IP, 100 = known Tor exit or commercial
VPN. The score combines VPN/proxy/Tor detection, datacenter identification, historical
abuse signals, and geographic heuristics.

### Does it work with Cloudflare?

Yes — enable **Fraud Guard → Settings → Advanced → “Behind a proxy / CDN”** (or the
same toggle on the WooCommerce → Predax tab). With it on, the plugin reads the real
customer IP from the `CF-Connecting-IP` / `X-Forwarded-For` headers instead of the
Cloudflare edge IP. It is **off by default**: when your store connects directly 
to visitors, trusting those headers would let a customer spoof their IP to bypass
fraud checks, so you only turn it on when a proxy/CDN really is in front of your
site.
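
The trade-off behind this setting, as an added example that is not the plugin's own code: a resolver that ignores forwarded headers unless the setting is on. The function name, its parameters, and the choice of the right-most `X-Forwarded-For` entry are assumptions; the request arrays are constructed and use documentation address ranges.

```php
<?php
declare(strict_types=1);

// Added example, not the plugin's code. Names here are hypothetical.
function example_resolve_client_ip(array $server, bool $behind_proxy): string
{
    $direct = (string) ($server['REMOTE_ADDR'] ?? '');

    // Setting off: on a directly connected store the forwarded headers are
    // whatever the client chose to send, so only the TCP peer address counts.
    if (!$behind_proxy) {
        return $direct;
    }

    // Setting on: prefer the single-valued Cloudflare header when it is a valid IP.
    $cf = trim((string) ($server['HTTP_CF_CONNECTING_IP'] ?? ''));
    if (filter_var($cf, FILTER_VALIDATE_IP) !== false) {
        return $cf;
    }

    // Assumption: one proxy hop in front of the store. That proxy appends the
    // address it saw, so the right-most entry is the one the client cannot forge.
    $hops = array_values(array_filter(
        array_map('trim', explode(',', (string) ($server['HTTP_X_FORWARDED_FOR'] ?? ''))),
        static fn (string $hop): bool => $hop !== ''
    ));
    $last = $hops === [] ? '' : $hops[count($hops) - 1];
    if (filter_var($last, FILTER_VALIDATE_IP) !== false) {
        return $last;
    }

    // No usable forwarded header: fall back to the direct connection.
    return $direct;
}

// Constructed requests for illustration.
$samples = [
    'direct visitor sending a forged header' => [
        'REMOTE_ADDR'          => '203.0.113.50',
        'HTTP_X_FORWARDED_FOR' => '198.51.100.7',
    ],
    'visitor arriving through a CDN edge' => [
        'REMOTE_ADDR'           => '192.0.2.10',
        'HTTP_CF_CONNECTING_IP' => '198.51.100.23',
        'HTTP_X_FORWARDED_FOR'  => '198.51.100.23',
    ],
];

foreach ($samples as $label => $server) {
    printf(
        "%-40s off=%s on=%s\n",
        $label,
        example_resolve_client_ip($server, false),
        example_resolve_client_ip($server, true)
    );
}
```

Comparing the two columns for the first sample shows why the setting should stay off on a store with no proxy in front of it: with it on, the forged header value is what gets screened.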

### How do I test it without affecting real customers?

Go to Fraud Guard → Settings → Developer tab and enter a Test IP Override. Every checkout is
then evaluated as if it came from that IP. A red admin banner reminds you test mode
is active. Clear the override before going live.

Use `185.220.101.1` (risk 85, Tor-adjacent) to exercise blocking paths, or `1.1.1.1`
to verify pass-through.

### What order metadata is stored?

On each tagged order the plugin stores:

 * `_ipsentry_risk_score` — numeric risk score (0–100)
 * `_ipsentry_ip` — detected customer IP
 * `_ipsentry_country_code` — detected IP country code
 * `_ipsentry_flags` — comma-separated threat flag list

### Does it work alongside the Predax Security plugin?

Yes. The plugins are independent but complementary — Security protects logins and
registrations, Fraud Guard protects WooCommerce checkout. Both can share the same
API key.

## Reviews

There are no reviews for this plugin.

## Contributors & Developers

“Predax Fraud Guard for WooCommerce” is open source software. The following people
have contributed to this plugin.

Contributors

 *   [ Predax ](https://profiles.wordpress.org/ipsentry/)

### Interested in development?

[Browse the code](https://plugins.trac.wordpress.org/browser/predax-fraud-guard-for-woocommerce/),
check out the [SVN repository](https://plugins.svn.wordpress.org/predax-fraud-guard-for-woocommerce/),
or subscribe to the [development log](https://plugins.trac.wordpress.org/log/predax-fraud-guard-for-woocommerce/)
by [RSS](https://plugins.trac.wordpress.org/log/predax-fraud-guard-for-woocommerce/?limit=100&mode=stop_on_copy&format=rss).

## Changelog

#### 1.7.0

 * Rebrand: IPSentry is now **Predax**. This is the first WordPress.org release
   of the WooCommerce plugin. The plugin name, admin menu, and links now use Predax
   (predax.io). Your existing settings, API key, and order data are preserved — internal
   option names are unchanged, so nothing needs reconfiguring.
 * Admin menu moved to a lower position so it no longer sits among the core WordPress
   menu items.
 * Compliance: the OAuth-callback exit page now registers and prints its CSS/JS
   through the WordPress script API (`wp_register_style`/`wp_register_script` +
   `wp_print_styles`/`wp_print_scripts`) instead of hand-written tags. The WooCommerce settings save
   and checkout timezone read run inside WooCommerce’s own nonce-verified flows
   and carry inline justifications for the static analyser.
 * Compatibility: declared WooCommerce High-Performance Order Storage (HPOS) compatibility.
 * Fix: the order-velocity time window now uses a timestamp-based date query (the
   previous datetime-string form could be misread by WooCommerce and count orders
   outside the window).
 * Hardening: checkout error notices are HTML-escaped before being added; the
   settings-import upload is capped at 512 KB with bounded JSON depth; the API base URL accepts
   http/https only; the timezone cookie is marked Secure on HTTPS stores; the Store
   API block path gained an explicit return after blocking.
 * Clarity: Refund / Chargeback Feedback labels and docs now state that “Log” reports
   go through the Community Threat Network opt-in; the readme documents exact API
   endpoints and the full telemetry data list.
 * New: IP allow-list (never block trusted IPs) and a managed deny-list, both supporting
   single IPs and CIDR ranges (IPv4 + IPv6), editable from the settings page and
   the WooCommerce → Predax tab.
 * New: the Community Threat Network opt-in is now a settings toggle (still off 
   by default) instead of import/export only.
 * New: Events Log retention setting (default 90 days; 0 = keep forever) with automatic
   daily cleanup, plus a 7-day/all-time stats summary, CSV export, and a Clear Log
   button.
 * New: “Behind a proxy / CDN” setting (off by default). Enable it when your store
   is behind Cloudflare, a CDN, or a reverse proxy so the real customer IP is read
   from forwarded headers; when off, only the direct connection IP is used, so the
   customer IP cannot be spoofed to bypass fraud checks.
 * Security: the Events Log CSV export now neutralises spreadsheet formula-injection —
   a billing email such as “=…@example.com” can no longer execute as a formula when
   the export is opened in Excel/Sheets.
 * Fix: the “Flag for review” action on the velocity, disposable-email, and
   billing-country-mismatch rules now reliably tags the order, adds the order note, and
   writes the Events Log entry (previously these markers could be dropped on processed
   orders).
 * Fix: a critically-risky IP (risk score 90+) is now always blocked while a blocking
   mode is active, even when its VPN/proxy category is set to Monitor.
 * Fix: the WooCommerce → Predax settings tab now saves correctly (removed an invalid
   nested import form; import is now on the Fraud Guard → Developer page).
 * Hardening: /0 (match-all) entries are rejected in the IP allow/deny lists, and
   uninstall now cleans every site on a multisite network.
 * No change to the opt-in model — the plugin still makes zero outbound requests
   until you enter an API key and save a protection mode.
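
The CSV formula-injection fix listed above, sketched as an added example that is not the plugin's own code: string cells that begin with a character a spreadsheet treats as the start of a formula are prefixed with a single quote before export. The function names, column names, and sample rows are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not the plugin's code. Names here are hypothetical.
function example_neutralise_cell($value): string
{
    $text = (string) $value;

    // Numeric columns (such as the risk score) are left as numbers.
    if (is_int($value) || is_float($value)) {
        return $text;
    }

    // A leading =, +, -, @, tab or carriage return makes Excel/Sheets evaluate
    // the cell; a leading single quote forces it to be read as plain text.
    if ($text !== '' && strpbrk($text[0], "=+-@\t\r") !== false) {
        return "'" . $text;
    }

    return $text;
}

function example_export_events_csv(array $rows): string
{
    $out = fopen('php://temp', 'w+');

    // Hypothetical header row for an events log export.
    fputcsv($out, ['time', 'ip', 'risk_score', 'billing_email', 'reason'], ',', '"', '');

    foreach ($rows as $row) {
        // Every cell goes through the neutraliser, not only the email column:
        // any customer-supplied field can carry a formula prefix.
        fputcsv($out, array_map('example_neutralise_cell', $row), ',', '"', '');
    }

    rewind($out);
    $csv = (string) stream_get_contents($out);
    fclose($out);

    return $csv;
}

// Constructed log rows for illustration.
$rows = [
    ['2026-06-14 10:02:11', '198.51.100.7', 85, '=1+1@example.com', 'risk threshold'],
    ['2026-06-14 10:05:40', '203.0.113.9', 42, 'alice@example.com', '-flagged: velocity'],
];

echo example_export_events_csv($rows);
```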

#### 1.6.2

 * Compliance: community-feedback telemetry is now explicitly opt-in (off by default)
   behind a new `ipsentry_woo_community_enabled` option. Existing installs stop 
   sending telemetry until they flip this on.
 * Compliance: all phoning-home defaults flipped to off — `block_proxy`, `block_tor`,
   and `monitor_vpn` default to `'no'` on fresh installs.
 * Compliance: removed the self-hosted plugin updater class per WP.org Guideline
   8.
 * Compliance: extracted every inline `<script>` / `<style>` block to enqueued asset
   files. OAuth-callback exit page now references an external CSS/JS pair.
 * Compliance: Privacy Policy content hook (`wp_add_privacy_policy_content`) so
   admins can pull suggested text from Tools → Privacy.
 * Compliance: Setup-wizard privacy-disclosure boxes added above OAuth button, manual
   API-key field, and preset-picker cards.
 * Compliance: nonce-before-cap order fixed on every admin-post and AJAX handler.
 * Compliance: input sanitisation tightened on every `$_GET` / `$_POST` / `$_FILES`
   read; imported settings values now validated per option type.
 * Compliance: Test-mode admin notice now scoped to Predax pages only (not global).
 * Added: `uninstall.php` drops the events-log table and deletes every `ipsentry_woo_*`
   option on plugin deletion.
 * Added: `Domain Path: /languages` header + minimal .pot translation template.
 * Added: `.distignore` excluding dev artefacts from the WP.org zip.
 * No behaviour change for existing installs other than the community-feedback gate —
   core IP checking still works as before.

#### 1.6.1

 * Improved: OAuth connect popup now auto-closes reliably after authorization.
 * Improved: Per-user OAuth transients prevent conflicts on multi-admin sites.

#### 1.6.0

 * New: Setup Wizard — guided 3-step setup on first activation with fraud protection
   presets (Recommended, Strict, Monitor Only).
 * New: One-Click Connect — click “Connect with Predax” in the setup wizard to link
   your store via OAuth. No API key to copy or paste.
 * New: “Run Setup Wizard” link in Developer tab to re-run the wizard at any time.

#### 1.5.0

 * New: Events Log admin page (Predax → Events Log) — two tabs showing blocked checkout
   attempts and flagged/held orders with IP, risk score, flags, reason, and order
   links.
 * New: Predax risk column on WooCommerce → Orders list — shows colour-coded score
   badge and top threat flag.
 * Improvement: Orders now store a combined `_ipsentry_flags` meta key for quick
   flag lookup.

#### 1.4.3

 * New: Dedicated settings page under Predax → Fraud Guard in the WordPress admin
   left nav — same tabbed UI as the Security plugin.

#### 1.4.2

 * New: Settings import/export — back up your configuration or copy it between sites.
 * New: Support Email field — if set, checkout block error messages include a “Contact
   us at…” line.

#### 1.4.1

 * Fix: VPN/proxy customers set to Monitor mode were incorrectly blocked by the 
   risk threshold.

#### 1.4.0

 * New: Automatic order hold, order velocity rules, billing country vs IP mismatch,
   disposable email detection, refund/chargeback feedback, test IP override.

#### 1.3.0

 * New: Off/Monitor/Block radio groups for VPN, proxy, and Tor.
 * New: Custom risk scoring weights — adjust per-signal contribution to the final
   risk score.

#### 1.2.0

 * New: Country-based blocking at checkout. Whitelist support. API timeout handling.

#### 1.1.0

 * New: Configurable risk threshold. Order meta. Detailed order notes.

#### 1.0.0

 * Initial release. Tag-only fraud screening at checkout. VPN / proxy / Tor / datacenter
   detection.

## Meta

 * Version **1.7.0**
 * Last updated **13 hours ago**
 * Active installations **Fewer than 10**
 * WordPress version **5.8 or higher**
 * Tested up to **7.0**
 * PHP version **7.4 or higher**
 * Tags: [checkout security](https://wordpress.org/plugins/tags/checkout-security/),
   [fraud prevention](https://wordpress.org/plugins/tags/fraud-prevention/),
   [woocommerce](https://wordpress.org/plugins/tags/woocommerce/)
