Description
The Problem
Imagine a hacker silently adds a piece of JavaScript code to your WooCommerce checkout page. Every time a customer types in their credit card number, that hidden code copies it and sends it to the hacker — without you or your customer ever knowing. This type of attack is called checkout skimming, and it is one of the most common ways online stores get compromised.
Toply SkimShield protects you by watching your checkout page and alerting you the moment anything changes.
How It Works
Step 1 — Takes a snapshot
When you run the first scan, the plugin looks at every JavaScript file loaded on your checkout page and saves a unique fingerprint (a hash) for each one. This becomes your approved baseline — the “normal” state of your checkout.
Step 2 — Watches for changes
Every time someone visits your checkout page, the plugin silently compares the live scripts against that saved baseline. If everything matches, nothing happens. If a new script appears or an existing one has been modified, the plugin raises an alert immediately.
Step 3 — Notifies you by email
The moment a suspicious change is detected, you receive an email with details: which script changed, what it looked like before, what it looks like now, and a direct link to review it in your dashboard.
Step 4 — You decide what is legitimate
In the admin dashboard you see a list of all scripts found on your checkout page. You approve the ones you recognise (WooCommerce, Stripe, PayPal, Google Analytics, etc.) and block anything that looks suspicious. The plugin remembers your decisions.
Step 5 — Optionally block unauthorised scripts entirely (CSP)
Once you have approved all your legitimate scripts, you can turn on the Content Security Policy feature. This tells the browser: “do not run any script on the checkout page that is not on the approved list.” Even if a hacker manages to inject a script, the browser will refuse to execute it.
Think of It Like a Security Camera for Your Checkout
The first scan registers who is allowed in. Every visit after that checks: is there anyone new? If yes — alarm. No technical knowledge required to use it.
Features
- Script monitoring — detects new or modified scripts on every checkout page load
- Instant email alerts — notified the moment something changes, via the standard WordPress email system
- Script whitelist — approve or block scripts with one click from the admin dashboard
- Content Security Policy — automatically generates a CSP header based on your approved scripts; start in Report-Only mode to avoid breaking checkout, then switch to Enforce when ready
- PCI-DSS compliance report — generates a printable report covering requirements 6.4.3 and 12.10, ready to show to your payment processor or auditor
- No external dependencies — everything runs on your own server, no API keys, no third-party services, no data sent anywhere
Who Needs This
- Any WooCommerce store that accepts card payments
- Store owners who want to know immediately if their checkout page is tampered with
- Agencies managing WooCommerce stores on behalf of clients
- Stores that need to demonstrate PCI-DSS compliance
How to Test This Plugin
Prerequisites: WooCommerce must be active with at least one published product and a functioning checkout page (your shop must have a /checkout/ page set up by WooCommerce).
Step-by-step test procedure:
-
Install and activate the plugin. Navigate to SkimShield in the admin sidebar.
-
Run a manual scan — on the Dashboard tab, click the Scan Now button. The plugin fetches the WooCommerce checkout page and extracts every script tag (both external
<script src="…">and inline<script>…</script>). -
View detected scripts — click the Script Whitelist tab. You will see a table listing all scripts found on the checkout page, each with its handle, source URL (or inline snippet), type (enqueued/inline), SHA-256 hash, and status (Pending).
-
Approve scripts — click the Approve button next to each legitimate script. The status changes to “Approved”.
-
Verify real-time monitoring — visit your store’s checkout page as a normal visitor (front-end). The plugin hooks into
wp_enqueue_scriptsat priorityPHP_INT_MAXand records every script loaded. New scripts trigger an entry in the Incidents log. -
Check the Incidents tab — any scripts detected for the first time generate an incident with severity “High”. A hash change (simulating a tampering event) generates a “Critical” incident.
-
Test email alerts — make sure the Alert Email address in Settings is a deliverable inbox. Visit the checkout page with a browser. If any new script is detected, an HTML email is sent immediately via
wp_mail(). -
Enable CSP (optional) — go to Settings, enable “CSP Header”, leave “Report-Only Mode” checked, and save. Visit the checkout page. The
Content-Security-Policy-Report-OnlyHTTP header will now be present (verify with browser DevTools Network checkout request headers). -
Generate a compliance report — click the PCI-DSS Report tab and review the auto-generated report covering requirements 6.4.3 and 12.10.
Expected results after running Scan Now:
– The Script Whitelist tab shows all scripts that are on the checkout page
– Each row shows the script handle, source, type (enqueued or inline), a truncated SHA-256 hash, and status
– Approve/Block/Remove action buttons are functional
– The Dashboard shows the count of Approved, Pending, and Blocked scripts
External services
This plugin does not connect to any external service for its core functionality. All script monitoring and hashing is performed locally on your server.
The auto-generated Content Security Policy (CSP) template includes default frame-src origins for common payment gateways (https://www.paypal.com, https://js.stripe.com, https://fonts.gstatic.com). These are included only as a default starting point to prevent checkout from breaking when you first enable the CSP feature. No data is transmitted by this plugin to those domains — the browser uses the CSP header to decide which external resources to load, independently of this plugin.
If your store does not use PayPal or Stripe, you can remove those origins via the Custom CSP Directives field in Settings.
Installation
- Upload the
toply-skimshieldfolder to the/wp-content/plugins/directory, or install directly through the WordPress plugin screen - Activate the plugin through the ‘Plugins’ screen in WordPress
- Navigate to SkimShield in the WordPress admin sidebar menu
- Click Scan Now on the Dashboard tab to detect and register all current checkout scripts
- Go to the Script Whitelist tab — review the detected scripts and click Approve on each one you recognise
- Optionally enable CSP in Settings starting with Report-Only mode, then switch to Enforce after 48 hours
FAQ
-
Will this break my checkout?
-
No. The monitoring is passive — it reads scripts, doesn’t modify them. The CSP feature starts in Report-Only mode by default (scripts are not blocked, only logged), giving you time to whitelist all legitimate scripts before enforcing.
-
Does it require any API key or external account?
-
No. The plugin runs entirely on your WordPress server. No API keys, no external services.
-
What happens when a legitimate plugin update changes a script?
-
The plugin detects the hash change and alerts you. You simply review the change (which you would expect after a plugin update), confirm it is legitimate, and approve the new hash. The system learns your updated baseline.
-
Does it support inline scripts?
-
Yes. The scheduled scan (hourly by default) fetches the checkout page HTML and extracts both external script sources and inline script content, hashing each one.
-
How does it send alerts?
-
Via wp_mail() — the standard WordPress email system. No SMTP configuration is required beyond what your WordPress installation already has.
-
Is it compatible with Stripe, PayPal, and other gateways?
-
Yes. The plugin monitors all scripts on the checkout page regardless of which payment gateway you use. Popular payment gateway scripts (Stripe.js, PayPal SDK) will be detected on first scan and added to the whitelist for your approval.
-
Nothing appears in the Script Whitelist after scanning — why?
-
The manual scan fetches the checkout page via
wp_remote_get(). Make sure:
– WooCommerce is active and a/checkout/page exists
– The checkout page is publicly accessible (not behind a password or maintenance mode)
– Your server can make outgoing HTTP requests to itself (loopback connections are enabled)You can verify loopback connectivity from Tools Site Health Info WordPress Constants —
WP_HTTP_BLOCK_EXTERNALshould not be set totrue.
Reviews
There are no reviews for this plugin.
Contributors & Developers
“Toply SkimShield” is open source software. The following people have contributed to this plugin.
Contributors
Translate “Toply SkimShield” into your language.
Interested in development?
Browse the code, check out the SVN repository, or subscribe to the development log by RSS.
Changelog
1.0.4
- Fix: Script source column now wraps to show the full path instead of truncating with ellipsis
1.0.3
- Fix: Incidents badge and security alert now show only unresolved incidents (previously counted resolved incidents too)
1.0.2
- Add: Bulk “Resolve Selected” with checkboxes on the Incidents tab
- Add: “Resolve All” button to resolve all open incidents at once
- Add: Bulk “Approve Selected” with checkboxes on the Script Whitelist tab
- Add: “Approve All Pending” button to approve all pending scripts at once
1.0.1
- Fix: Incidents tab showed “No incidents recorded” even when incidents existed (variable name mismatch in admin controller)
1.0.0
- Initial release
- Script hash monitoring via WordPress hooks and scheduled scans
- Content Security Policy header generation and management
- Script whitelist with approve/block/delete actions
- Instant email alerts via wp_mail()
- PCI-DSS v4.0 compliance report (requirements 6.4.3, 12.10)
- Incident log with severity levels and resolution tracking