Title: Toply SkimShield
Author: TonioWeb
Published: May 31, 2026
Last modified: May 31, 2026
---
Search plugins
# Toply SkimShield
By [TonioWeb](https://profiles.wordpress.org/toply/)
[Download](https://downloads.wordpress.org/plugin/toply-skimshield.1.0.4.zip)
* [Details](https://wordpress.org/plugins/toply-skimshield/#description)
* [Reviews](https://wordpress.org/plugins/toply-skimshield/#reviews)
* [Installation](https://wordpress.org/plugins/toply-skimshield/#installation)
* [Development](https://wordpress.org/plugins/toply-skimshield/#developers)
[Support](https://wordpress.org/support/plugin/toply-skimshield/)
## Description
#### The Problem
Imagine a hacker silently adds a piece of JavaScript code to your WooCommerce checkout
page. Every time a customer types in their credit card number, that hidden code
copies it and sends it to the hacker — without you or your customer ever knowing.
This type of attack is called **checkout skimming**, and it is one of the most common
ways online stores get compromised.
Toply SkimShield protects you by watching your checkout page and alerting you the
moment anything changes.
#### How It Works
**Step 1 — Takes a snapshot**
When you run the first scan, the plugin looks at
every JavaScript file loaded on your checkout page and saves a unique fingerprint(
a hash) for each one. This becomes your approved baseline — the “normal” state of
your checkout.
**Step 2 — Watches for changes**
Every time someone visits your checkout page,
the plugin silently compares the live scripts against that saved baseline. If everything
matches, nothing happens. If a new script appears or an existing one has been modified,
the plugin raises an alert immediately.
**Step 3 — Notifies you by email**
The moment a suspicious change is detected,
you receive an email with details: which script changed, what it looked like before,
what it looks like now, and a direct link to review it in your dashboard.
**Step 4 — You decide what is legitimate**
In the admin dashboard you see a list
of all scripts found on your checkout page. You approve the ones you recognise (
WooCommerce, Stripe, PayPal, Google Analytics, etc.) and block anything that looks
suspicious. The plugin remembers your decisions.
**Step 5 — Optionally block unauthorised scripts entirely (CSP)**
Once you have
approved all your legitimate scripts, you can turn on the Content Security Policy
feature. This tells the browser: “do not run any script on the checkout page that
is not on the approved list.” Even if a hacker manages to inject a script, the browser
will refuse to execute it.
#### Think of It Like a Security Camera for Your Checkout
The first scan registers who is allowed in. Every visit after that checks: is there
anyone new? If yes — alarm. No technical knowledge required to use it.
#### Features
* **Script monitoring** — detects new or modified scripts on every checkout page
load
* **Instant email alerts** — notified the moment something changes, via the standard
WordPress email system
* **Script whitelist** — approve or block scripts with one click from the admin
dashboard
* **Content Security Policy** — automatically generates a CSP header based on your
approved scripts; start in Report-Only mode to avoid breaking checkout, then
switch to Enforce when ready
* **PCI-DSS compliance report** — generates a printable report covering requirements
6.4.3 and 12.10, ready to show to your payment processor or auditor
* **No external dependencies** — everything runs on your own server, no API keys,
no third-party services, no data sent anywhere
#### Who Needs This
* Any WooCommerce store that accepts card payments
* Store owners who want to know immediately if their checkout page is tampered
with
* Agencies managing WooCommerce stores on behalf of clients
* Stores that need to demonstrate PCI-DSS compliance
### How to Test This Plugin
**Prerequisites:** WooCommerce must be active with at least one published product
and a functioning checkout page (your shop must have a `/checkout/` page set up
by WooCommerce).
**Step-by-step test procedure:**
1. **Install and activate** the plugin. Navigate to **SkimShield** in the admin sidebar.
2. **Run a manual scan** — on the Dashboard tab, click the **Scan Now** button. The
plugin fetches the WooCommerce checkout page and extracts every script tag (both
external ``).
3. **View detected scripts** — click the **Script Whitelist** tab. You will see a
table listing all scripts found on the checkout page, each with its handle, source
URL (or inline snippet), type (enqueued/inline), SHA-256 hash, and status (Pending).
4. **Approve scripts** — click the **Approve** button next to each legitimate script.
The status changes to “Approved”.
5. **Verify real-time monitoring** — visit your store’s checkout page as a normal
visitor (front-end). The plugin hooks into `wp_enqueue_scripts` at priority `PHP_INT_MAX`
and records every script loaded. New scripts trigger an entry in the Incidents
log.
6. **Check the Incidents tab** — any scripts detected for the first time generate
an incident with severity “High”. A hash change (simulating a tampering event)
generates a “Critical” incident.
7. **Test email alerts** — make sure the Alert Email address in **Settings** is a
deliverable inbox. Visit the checkout page with a browser. If any new script is
detected, an HTML email is sent immediately via `wp_mail()`.
8. **Enable CSP (optional)** — go to **Settings**, enable “CSP Header”, leave “Report-
Only Mode” checked, and save. Visit the checkout page. The `Content-Security-Policy-
Report-Only` HTTP header will now be present (verify with browser DevTools Network
checkout request headers).
9. **Generate a compliance report** — click the **PCI-DSS Report** tab and review
the auto-generated report covering requirements 6.4.3 and 12.10.
**Expected results after running Scan Now:**
– The Script Whitelist tab shows all
scripts that are on the checkout page – Each row shows the script handle, source,
type (enqueued or inline), a truncated SHA-256 hash, and status – Approve/Block/
Remove action buttons are functional – The Dashboard shows the count of Approved,
Pending, and Blocked scripts
### External services
This plugin does **not** connect to any external service for its core functionality.
All script monitoring and hashing is performed locally on your server.
The auto-generated Content Security Policy (CSP) template includes default `frame-
src` origins for common payment gateways (`https://www.paypal.com`, `https://js.
stripe.com`, `https://fonts.gstatic.com`). These are included only as a default
starting point to prevent checkout from breaking when you first enable the CSP feature.
No data is transmitted by this plugin to those domains — the browser uses the CSP
header to decide which external resources to load, independently of this plugin.
If your store does not use PayPal or Stripe, you can remove those origins via the
Custom CSP Directives field in Settings.
## Installation
1. Upload the `toply-skimshield` folder to the `/wp-content/plugins/` directory, or
install directly through the WordPress plugin screen
2. Activate the plugin through the ‘Plugins’ screen in WordPress
3. Navigate to **SkimShield** in the WordPress admin sidebar menu
4. Click **Scan Now** on the Dashboard tab to detect and register all current checkout
scripts
5. Go to the **Script Whitelist** tab — review the detected scripts and click **Approve**
on each one you recognise
6. Optionally enable CSP in **Settings** starting with Report-Only mode, then switch
to Enforce after 48 hours
## FAQ
### Will this break my checkout?
No. The monitoring is passive — it reads scripts, doesn’t modify them. The CSP feature
starts in Report-Only mode by default (scripts are not blocked, only logged), giving
you time to whitelist all legitimate scripts before enforcing.
### Does it require any API key or external account?
No. The plugin runs entirely on your WordPress server. No API keys, no external
services.
### What happens when a legitimate plugin update changes a script?
The plugin detects the hash change and alerts you. You simply review the change (
which you would expect after a plugin update), confirm it is legitimate, and approve
the new hash. The system learns your updated baseline.
### Does it support inline scripts?
Yes. The scheduled scan (hourly by default) fetches the checkout page HTML and extracts
both external script sources and inline script content, hashing each one.
### How does it send alerts?
Via wp_mail() — the standard WordPress email system. No SMTP configuration is required
beyond what your WordPress installation already has.
### Is it compatible with Stripe, PayPal, and other gateways?
Yes. The plugin monitors all scripts on the checkout page regardless of which payment
gateway you use. Popular payment gateway scripts (Stripe.js, PayPal SDK) will be
detected on first scan and added to the whitelist for your approval.
### Nothing appears in the Script Whitelist after scanning — why?
The manual scan fetches the checkout page via `wp_remote_get()`. Make sure:
– WooCommerce
is active and a `/checkout/` page exists – The checkout page is publicly accessible(
not behind a password or maintenance mode) – Your server can make outgoing HTTP
requests to itself (loopback connections are enabled)
You can verify loopback connectivity from **Tools Site Health Info WordPress
Constants** — `WP_HTTP_BLOCK_EXTERNAL` should not be set to `true`.
## Reviews
There are no reviews for this plugin.
## Contributors & Developers
“Toply SkimShield” is open source software. The following people have contributed
to this plugin.
Contributors
* [ TonioWeb ](https://profiles.wordpress.org/toply/)
[Translate “Toply SkimShield” into your language.](https://translate.wordpress.org/projects/wp-plugins/toply-skimshield)
### Interested in development?
[Browse the code](https://plugins.trac.wordpress.org/browser/toply-skimshield/),
check out the [SVN repository](https://plugins.svn.wordpress.org/toply-skimshield/),
or subscribe to the [development log](https://plugins.trac.wordpress.org/log/toply-skimshield/)
by [RSS](https://plugins.trac.wordpress.org/log/toply-skimshield/?limit=100&mode=stop_on_copy&format=rss).
## Changelog
#### 1.0.4
* Fix: Script source column now wraps to show the full path instead of truncating
with ellipsis
#### 1.0.3
* Fix: Incidents badge and security alert now show only unresolved incidents (previously
counted resolved incidents too)
#### 1.0.2
* Add: Bulk “Resolve Selected” with checkboxes on the Incidents tab
* Add: “Resolve All” button to resolve all open incidents at once
* Add: Bulk “Approve Selected” with checkboxes on the Script Whitelist tab
* Add: “Approve All Pending” button to approve all pending scripts at once
#### 1.0.1
* Fix: Incidents tab showed “No incidents recorded” even when incidents existed(
variable name mismatch in admin controller)
#### 1.0.0
* Initial release
* Script hash monitoring via WordPress hooks and scheduled scans
* Content Security Policy header generation and management
* Script whitelist with approve/block/delete actions
* Instant email alerts via wp_mail()
* PCI-DSS v4.0 compliance report (requirements 6.4.3, 12.10)
* Incident log with severity levels and resolution tracking
## Meta
* Version **1.0.4**
* Last updated **1 day ago**
* Active installations **Fewer than 10**
* WordPress version ** 5.8 or higher **
* Tested up to **7.0**
* PHP version ** 7.4 or higher **
* Tags
* [checkout](https://wordpress.org/plugins/tags/checkout/)[security](https://wordpress.org/plugins/tags/security/)
[woocommerce](https://wordpress.org/plugins/tags/woocommerce/)
* [Advanced View](https://wordpress.org/plugins/toply-skimshield/advanced/)
## Ratings
No reviews have been submitted yet.
[Your review](https://wordpress.org/support/plugin/toply-skimshield/reviews/#new-post)
[See all reviews](https://wordpress.org/support/plugin/toply-skimshield/reviews/)
## Contributors
* [ TonioWeb ](https://profiles.wordpress.org/toply/)
## Support
Got something to say? Need help?
[View support forum](https://wordpress.org/support/plugin/toply-skimshield/)