Fix: full script path now visible in whitelist and incidents tables.<\/p>","1.0.3":"
Fix: incidents badge now excludes resolved incidents.<\/p>","1.0.2":"
Adds bulk resolve and bulk approve actions for faster incident management.<\/p>","1.0.1":"
Bug fix: Incidents tab now correctly displays all recorded security incidents.<\/p>","1.0.0":"
Initial release.<\/p>"},"ratings":[],"assets_icons":{"icon-128x128.png":{"filename":"icon-128x128.png","revision":3555435,"resolution":"128x128","location":"assets","locale":"","width":128,"height":128},"icon-256x256.png":{"filename":"icon-256x256.png","revision":3555435,"resolution":"256x256","location":"assets","locale":"","width":256,"height":256}},"assets_banners":{"banner-1544x500.png":{"filename":"banner-1544x500.png","revision":3555435,"resolution":"1544x500","location":"assets","locale":"","width":1544,"height":500},"banner-772x250.png":{"filename":"banner-772x250.png","revision":3555435,"resolution":"772x250","location":"assets","locale":"","width":772,"height":250}},"assets_blueprints":{},"all_blocks":[],"tagged_versions":["1.0.0","1.0.1","1.0.2","1.0.3","1.0.4"],"block_files":[],"assets_screenshots":[],"screenshots":{"1":"Dashboard \u2014 overview of protection status, recent incidents, and CSP policy","2":"Script Whitelist \u2014 all checkout scripts with one-click approve\/block actions","3":"Incidents log \u2014 full history of detected anomalies with severity levels","4":"PCI-DSS Compliance Report \u2014 printable compliance report for auditors","5":"Settings \u2014 configure monitoring, alerts, and CSP behavior"}},"plugin_section":[],"plugin_tags":[3148,265161,265160,600,286],"plugin_category":[45,54],"plugin_contributors":[259546],"plugin_business_model":[],"class_list":["post-309518","plugin","type-plugin","status-publish","hentry","plugin_tags-checkout","plugin_tags-pci-dss","plugin_tags-script-monitoring","plugin_tags-security","plugin_tags-woocommerce","plugin_category-ecommerce","plugin_category-security-and-spam-protection","plugin_contributors-toply","plugin_committers-toply"],"banners":{"banner":"https:\/\/ps.w.org\/toply-skimshield\/assets\/banner-772x250.png?rev=3555435","banner_2x":"https:\/\/ps.w.org\/toply-skimshield\/assets\/banner-1544x500.png?rev=3555435","banner_rtl":false,"banner_2x_rtl":false},"icons":{"svg":false,"icon":"https:\/\/ps.w.org\/toply-skimshield\/assets\/icon-128x128.png?rev=3555435","icon_2x":"https:\/\/ps.w.org\/toply-skimshield\/assets\/icon-256x256.png?rev=3555435","generated":false},"screenshots":[],"raw_content":"\n
Imagine a hacker silently adds a piece of JavaScript code to your WooCommerce checkout page. Every time a customer types in their credit card number, that hidden code copies it and sends it to the hacker \u2014 without you or your customer ever knowing. This type of attack is called checkout skimming<\/strong>, and it is one of the most common ways online stores get compromised.<\/p>\n\n Toply SkimShield protects you by watching your checkout page and alerting you the moment anything changes.<\/p>\n\n Step 1 \u2014 Takes a snapshot<\/strong>\nWhen you run the first scan, the plugin looks at every JavaScript file loaded on your checkout page and saves a unique fingerprint (a hash) for each one. This becomes your approved baseline \u2014 the \"normal\" state of your checkout.<\/p>\n\n Step 2 \u2014 Watches for changes<\/strong>\nEvery time someone visits your checkout page, the plugin silently compares the live scripts against that saved baseline. If everything matches, nothing happens. If a new script appears or an existing one has been modified, the plugin raises an alert immediately.<\/p>\n\n Step 3 \u2014 Notifies you by email<\/strong>\nThe moment a suspicious change is detected, you receive an email with details: which script changed, what it looked like before, what it looks like now, and a direct link to review it in your dashboard.<\/p>\n\n Step 4 \u2014 You decide what is legitimate<\/strong>\nIn the admin dashboard you see a list of all scripts found on your checkout page. You approve the ones you recognise (WooCommerce, Stripe, PayPal, Google Analytics, etc.) and block anything that looks suspicious. The plugin remembers your decisions.<\/p>\n\n Step 5 \u2014 Optionally block unauthorised scripts entirely (CSP)<\/strong>\nOnce you have approved all your legitimate scripts, you can turn on the Content Security Policy feature. This tells the browser: \"do not run any script on the checkout page that is not on the approved list.\" Even if a hacker manages to inject a script, the browser will refuse to execute it.<\/p>\n\n The first scan registers who is allowed in. Every visit after that checks: is there anyone new? If yes \u2014 alarm. No technical knowledge required to use it.<\/p>\n\n Prerequisites:<\/strong> WooCommerce must be active with at least one published product and a functioning checkout page (your shop must have a Step-by-step test procedure:<\/strong><\/p>\n\n Install and activate<\/strong> the plugin. Navigate to SkimShield<\/strong> in the admin sidebar.<\/p><\/li>\n Run a manual scan<\/strong> \u2014 on the Dashboard tab, click the Scan Now<\/strong> button. The plugin fetches the WooCommerce checkout page and extracts every script tag (both external View detected scripts<\/strong> \u2014 click the Script Whitelist<\/strong> tab. You will see a table listing all scripts found on the checkout page, each with its handle, source URL (or inline snippet), type (enqueued\/inline), SHA-256 hash, and status (Pending).<\/p><\/li>\n Approve scripts<\/strong> \u2014 click the Approve<\/strong> button next to each legitimate script. The status changes to \"Approved\".<\/p><\/li>\n Verify real-time monitoring<\/strong> \u2014 visit your store's checkout page as a normal visitor (front-end). The plugin hooks into Check the Incidents tab<\/strong> \u2014 any scripts detected for the first time generate an incident with severity \"High\". A hash change (simulating a tampering event) generates a \"Critical\" incident.<\/p><\/li>\n Test email alerts<\/strong> \u2014 make sure the Alert Email address in Settings<\/strong> is a deliverable inbox. Visit the checkout page with a browser. If any new script is detected, an HTML email is sent immediately via Enable CSP (optional)<\/strong> \u2014 go to Settings<\/strong>, enable \"CSP Header\", leave \"Report-Only Mode\" checked, and save. Visit the checkout page. The Generate a compliance report<\/strong> \u2014 click the PCI-DSS Report<\/strong> tab and review the auto-generated report covering requirements 6.4.3 and 12.10.<\/p><\/li>\n<\/ol>\n\n Expected results after running Scan Now:<\/strong>\n- The Script Whitelist tab shows all scripts that are on the checkout page\n- Each row shows the script handle, source, type (enqueued or inline), a truncated SHA-256 hash, and status\n- Approve\/Block\/Remove action buttons are functional\n- The Dashboard shows the count of Approved, Pending, and Blocked scripts<\/p>\n\n This plugin does not<\/strong> connect to any external service for its core functionality. All script monitoring and hashing is performed locally on your server.<\/p>\n\n The auto-generated Content Security Policy (CSP) template includes default If your store does not use PayPal or Stripe, you can remove those origins via the Custom CSP Directives field in Settings.<\/p>\n\n\n No. The monitoring is passive \u2014 it reads scripts, doesn't modify them. The CSP feature starts in Report-Only mode by default (scripts are not blocked, only logged), giving you time to whitelist all legitimate scripts before enforcing.<\/p><\/dd>\n No. The plugin runs entirely on your WordPress server. No API keys, no external services.<\/p><\/dd>\n The plugin detects the hash change and alerts you. You simply review the change (which you would expect after a plugin update), confirm it is legitimate, and approve the new hash. The system learns your updated baseline.<\/p><\/dd>\n Yes. The scheduled scan (hourly by default) fetches the checkout page HTML and extracts both external script sources and inline script content, hashing each one.<\/p><\/dd>\n Via wp_mail() \u2014 the standard WordPress email system. No SMTP configuration is required beyond what your WordPress installation already has.<\/p><\/dd>\n Yes. The plugin monitors all scripts on the checkout page regardless of which payment gateway you use. Popular payment gateway scripts (Stripe.js, PayPal SDK) will be detected on first scan and added to the whitelist for your approval.<\/p><\/dd>\n The manual scan fetches the checkout page via You can verify loopback connectivity from Tools \u2192 Site Health \u2192 Info \u2192 WordPress Constants<\/strong> \u2014 How It Works<\/h4>\n\n
Think of It Like a Security Camera for Your Checkout<\/h4>\n\n
Features<\/h4>\n\n
\n
Who Needs This<\/h4>\n\n
\n
How to Test This Plugin<\/h3>\n\n
\/checkout\/<\/code> page set up by WooCommerce).<\/p>\n\n\n
<script src=\"\u2026\"><\/code> and inline <script>\u2026<\/script><\/code>).<\/p><\/li>\nwp_enqueue_scripts<\/code> at priority PHP_INT_MAX<\/code> and records every script loaded. New scripts trigger an entry in the Incidents log.<\/p><\/li>\nwp_mail()<\/code>.<\/p><\/li>\nContent-Security-Policy-Report-Only<\/code> HTTP header will now be present (verify with browser DevTools \u2192 Network \u2192 checkout request headers).<\/p><\/li>\nExternal services<\/h3>\n\n
frame-src<\/code> origins for common payment gateways (https:\/\/www.paypal.com<\/code>, https:\/\/js.stripe.com<\/code>, https:\/\/fonts.gstatic.com<\/code>). These are included only as a default starting point to prevent checkout from breaking when you first enable the CSP feature. No data is transmitted by this plugin to those domains \u2014 the browser uses the CSP header to decide which external resources to load, independently of this plugin.<\/p>\n\n\n
toply-skimshield<\/code> folder to the \/wp-content\/plugins\/<\/code> directory, or install directly through the WordPress plugin screen<\/li>\n\n
Will this break my checkout?<\/h3><\/dt>\n
Does it require any API key or external account?<\/h3><\/dt>\n
What happens when a legitimate plugin update changes a script?<\/h3><\/dt>\n
Does it support inline scripts?<\/h3><\/dt>\n
How does it send alerts?<\/h3><\/dt>\n
Is it compatible with Stripe, PayPal, and other gateways?<\/h3><\/dt>\n
Nothing appears in the Script Whitelist after scanning \u2014 why?<\/h3><\/dt>\n
wp_remote_get()<\/code>. Make sure:\n- WooCommerce is active and a \/checkout\/<\/code> page exists\n- The checkout page is publicly accessible (not behind a password or maintenance mode)\n- Your server can make outgoing HTTP requests to itself (loopback connections are enabled)<\/p>\n\nWP_HTTP_BLOCK_EXTERNAL<\/code> should not be set to true<\/code>.<\/p><\/dd>\n\n<\/dl>\n\n\n1.0.4<\/h4>\n\n
\n
1.0.3<\/h4>\n\n
\n
1.0.2<\/h4>\n\n
\n
1.0.1<\/h4>\n\n
\n
1.0.0<\/h4>\n\n
\n