Shop Defender

Overview

Shop Defender is a fraud prevention plugin for WooCommerce that protects your store from fraudulent orders, fake accounts, and suspicious transactions. It combines customizable blocking rules with intelligent risk scoring to automatically block, hold, or flag potentially fraudulent orders — all processed locally on your server with no external API dependencies.

Requirements:

WordPress 5.8 or higher
WooCommerce 7.0 or higher
PHP 7.4 or higher

Installation

↑ Back to top

Download the plugin ZIP file from your WooCommerce.com account.
In your WordPress admin, go to Plugins > Add New > Upload Plugin.
Select the ZIP file and click Install Now.
Click Activate Plugin.
Navigate to WooCommerce > Settings > Advanced > Shop Defender to configure the plugin.

Note: WooCommerce must be installed and activated before activating Shop Defender.

Getting Started

↑ Back to top

After activation, navigate to WooCommerce > Settings > Advanced > Shop Defender. The settings interface is organized into sections:

Enable Shop Defender — Toggle the plugin on to start protecting your store.
Configure Risk Thresholds — Set the score thresholds that determine when orders are blocked, held, or flagged.
Adjust Signal Weights — Fine-tune how much each risk signal contributes to the overall score.
Create Rules (Optional) — Add custom rules to block known bad actors or suspicious patterns.
Monitor Logs — Review the audit trail and refine your configuration over time.

The plugin starts protecting your checkout immediately after being enabled, using the default risk scoring settings. No rules are required — the heuristic risk engine works out of the box.

Rule-Based Blocking

↑ Back to top

Rules allow you to create custom filters to block, hold, or flag orders based on specific criteria.

Rule Types

↑ Back to top

Type	Description	Example
Email	Match against the customer’s email address	`fraud@example.com`
Domain	Match against the email domain	`disposable-mail.com`
Phone	Match against the billing phone number (auto-normalized)	`+15551234567`
IP	Match against the customer’s IP address	`192.168.1.100`
Country	Match against billing or shipping country (ISO code)	`XX`
Name	Match against customer first/last name	`John Doe`
Address	Match against billing or shipping address fields	`PO Box`

Matching Modes

↑ Back to top

Mode	Description	Example Pattern
Exact	Case-insensitive exact match	`fraud@example.com`
Contains	Substring match anywhere in the value	`disposable`
Wildcard	Supports `*` (any characters) and `?` (single character)	`@tempmail.`
Regex	Full regular expression matching	`^test\d+@`

Rule Actions

↑ Back to top

Action	Behavior
Block	Prevents the order at checkout. Payment is never processed. The customer sees your customizable error message.
Hold	Allows the order but automatically sets its status to “on-hold” for manual review. An admin note is added.
Flag	Allows the order to complete normally but adds a warning note and risk score for admin attention.

Rule Expiration

↑ Back to top

Rules can have an optional expiration date. Expired rules are automatically ignored during evaluation. This is useful for temporary blocks on specific addresses, IPs, or patterns.

How Rules Are Evaluated

↑ Back to top

When a customer reaches checkout, Shop Defender evaluates all active, non-expired rules against the order data. If any rule matches:

Block rules are checked first — if matched, checkout is prevented immediately.
Hold rules are checked next — if matched, the order is placed on hold after creation.
Flag rules are checked last — if matched, a warning note is added to the order.

If no rules match, the heuristic risk scoring engine takes over.

Risk Scoring

↑ Back to top

Shop Defender includes an automatic risk scoring engine that evaluates every order against six configurable signals.

Risk Signals

↑ Back to top

Signal	Default Weight	Description
Disposable Email	+30 points	Detects emails from known disposable/temporary email services. Bundled list of 5,000+ domains.
Failed IP	+20 points	Flags IPs that have been associated with blocked orders in the past. Configurable count threshold and lookback period.
Country Mismatch	+15 points	Detects when the billing country and shipping country are different.
Address Keywords	+10 points	Matches suspicious keywords in address fields (e.g., “PO Box”, “P.O. Box”). Keyword list is configurable.
New Account	+10 points	Flags orders from recently created accounts. Configurable age threshold (default: 7 days).
High-Value Order	+15 points	Flags orders above a configurable total amount (default: $300).

Risk Thresholds

↑ Back to top

The total risk score (0–100) determines the action taken:

Score Range	Action
70 or above (default)	Order is blocked at checkout
40–69 (default)	Order is placed on hold for review
1–39	Order is flagged with a warning note
0	Order is allowed with no action

Both thresholds (block and hold) are fully configurable in the settings.

Customizing Signals

↑ Back to top

All signal weights can be adjusted from 0 to 100. Setting a weight to 0 effectively disables that signal. Additional configuration options include:

High-value order threshold — The dollar amount above which the high-value signal triggers (default: $300).
Failed IP count — How many blocked orders from an IP before it triggers (default: 3).
Failed IP lookback — How many days to look back for blocked orders (default: 30).
New account days — How recently an account must have been created to trigger (default: 7 days).
Address keywords — A comma-separated list of keywords to match against address fields.

Decision Flow

↑ Back to top

For each order, Shop Defender follows this process:

Evaluate rules — Check all active rules against order data. If a block rule matches, stop immediately.
Calculate risk score — Run all six risk signals and sum their weights.
Apply thresholds — Compare the total score against your block and hold thresholds.
Take action — Block, hold, flag, or allow the order.
Log the result — Record the full decision with context, score, and trigger details.

Checkout Protection

↑ Back to top

Shop Defender validates orders at multiple stages to catch fraud as early as possible.

Classic Checkout

↑ Back to top

For the traditional WooCommerce checkout, validation runs during woocommerce_after_checkout_validation — before payment is processed. If an order is blocked, the customer sees your error message and no payment transaction occurs.

WooCommerce Blocks Checkout

↑ Back to top

For the newer Blocks-based checkout, Shop Defender uses an early interception point via rest_authentication_errors to block orders before they are even created. This is the most secure approach as it prevents even draft order creation for blocked customers.

For hold and flag actions on the Blocks checkout, processing occurs after the order is created via woocommerce_store_api_checkout_order_processed.

Post-Payment Assessment

↑ Back to top

As a fallback safety net, Shop Defender also evaluates orders after payment via woocommerce_payment_complete. This catches edge cases like COD (Cash on Delivery) or free orders and ensures every order is assessed.

Duplicate Prevention

↑ Back to top

Shop Defender includes built-in duplicate processing prevention. Each checkout request is tracked to ensure orders are only evaluated once, even when multiple hooks fire during the same request.

Draft Order Cleanup

↑ Back to top

When an order is blocked during the Blocks checkout, any draft order that was created is automatically deleted to keep your database clean.

Order Risk Assessment

↑ Back to top

Every order that passes through Shop Defender receives a detailed risk assessment stored as order metadata.

Order Metadata

↑ Back to top

Meta Key	Description
`_sd_risk_score`	Numeric risk score (0–100)
`_sd_action_taken`	Action performed: blocked, held, flagged, or allowed
`_sd_risk_details`	JSON array of individual risk factors and their details
`_sd_trigger_details`	Details about which rule or heuristic triggered the action

Risk Assessment Metabox

↑ Back to top

On every order page, a dedicated metabox displays the risk assessment:

Color-coded badge — Red (blocked), orange (on hold), amber (flagged), or green (low risk)
Risk score — Numeric score with a visual progress bar
Risk factors — A list of every signal that contributed to the score, with icons and explanations

The metabox appears in both the HPOS order editor and the classic post-based order editor.

Orders List Column

↑ Back to top

You can optionally enable a Fraud Risk column in the WooCommerce orders list. This column shows:

Risk level badge (color-coded)
Risk score
Risk level icon

Enable or disable this column from the Shop Defender settings under Show risk column on orders list.

Logs & Audit Trail

↑ Back to top

Shop Defender logs every fraud check to a dedicated database table.

Log Record Fields

↑ Back to top

Field	Description
Context	Where the check occurred: checkout or order
Action	What happened: blocked, held, flagged, or allowed
Trigger Type	What triggered the action: rule or heuristic
Rule ID	The specific rule that matched (if rule-triggered)
Risk Score	The calculated risk score
Email	Customer email address
IP	Customer IP address
Order ID	Associated WooCommerce order ID
Metadata	Full JSON context including all order details
Timestamp	When the check occurred

Filtering Logs

↑ Back to top

Use any combination of filters to find specific entries:

Context — Filter by checkout or order context
Action — Filter by blocked, held, flagged, or allowed
Email — Search by customer email
IP — Search by customer IP address
Order ID — Find logs for a specific order

Log Retention

↑ Back to top

Logs are automatically pruned by a daily WP-Cron task. The retention period is configurable (default: 90 days, range: 1–365 days). You can also manually delete specific log entries or prune logs older than a given number of days.

WooCommerce Analytics Integration

↑ Back to top

Shop Defender adds a dedicated Security Logs report to the WooCommerce Analytics dashboard.

Accessing the Report

↑ Back to top

Navigate to WooCommerce > Analytics > Security Logs to view the report.

Report Features

↑ Back to top

Date range filtering — Use the standard WooCommerce date picker to analyze logs over any period
Sorting — Sort by ID, date, score, context, or action
Filtering — Filter by context or action type
Pagination — Browse large datasets with page controls

Settings

↑ Back to top

The Shop Defender settings page is located at WooCommerce > Settings > Advanced > Shop Defender.

General Settings

↑ Back to top

Setting	Default	Description
Enable Shop Defender	No	Master toggle to enable/disable all fraud protection
Debug Mode	No	Log detailed information to the WooCommerce debug log
Show Risk Column	No	Display a fraud risk column on the WooCommerce orders list
Log Retention	90 days	How many days to keep fraud check logs (1–365)
Access Capability	manage_woocommerce	The minimum WordPress capability required to manage Shop Defender
Remove Data on Uninstall	No	Delete all plugin data (tables, options, order metadata) when the plugin is uninstalled

Risk Settings

↑ Back to top

Setting	Default	Description
Block Threshold	70	Minimum risk score to block an order at checkout
Hold Threshold	40	Minimum risk score to place an order on hold
Disposable Email Weight	30	Points added when a disposable email is detected
Failed IP Weight	20	Points added when the IP has previous blocked orders
Country Mismatch Weight	15	Points added when billing and shipping countries differ
Address Keyword Weight	10	Points added when suspicious keywords are found in addresses
New Account Weight	10	Points added when the customer account is recently created
High-Value Order Weight	15	Points added when the order total exceeds the threshold
High-Value Threshold	300	Order total above which the high-value signal triggers
Failed IP Count	3	Number of blocked orders from an IP before it is flagged
Failed IP Lookback Days	30	Number of days to look back for blocked orders from an IP
New Account Days	7	Number of days since account creation to consider it “new”
Address Keywords	po box, p.o. box, p.o box, pobox	Comma-separated list of suspicious address keywords

Message Settings

↑ Back to top

Setting	Default	Description
Block Message	“We’re unable to process your order at this time. Please contact support.”	The error message shown to customers when an order is blocked
Hold Note	“Order placed on hold for manual review by Shop Defender.”	The note added to orders placed on hold

Privacy & GDPR

↑ Back to top

Shop Defender includes built-in privacy and GDPR compliance features.

Data Collected

↑ Back to top

The plugin stores the following data from orders for fraud detection purposes:

Email address
IP address
Phone number
Billing and shipping names and addresses
Billing and shipping country
Order total and items
Account creation date
Payment and shipping methods

Data Processing

↑ Back to top

All data is processed locally on your server. No data is sent to external services, APIs, or third parties.

Privacy Policy Integration

↑ Back to top

Shop Defender automatically adds a suggested privacy policy section to Settings > Privacy in WordPress. This text explains what data is collected, why it is used, how long it is retained, and how customers can exercise their data rights.

Data Retention

↑ Back to top

Fraud check logs are automatically deleted based on your configured retention period (default: 90 days). A daily WP-Cron task handles this cleanup.

Clean Uninstall

↑ Back to top

When the Remove Data on Uninstall setting is enabled and you delete the plugin, all data is removed:

Custom database tables (rules and logs)
Plugin options and settings
Order metadata (risk scores, action taken, risk details)
Scheduled cron events

If “Remove Data on Uninstall” is disabled (default), deleting the plugin preserves all data for potential reinstallation.

REST API

↑ Back to top

Shop Defender provides a full REST API for programmatic access. All endpoints are under the shop-defender/v1 namespace and require the capability configured in settings (default: manage_woocommerce).

Authentication

↑ Back to top

All requests must be authenticated with a user who has the required capability. Use standard WordPress REST API authentication methods (cookie with nonce, application passwords, or OAuth).

Settings Endpoints

↑ Back to top

Method	Endpoint	Description
`GET`	`/wp-json/shop-defender/v1/settings`	Get current plugin settings
`POST`	`/wp-json/shop-defender/v1/settings`	Update plugin settings

Rules Endpoints

↑ Back to top

Method	Endpoint	Description
`GET`	`/wp-json/shop-defender/v1/rules`	List all rules
`GET`	`/wp-json/shop-defender/v1/rules/{id}`	Get a single rule
`POST`	`/wp-json/shop-defender/v1/rules`	Create a new rule
`PUT`	`/wp-json/shop-defender/v1/rules/{id}`	Update a rule
`DELETE`	`/wp-json/shop-defender/v1/rules/{id}`	Delete a rule

Rule Object:

{
  "id": 1,
  "type": "email",
  "operator": "block",
  "match_type": "exact",
  "pattern": "fraud@example.com",
  "expires_at": "2026-12-31 23:59:59",
  "created_at": "2026-01-15 10:30:00",
  "created_by": 1
}

Rule Parameters:

Parameter	Type	Required	Description
`type`	string	Yes	email, domain, phone, ip, country, name, or address
`operator`	string	Yes	block, hold, or flag
`match_type`	string	Yes	exact, contains, wildcard, or regex
`pattern`	string	Yes	The pattern to match against
`expires_at`	string	No	Expiration date in YYYY-MM-DD HH:MM:SS format

Risk Settings Endpoints

↑ Back to top

Method	Endpoint	Description
`GET`	`/wp-json/shop-defender/v1/risk-settings`	Get risk configuration
`POST`	`/wp-json/shop-defender/v1/risk-settings`	Update risk weights and thresholds

Logs Endpoints

↑ Back to top

Method	Endpoint	Description
`GET`	`/wp-json/shop-defender/v1/logs`	Get log records with filtering
`DELETE`	`/wp-json/shop-defender/v1/logs`	Delete log records

GET Parameters:

Parameter	Type	Description
`context`	string	Filter by context (checkout, order)
`action`	string	Filter by action (blocked, held, flagged, allowed)
`email`	string	Filter by customer email
`ip`	string	Filter by customer IP
`order_id`	number	Filter by order ID
`limit`	number	Records per page
`offset`	number	Records to skip

DELETE Parameters:

Parameter	Type	Description
`days`	number	Delete logs older than this many days
`ids`	array	Delete specific log entries by ID

Analytics Endpoint

↑ Back to top

Method	Endpoint	Description
`GET`	`/wp-json/wc-analytics/reports/fraud-logs`	Get fraud logs for WooCommerce Analytics

Parameters:

Parameter	Type	Description
`after`	string	Start date (ISO 8601)
`before`	string	End date (ISO 8601)
`page`	number	Page number
`per_page`	number	Records per page
`orderby`	string	Sort field (id, created_at, score, context, action)
`order`	string	Sort direction (asc, desc)
`context`	string	Filter by context
`action`	string	Filter by action

Developer Hooks

↑ Back to top

Shop Defender provides several hooks for developers to extend its functionality.

Actions

↑ Back to top

// Fired when an order is blocked
do_action( 'shopdefender/blocked', $context, $decision );

// Fired when an order is placed on hold
do_action( 'shopdefender/held', $context, $decision );

// Fired when an order is flagged
do_action( 'shopdefender/flagged', $context, $decision );

Parameters:

$context (array) — The full order context including email, IP, address, order data, etc.
$decision (object) — The decision object with action, score, trigger type, and details.

Filters

↑ Back to top

// Modify the final fraud decision before it is applied
$decision = apply_filters( 'shopdefender/decision', $decision, $context );

// Add, remove, or modify risk signals before scoring
$signals = apply_filters( 'shop_defender_risk_signals', $signals, $context );

// Customize the list of disposable email domains
$domains = apply_filters( 'shop_defender_disposable_domains', $domains );

Example: Add a Custom Risk Signal

add_filter( 'shop_defender_risk_signals', function( $signals, $context ) {
    // Flag orders using free email providers
    $free_domains = [ 'gmail.com', 'yahoo.com', 'hotmail.com' ];
    $email_domain = substr( $context['email'], strpos( $context['email'], '@' ) + 1 );

    if ( in_array( $email_domain, $free_domains, true ) ) {
        $signals[] = [
            'key'    => 'free_email',
            'score'  => 5,
            'detail' => 'Free email provider detected',
        ];
    }

    return $signals;
}, 10, 2 );

Example: Override a Decision

add_filter( 'shopdefender/decision', function( $decision, $context ) {
    // Always allow orders from VIP customers
    $user = get_user_by( 'email', $context['email'] );
    if ( $user && in_array( 'vip_customer', $user->roles, true ) ) {
        $decision->action = 'allow';
        $decision->score  = 0;
    }

    return $decision;
}, 10, 2 );

Compatibility

↑ Back to top

WooCommerce HPOS

↑ Back to top

Shop Defender is fully compatible with WooCommerce High-Performance Order Storage (HPOS / Custom Order Tables). Order metadata, the risk metabox, and the orders list column all work with both HPOS and the legacy post-based order system.

WooCommerce Checkout

↑ Back to top

Full support for both the classic WooCommerce checkout and the WooCommerce Blocks checkout. The plugin uses different hook strategies for each to ensure the earliest possible interception of fraudulent orders.

Multisite

↑ Back to top

Shop Defender is multisite compatible with per-site isolation. Each site in a multisite network has its own independent rules, logs, and settings.

WordPress & WooCommerce Versions

↑ Back to top

WordPress: 5.8 and above (tested up to 6.9.1)
WooCommerce: 7.0 and above (tested up to 10.5.1)
PHP: 7.4 and above

Themes

↑ Back to top

Shop Defender is an admin-only plugin with no frontend output. It is compatible with any WordPress or WooCommerce theme.

Frequently Asked Questions

↑ Back to top

What happens when an order is blocked?

↑ Back to top

The checkout is prevented and no payment is processed. The customer sees your customizable error message. If using the Blocks checkout, any draft order that was created is automatically deleted. The block attempt is fully logged for your review.

What is the difference between Hold and Flag?

↑ Back to top

Hold automatically changes the order status to “on-hold” and adds a detailed note for admin review. The order exists but will not proceed to fulfillment until you manually approve it.

Flag allows the order to complete normally (including payment processing and fulfillment). A warning note and risk score are added to the order for your information when reviewing or fulfilling.

The daily log pruning cron event is removed.
All rules, logs, and settings are preserved for reactivation.
Fraud protection is disabled immediately.

When you delete the plugin (with “Remove Data on Uninstall” enabled):

The rules and logs database tables are dropped.
All plugin options and settings are removed.
All order metadata (risk scores, action taken, risk details) is removed from both HPOS and classic orders.
Scheduled cron events are cleared.

If “Remove Data on Uninstall” is disabled (default), deleting the plugin preserves all data for potential reinstallation.

Related Products

Offer add-ons like gift wrapping, special messages or other special options for your products.

Add shipment tracking information to your orders.