Imagine an attacker silently adds a piece of JavaScript to your WooCommerce checkout page. Every time a customer types in a credit card number, that hidden code copies it and sends it to the attacker, without you or your customer ever knowing. This type of attack is called checkout skimming (also known as formjacking or a Magecart attack), and it is one of the most common ways payment data is stolen from online stores.
Toply SkimShield protects you by watching your checkout page and alerting you the moment anything changes.
Step 1 — Takes a snapshot
When you run the first scan, the plugin looks at every script loaded on your checkout page, external files and inline scripts alike, and saves a fingerprint (a SHA-256 hash) for each one. This becomes your approved baseline, the “normal” state of your checkout.
Step 2 — Watches for changes
Every time someone visits your checkout page, the plugin silently compares the live scripts against that saved baseline. If everything matches, nothing happens. If a new script appears or an existing one has been modified, the plugin raises an alert immediately.
Step 3 — Notifies you by email
The moment a suspicious change is detected, you receive an email with details: which script changed, what it looked like before, what it looks like now, and a direct link to review it in your dashboard.
Step 4 — You decide what is legitimate
In the admin dashboard you see a list of all scripts found on your checkout page. You approve the ones you recognise (WooCommerce, Stripe, PayPal, Google Analytics, etc.) and block anything that looks suspicious. The plugin remembers your decisions.
Step 5 — Optionally block unauthorised scripts entirely (CSP)
Once you have approved all your legitimate scripts, you can turn on the Content Security Policy feature. This tells the browser: “do not run any script on the checkout page that is not on the approved list.” Even if an attacker manages to inject a script that is not on that list, the browser refuses to execute it. The policy starts in Report-Only mode, which logs violations but blocks nothing; enforcement begins only when you turn Report-Only off, so make sure every legitimate script is approved first or the checkout will break for real customers.
The first scan registers who is allowed in. Every visit after that checks: is there anyone new? If yes — alarm. No technical knowledge required to use it.
Prerequisites: WooCommerce must be active with at least one published product and a functioning checkout page (your shop must have a /checkout/ page set up by WooCommerce).
Step-by-step test procedure:
Install and activate the plugin. Navigate to SkimShield in the admin sidebar.
Run a manual scan — on the Dashboard tab, click the Scan Now button. The plugin fetches the WooCommerce checkout page and extracts every script tag (both external <script src="…"> and inline <script>…</script>).
View detected scripts — click the Script Whitelist tab. You will see a table listing all scripts found on the checkout page, each with its handle, source URL (or inline snippet), type (enqueued/inline), SHA-256 hash, and status (Pending).
Approve scripts — click the Approve button next to each legitimate script. The status changes to “Approved”.
Verify real-time monitoring — visit your store’s checkout page as a normal visitor (front-end). The plugin hooks into wp_enqueue_scripts at priority PHP_INT_MAX, so it runs after every other plugin and theme has registered its scripts, and records each one. New scripts trigger an entry in the Incidents log. Note that this hook only sees scripts registered through the WordPress enqueue API; a script echoed straight into a theme template or stored in post content is invisible to it, so also run Scan Now, which fetches the rendered page, when checking for that kind of injection.
Check the Incidents tab — any scripts detected for the first time generate an incident with severity “High”. A hash change (simulating a tampering event) generates a “Critical” incident.
Test email alerts — make sure the Alert Email address in Settings is a deliverable inbox. Visit the checkout page with a browser. If any new script is detected, an HTML email is sent immediately via wp_mail(). wp_mail() relies on your server’s mail configuration, so if no message arrives, first confirm that the site can send email at all (for example with an SMTP plugin’s test send) before assuming the alert failed.
Enable CSP (optional) — go to Settings, enable “CSP Header”, leave “Report-Only Mode” checked, and save. Visit the checkout page. The Content-Security-Policy-Report-Only HTTP header will now be present in the response (verify in the browser DevTools Network tab by selecting the checkout request and reading its response headers). In Report-Only mode the browser logs violations to the console but blocks nothing, which is the safe way to confirm that every legitimate script is on the approved list before switching to enforcement.
Generate a compliance report — click the PCI-DSS Report tab and review the auto-generated report covering PCI DSS v4.0 requirements 6.4.3 (inventory, authorisation and integrity of payment page scripts) and 12.10 (incident response).
Expected results after running Scan Now:
– The Script Whitelist tab shows all scripts that are on the checkout page
– Each row shows the script handle, source, type (enqueued or inline), a truncated SHA-256 hash, and status
– Approve/Block/Remove action buttons are functional
– The Dashboard shows the count of Approved, Pending, and Blocked scripts
This plugin does not connect to any external service for its core functionality. All script monitoring and hashing is performed locally on your server.
The auto-generated Content Security Policy (CSP) template includes default frame-src origins for PayPal, Stripe and Google Fonts (https://www.paypal.com, https://js.stripe.com, https://fonts.gstatic.com). These are included only as a starting point so that gateway iframes keep working when you first enable the CSP feature. No data is transmitted by this plugin to those domains; the browser uses the CSP header to decide which external resources it may load, independently of this plugin.
If your store does not use PayPal or Stripe, remove those origins via the Custom CSP Directives field in Settings. Every origin left in the policy is one the browser will still trust on the checkout page, so keep the list to the origins you actually use.