Velocity Guard for WooCommerce

Is your store getting waves of failed orders and surprise payment-processor fees? That’s almost always a card-testing attack — and Velocity Guard stops it automatically.

What is card-testing? Criminals buy lists of stolen card numbers and need to find which ones still work. They do it by running hundreds of small orders through real checkouts like yours. Every attempt can cost you a processing fee, and a flood of declines can get your Stripe or PayPal account flagged or frozen. It’s automated — it can hammer your store overnight while you sleep.

What Velocity Guard does: It watches how fast orders arrive from the same shopper, email, or device. A real customer places one order; an attack tool tries dozens in minutes. When Velocity Guard sees that burst, it quietly turns away the extra attempts before they reach your payment processor — the attacker gets nothing and you don’t get billed. Genuine shoppers never notice; the limits sit well above normal buying behavior.

Set it and forget it. Install, activate, done. The defaults are tuned to be invisible to real customers, and it runs entirely on your own site with no account to create.

Under the hood, Velocity Guard tracks how many checkout attempts come from each identity (IP address, email address, session, or combination) inside a sliding time window. Once an identity crosses the configured threshold, further attempts are rejected before WooCommerce ever processes the order — including direct hits to the REST API that skip your normal checkout page. Repeated failed payments auto-blocklist the source for hours.

Free version features

• Sliding-window velocity rules per IP, email, session, or IP+email combination
• Failed-payment auto-blocklist — configurable threshold and lockout duration
• REST API endpoint coverage — protects /wc/v3/orders, /wc/store/v1/checkout, and /wc/store/checkout (the routes modern card-testing bots target directly)
• Proxy-aware IP detection — Cloudflare, Akamai, Fastly, X-Forwarded-For, X-Real-IP, with explicit admin opt-in to prevent header spoofing on sites with no upstream proxy
• Dashboard widget — blocked-attempt counts (24h / 7d / 30d) at a glance
• Event log — every block decision with rule, source IP, and detail
• Manual IP whitelist — exempt staff workstations and test cards (IPv4 + IPv6, validated)
• HPOS-native — built on WooCommerce’s High-Performance Order Storage from day one
• Compatible with classic checkout and Cart/Checkout block

Velocity Guard Pro

Pro upgrades available via the in-plugin Upgrade screen:

• Behavioural device fingerprinting — canvas + audio + envelope fingerprint, cookie-stored. Catches attackers rotating IPs but keeping the same browser. The IP rule alone misses this; fingerprint does not.
• Slack / Discord / email alerts — fires when blocks-per-window crosses your threshold. Per-channel rate limiting so a sustained attack doesn’t spam your inbox.
• Pattern library feed — rule packs sourced from active vulnerability research, applied before velocity counters. Catches obvious bot user agents (curl, headless browsers, scraping frameworks) on the first request.
• 14-day free trial, no credit card required.