Checkout Rate Limiter for WooCommerce

Published: July 2025
Author: Dan Slade (PPSH)
Plugin Page: View on WordPress.org (add actual URL after submission)


What It Does

If you’ve ever experienced fake orders flooding your WooCommerce store, you’re not alone. This plugin was built to solve exactly that.

WooCommerce Checkout Rate Limiter is a lightweight, no-setup plugin that silently watches for excessive checkout attempts from a single IP address. If an IP tries to complete checkout more than 10 times per hour, it gets blocked – and logged for later review.

No config. No bloat. Just practical protection.


Why I Built It

A client site running Wordfence (free version) was being bombarded with hundreds of fake WooCommerce orders – all from the same IP address. Wordfence could block the IP manually, but there was no automatic way to detect excessive order attempts per IP.

That’s where this plugin comes in.

Rather than trying to act like a full firewall, this plugin focuses on one specific pattern of abuse and blocks it cleanly.


How It Works

  • Hooks into the WooCommerce checkout process
  • Tracks the number of attempts per IP using WordPress transients
  • If the count exceeds 10 in one hour:
    • Displays a 429 Too Many Requests error to the user
    • Logs the IP address and timestamp to a file:
      wp-content/uploads/blocked-checkout-ips.txt

You can then copy these IPs into Wordfence’s block list (or your server firewall) as needed.


File Logging

Example entry in the log file:

123.45.67.89    2025-07-03 11:42:10

This gives you a running list of abusive IPs without relying on external services or complex dashboards.
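The flow described under "How It Works" and "File Logging", sketched as an added example; this is not the plugin's own source. The function names, the `crl_demo_` transient prefix, the fixed-window bookkeeping, the use of `REMOTE_ADDR` and the UTC timestamp are assumptions made for illustration.

```php
<?php
// Added illustration, not the plugin's source. Function names, the transient
// key prefix and the fixed-window bookkeeping are assumptions.

const CRL_DEMO_LIMIT = 10; // attempts allowed per IP per hour (from the post)

add_action( 'woocommerce_checkout_process', 'crl_demo_check_checkout_rate' );

function crl_demo_check_checkout_rate() {
    // REMOTE_ADDR is the TCP peer. Behind a proxy or CDN it is the proxy's
    // address; only read X-Forwarded-For if the proxy is one you control.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    if ( ! filter_var( $ip, FILTER_VALIDATE_IP ) ) {
        return; // no usable address, so nothing to key the counter on
    }

    $key   = 'crl_demo_' . md5( $ip ); // hashed: fixed length, safe characters
    $state = get_transient( $key );
    $now   = time();

    // Start a new one-hour window when none exists or the old one has ended.
    if ( ! is_array( $state ) || $now - $state['start'] >= HOUR_IN_SECONDS ) {
        $state = array( 'start' => $now, 'count' => 0 );
    }
    $state['count']++;

    // Expire the transient when the window ends, so repeated writes do not
    // keep pushing the expiry forward.
    $ttl = max( 1, HOUR_IN_SECONDS - ( $now - $state['start'] ) );
    set_transient( $key, $state, $ttl );

    if ( $state['count'] > CRL_DEMO_LIMIT ) {
        crl_demo_log_blocked_ip( $ip );
        wp_die(
            esc_html__( 'Too many checkout attempts. Please try again later.', 'crl-demo' ),
            esc_html__( 'Too Many Requests', 'crl-demo' ),
            array( 'response' => 429 )
        );
    }
}

function crl_demo_log_blocked_ip( $ip ) {
    $uploads = wp_upload_dir();
    $file    = trailingslashit( $uploads['basedir'] ) . 'blocked-checkout-ips.txt';
    // One line per block: IP, tab, UTC timestamp. The IP was validated above,
    // so it cannot carry newlines or other injected text into the log.
    $line = $ip . "\t" . gmdate( 'Y-m-d H:i:s' ) . "\n";
    file_put_contents( $file, $line, FILE_APPEND | LOCK_EX );
}
```

The transient read-then-write is not atomic, so parallel requests from one IP can be undercounted. Files under wp-content/uploads are normally served by the web server, so the log is readable by anyone who requests its path unless the server is configured to deny it.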


Who It’s For

  • Site owners using Wordfence Free
  • Anyone running WooCommerce and seeing bot-based fake orders
  • Developers who want a simple foundation to expand upon

Features at a Glance

Included features:

  • Blocks excessive checkout usage
  • Logs IPs to a file
  • Easy to install (no settings)
  • WordPress.org compatible
  • Fully open source (GPLv2+)

Download and Installation

You can install the plugin directly from the WordPress admin area (once approved on wp.org), or manually:

  1. Upload the ZIP to /wp-content/plugins/
  2. Activate the plugin
  3. That’s it. It starts working immediately.

Looking Ahead

This is the first public release, but I may expand it over time to:

  • Add admin UI to view blocked IPs
  • Send email alerts when a block occurs
  • Offer automatic Wordfence integration (via API or CLI)

If you use it and find it helpful, let me know!


About the Developer

I’m Dan Slade, founder of PPSH, a UK-based web developer focused on bespoke WordPress and PHP systems. This plugin is one of many tools I’ve built to solve real-world problems for real clients.

Need something custom? Get in touch.