In this article we will see how to provide a very high level of protection to your WooCommerce store with the SaferCheckout plugin.
I will cover both the Free version (available on WordPress.org) and the Premium version (available on NinTechNet.com).
General Settings
Default message
This is the default message to display to blocked customers during the checkout process. It can display up to 300 characters:
Simulation mode
This is a very handy feature if you are testing or debugging SaferCheckout on a live/production site: in simulation mode, SaferCheckout will filter your customer’s order but will not block it, regardless of its risk score. I recommend enabling it for a while when you first install the plugin so that you can tweak its configuration without affecting your customers.
When enabling the Simulation mode, you can also temporarily enable WooCommerce Logger in the Advanced Settings page in order to log all events (actions, notices, warnings and errors) that occurred during the checkout process.
Import/Export Configuration
You can export and import your entire SaferCheckout configuration with this option and share it among all your WooCommerce stores.
SaferCheckout’s rule processing logic
SaferCheckout includes a powerful set of directives and rules that can be used to allow or restrict access to your WooCommerce checkout page, based on many criteria. Before we review them in detail, it is important to understand the rule processing order to make better use of SaferCheckout.
When a customer clicks on the Place Order button during the checkout process, the following actions are performed, in that specific order:
- Pre-filters: Actions taken before filtering the request.
- Whitelists & blacklists: Any match found in one of these lists will either accept or reject the order immediately.
  - IP address whitelist.
  - Email address whitelist.
  - Customer whitelist.
  - Order blacklist.
  - IP address blacklist.
  - Email address blacklist.
  - Address blacklist.
  - Customer blacklist.
- Various filters: They rely mostly on user-configurable risk scores.
  - Rate limiting rules (pro version).
  - Location rules.
  - Bot detection rules (pro version).
  - IP address rules (pro version).
  - Email address rules (pro version).
- Risk score verification: The order will be accepted or rejected depending on the sum of all risk scores.
Risk Score
Action & risk score
These options let you define the risk score range and the action to perform:
- Low and medium: The order will be marked accordingly but SaferCheckout will not block it and will let WooCommerce handle it.
- High: The checkout process will be blocked, i.e., customers won’t be able to place their order and to access your payment processor. SaferCheckout will execute whichever action you have selected in the list.
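The processing order and the score ranges described above can be modelled in a few lines. This is an added example, not SaferCheckout's own code: the thresholds, the `Order` fields and the exact-match lists are constructed, and the treatment of blacklist hits in simulation mode is an assumption.

```python
from dataclasses import dataclass, field

# Constructed thresholds: the plugin lets you choose your own score ranges.
MEDIUM, HIGH = 30, 60

@dataclass
class Order:
    ip: str
    email: str
    name: str
    scores: dict = field(default_factory=dict)  # filter name -> score it added

def evaluate(order, allow=(), block=(), simulation=False):
    """Return (decision, level, reason) for one Place Order request."""
    values = (order.ip, order.email, order.name)
    # Whitelists run first: a match accepts at once, even if a blacklist
    # entry or a high score would otherwise apply.
    if any(v in allow for v in values):
        return ("accept", "whitelisted", "allow-list match")
    # Blacklists run next: a match rejects before any scoring happens.
    hit = next((v for v in values if v in block), None)
    if hit is not None:
        # Assumption: simulation mode also lets blacklisted orders through.
        return ("accept" if simulation else "reject", "blacklisted", hit)
    # Filters only add points; the decision is taken on the sum.
    total = sum(order.scores.values())
    level = "high" if total >= HIGH else "medium" if total >= MEDIUM else "low"
    blocked = level == "high" and not simulation
    return ("reject" if blocked else "accept", level, f"risk score {total}")

def demo():
    """Constructed orders showing each branch."""
    allow, block = {"198.51.100.10"}, {"fraud@example.com"}
    orders = [
        Order("198.51.100.10", "fraud@example.com", "A", {"location": 80}),
        Order("203.0.113.5", "fraud@example.com", "B"),
        Order("203.0.113.6", "c@example.com", "C", {"location": 25, "rdns": 40}),
        Order("203.0.113.7", "d@example.com", "D", {"dnsbl": 35}),
    ]
    return [evaluate(o, allow, block)[0] for o in orders]

if __name__ == "__main__":
    print(demo())
```

The first constructed order shows why whitelist entries deserve care: a whitelisted IP is accepted although its email is blacklisted and its score is high.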
The risk score of each order can be viewed in the WooCommerce Orders page:
More details are available in the SaferCheckout metabox when you are viewing/editing an order:
If you need more details about each transaction, you can also temporarily enable WooCommerce Logger in the Advanced Settings page, in order to log all events (actions, notices, warnings and errors) that occurred during the checkout process.
Payment Methods
Enable SaferCheckout for the following payment methods
This option can be used to select which payment methods should be filtered by SaferCheckout. Make sure to disable the methods that don’t need it (e.g., Cash on delivery).
If you add a new payment method to WooCommerce, it will be automatically appended to this list and enabled by default.
IP Address
This section deals with your customer IP address.
Retrieve IP address from
This option should be used if you are behind a reverse proxy (private/local IP), a load balancer or using a CDN (e.g., Cloudflare), to tell SaferCheckout which IP address it should use. By default, it will rely on REMOTE_ADDR.
If you make changes to your web server, don’t forget to come back to this section and set it up accordingly. If you don’t, SaferCheckout will attempt to detect the correct IP.
Allow/Block the following IP addresses, CIDR or AS number
You can permanently allow or ban an IP address, a whole range of IP addresses or even an AS number (Autonomous System number). If an IP address matches that list, the order is immediately accepted or rejected.
If you need to allow or block an entire entity (ISP, hosting company etc), consider using its AS number instead of IP ranges because it is much simpler and much faster.
Premium options
Reverse DNS lookup
This option will run a reverse DNS lookup on the customer IP address, then will run a forward DNS lookup on the returned domain name to make sure that it matches the IP address. You can also define the risk score to apply.
For instance, the reverse DNS lookup for IP address 198.143.164.252 returns wordpress.org:
$ host -t A 198.143.164.252
252.164.143.198.in-addr.arpa domain name pointer wordpress.org.
Then, a forward DNS lookup on the domain wordpress.org returns 198.143.164.252, which matches the original IP address:
$ host -t A wordpress.org
wordpress.org has address 198.143.164.252
If the IP doesn’t have any rDNS at all, the check will be skipped.
Block the following rDNS
You can permanently block the reverse DNS (domain name) of an IP address, or any part of it. If an rDNS matches that list, the order is immediately rejected.
Example:
218-173-1-18.dynamic-ip.hinet.net
dynamic-ip.hinet.net
tor-exit
tor.node
This is a very handy option to easily block an entire domain or subdomain, TOR exit nodes etc.
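The reverse-then-forward check and the rDNS block list from the two options above, as an added example that is not SaferCheckout's code. The function names and the result labels are hypothetical, and `demo()` uses constructed DNS data so it runs offline.

```python
import ipaddress
import socket

def reverse_lookup(ip):
    """PTR lookup; returns the host name, or None when the IP has no rDNS."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def forward_lookup(host):
    """A/AAAA lookup; returns the addresses the name resolves to."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None)}
    except OSError:
        return set()

def check_rdns(ip, blocked=(), reverse=reverse_lookup, forward=forward_lookup):
    """Return 'skipped', 'blocked', 'mismatch' or 'confirmed' for one IP."""
    host = reverse(ip)
    if not host:
        return "skipped"  # no rDNS at all: the check does not apply
    host = host.rstrip(".").lower()
    # A block-list entry matches the rDNS name or any part of it.
    if any(entry.lower() in host for entry in blocked):
        return "blocked"
    # The PTR record is controlled by whoever owns the IP range, so it only
    # counts once the name resolves back to the same address.
    want = ipaddress.ip_address(ip)
    got = {ipaddress.ip_address(a.split("%")[0]) for a in forward(host)}
    return "confirmed" if want in got else "mismatch"

def demo():
    """Constructed DNS data so the example runs offline."""
    ptr = {"198.143.164.252": "wordpress.org.",
           "203.0.113.7": "wordpress.org.",  # spoofed PTR on an unrelated IP
           "203.0.113.9": "218-173-1-18.dynamic-ip.hinet.net."}
    fwd = {"wordpress.org": {"198.143.164.252"}}
    blocked = ["dynamic-ip.hinet.net", "tor-exit"]
    ips = ["198.143.164.252", "203.0.113.7", "203.0.113.9", "192.0.2.1"]
    return {ip: check_rdns(ip, blocked, ptr.get, lambda h: fwd.get(h, set()))
            for ip in ips}

if __name__ == "__main__":
    print(demo())
```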
DNSBL
A DNSBL (Domain Name System Blacklist) is a service that contains IP addresses identified as sending spam, hosting malicious content, hijacking IP space, or acting like a bulletproof hosting company. This option lets you configure which DNSBL you want to use to check your customer’s IP address as well as the risk score. Currently, SaferCheckout supports Spamhaus and Spamcop DNSBL.
When using Spamhaus, you may face the following error:
Error: Query via public/open resolver (code: 127.255.255.254).
It occurs if you are using a public DNS server; this is to protect Spamhaus’ infrastructure from abuse by large-volume queriers. If that error happens, you can create a free Spamhaus account to get a private key that can be used by SaferCheckout:
1. Go to Spamhaus sign up page.
2. Create a free account.
3. Log in to your account at portal.spamhaus.com.
4. Click on the Products > Data Query Service menu.
5. Copy your 26-character DQS Key as shown below:
6. Open your WordPress wp-config.php configuration script and add the following line of code:
const SAFERCHECKOUT_SPAMHAUS_KEY = 'DQS_KEY_HERE';
Replace DQS_KEY_HERE with your own key.
7. Log in to WordPress, go to WooCommerce > Settings > SaferCheckout > IP Address, and verify that SaferCheckout detected your key:
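How a DNSBL query is built and why the 127.255.255.254 answer must be treated as an error rather than a listing, as an added example that is not SaferCheckout's code. It assumes the Spamhaus ZEN zone (the page does not say which zone the plugin queries) and handles IPv4 only; the function names are hypothetical.

```python
import ipaddress
import socket

# Spamhaus answers in 127.255.255.0/24 report a query problem, not a listing.
ERRORS = {
    "127.255.255.252": "typing error in DNSBL name",
    "127.255.255.254": "query via public/open resolver",
    "127.255.255.255": "excessive number of queries",
}
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def dnsbl_name(ip, dqs_key=None):
    """Name to resolve for an IPv4 address: reversed octets + zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    # Assumption: the ZEN zone; the DQS key, when set, is a label in the zone.
    zone = f"{dqs_key}.zen.dq.spamhaus.net" if dqs_key else "zen.spamhaus.org"
    return ".".join(reversed(octets)) + "." + zone

def classify(answers):
    """Map the A records returned for a DNSBL name to (status, detail)."""
    if not answers:
        return ("clean", "no record")
    for answer in answers:
        if answer in ERRORS:
            return ("error", ERRORS[answer])  # must not raise the risk score
        if ipaddress.ip_address(answer) not in LOOPBACK:
            # A rewriting resolver answered instead of the DNSBL.
            return ("error", f"unexpected answer {answer}")
    return ("listed", ",".join(sorted(answers)))

def resolve(name):
    """A lookup via the system resolver; lookup failures also return []."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def check(ip, dqs_key=None, resolver=resolve):
    """Classify one customer IP; pass a stub resolver to run offline."""
    return classify(resolver(dnsbl_name(ip, dqs_key)))
```

Without the error branch, a store using a public resolver would see every customer IP as listed and apply the DNSBL risk score to all orders.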
Email Address
This section deals with your customer email address.
Allow/Block the following email addresses
You can permanently allow/block an email address or any part of it. If an address matches that list, the order is immediately accepted or rejected.
Example:
[email protected]
foo
@hotmail.com
hotmail
Premium options
Username
This is a great feature: SaferCheckout will connect to the SMTP server of the email address to verify whether the user exists or not. Although it may not always work, it is very effective at detecting fake email addresses.
Domain name
This option lets you verify if the email address of your customer has a proper MX (mail exchanger) record. MX records are used to specify the mail server responsible for receiving emails on behalf of a domain. Without it, an email address can’t receive messages.
Because RFC 5321 § 5.1 states that if a domain has no MX records, delivery must be attempted directly to the host pointed to by the domain’s A/AAAA records, you can select whether the domain must have an MX record (default), or either an MX or A/AAAA record.
Email domain must be older than
This is another unique and great feature of SaferCheckout: some bad actors register domain names and immediately use them to create new email addresses in order to bypass blacklists and filters. If this option is enabled, SaferCheckout will check when the domain name associated with the email address was registered, and will increase the order’s risk score if it is younger than your selected choice.
The risk score will be applied too if the domain is invalid.
Location
Block the following countries & territories
You can select which country or territory you want to block and whether it should apply to the customer’s IP, billing and/or shipping address.
Location matching
You can use those two options to ensure that the country of origin of the customer’s IP address matches the billing country, or that the billing country matches the shipping country. Otherwise, the corresponding risk score will be applied.
Block the following shipping/billing addresses
You can permanently block an address or any part of it. If an address matches that list, the order is immediately rejected. The filtering applies to the following checkout fields: street, apartment, postal/zip code, state, city and phone number.
Example:
Street: 123 Main Street or Main Street
ZIP/post code: 10024
City: Los Angeles or Angel
State: California
Phone: 01632960345 or 016329
This option doesn’t apply to the country. If you want to filter a country, use the above Block the following countries & territories option instead.
Customer
Repeat or recurring customers
This option allows you to immediately accept repeat or recurring customers based on their previous completed orders (wc-completed). It can apply to authenticated and unauthenticated customers.
If a customer is not authenticated, SaferCheckout will search the database by their email address.
Block the following name (first/last, company)
You can permanently block a name (first and last name of a customer, or a company name) or any part of it. If a string matches that list, the order is immediately rejected.
Example:
John Doe
Doe
Acme Limited
Premium options
Bots and user agents
If enabled, this option will attempt to detect bots, scanners and various malicious scripts accessing the checkout page. You can configure the risk score to apply in case of a positive detection.
SaferCheckout can verify the browser’s signature in order to detect some bad actors and their suspicious behavior. You can configure the risk score to apply in case of a positive detection.
Order
Order value limits
This is the minimum and maximum amount that shoppers need to spend to check out successfully; otherwise the order will be rejected.
Order quantity limits
This is the minimum and maximum purchase quantity required for a product across all variations in a single order. If the quantity is outside that range, the order will be rejected.
Premium options
Rate limiting
This option allows you to block velocity attacks, also known as carding attacks. Any user reaching the defined threshold will be banned from placing an order for a certain amount of time. Velocity checks can apply to the user IP address, email address, phone number, customer ID and/or first & last name.
Users temporarily banned by the Rate Limiting option can be unblocked immediately by clicking the “Empty cache now!” button in the “Advanced Settings” section.
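A velocity check keyed on several checkout fields at once, as an added example that is not SaferCheckout's code. The class, its threshold, window and ban values are constructed; it shows why counting per email as well as per IP matters when the IP address changes on every attempt.

```python
import time
from collections import defaultdict, deque

class VelocityLimiter:
    """Sliding-window counter per checkout field, with a temporary ban."""

    def __init__(self, threshold=3, window=600, ban=3600):
        self.threshold, self.window, self.ban = threshold, window, ban
        self.attempts = defaultdict(deque)  # (field, value) -> timestamps
        self.banned_until = {}              # (field, value) -> expiry time

    def check(self, order, now=None):
        """Record one attempt; return the (field, value) blocking it, or None."""
        now = time.time() if now is None else now
        keys = [(f, str(v).strip().lower()) for f, v in order.items() if v]
        for key in keys:
            if self.banned_until.get(key, 0) > now:
                return key
        blocked = None
        for key in keys:
            seen = self.attempts[key]
            while seen and seen[0] <= now - self.window:
                seen.popleft()  # drop attempts older than the window
            seen.append(now)
            if len(seen) >= self.threshold:
                self.banned_until[key] = now + self.ban
                blocked = blocked or key
        return blocked

    def clear(self):
        """Equivalent of emptying the cache: all counters and bans are lost."""
        self.attempts.clear()
        self.banned_until.clear()

def demo():
    """Constructed card-testing pattern: rotating IPs, one reused email."""
    limiter = VelocityLimiter(threshold=3, window=600, ban=3600)
    tries = [("203.0.113.1", 0), ("203.0.113.2", 10), ("203.0.113.3", 20),
             ("203.0.113.4", 100)]
    return [limiter.check({"ip": ip, "email": "Tester@example.com"}, now=t)
            for ip, t in tries]

if __name__ == "__main__":
    print(demo())
```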
Advanced Settings
Hook priority
SaferCheckout hooks into the WooCommerce checkout process in order to filter it. You can use this option to change that hook priority. Lower numbers correspond with earlier execution.
WooCommerce Logger
WooCommerce features a logging system accessible via WooCommerce > Status > Logs, which records errors among other pertinent information. SaferCheckout can use it to record warnings, errors or even all events that occurred during the checkout process. By default, only errors and warnings are logged.
Premium options
Cache
For faster processing, SaferCheckout (Pro version) uses caching. This option lets you clear its cache.
There’s no need to clear the cache, unless you have some errors or you just performed some tests and want to clear them from the cache immediately. SaferCheckout’s garbage collector will handle that for you and will clear the cached data after a certain amount of time.
Users temporarily banned by the Rate Limiting option will be unblocked if the cache is cleared.