Protecting Your WooCommerce Store
Failed orders, fake transactions, and bot-driven checkouts are more than just an annoyance: they waste your time, skew your analytics, and in some cases cost you money in refunds and fraud fees. Checkout Origin Guard is a lightweight plugin that adds an extra layer of protection to your WooCommerce checkout without slowing down your site or your real customers.
This guide will show you how to use Checkout Origin Guard and explain what each setting does.
Getting Started
- Install the plugin in your WordPress admin under Plugins → Add New.
- Once activated, go to WooCommerce → Checkout Origin Guard.
- You’ll see all protection modules on one page, prefilled with sensible defaults.
- Click Save All Changes to confirm, and you’re protected immediately.
Origin Guard Settings
These options harden the checkout process against automated scripts and “drive-by” bots.
- Activate Origin Guard
  Turns the entire origin validation system on or off.
- Minimum Dwell (seconds)
  Forces a short “think time” before checkout can be submitted. Bots usually rush; real customers take at least a few seconds. Default is 8 seconds.
- Rate Limit per IP
  Caps how many checkout attempts a single IP can make within a time window. For example, 6 / 600 means 6 attempts every 600 seconds (10 minutes). If exceeded, new checkouts are blocked until the window resets.
- Require Same-Host Referrer
  Ensures the checkout form was submitted from your own site. Many bots post directly to /?wc-ajax=checkout without ever visiting your pages.
- Require JS Proof
  Adds a hidden JavaScript nonce field to the checkout form. Since most bots don’t execute JS, this weeds them out.
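To make the interaction of these settings concrete, here is an added example (not the plugin's own code) that models the four checks in Python. The class and method names, the order of the checks, the fixed-window counter, and the rule labels are assumptions for illustration; only the default values come from this guide.

```python
from urllib.parse import urlsplit

# Defaults described in this guide.
MIN_DWELL = 8                    # seconds of "think time"
RATE_MAX, RATE_WINDOW = 6, 600   # "6 / 600": 6 attempts per 600 seconds


class OriginChecks:
    """Illustrative model of the settings; hypothetical, not the plugin's implementation."""

    def __init__(self, site_host):
        self.site_host = site_host.lower()
        self.windows = {}  # ip -> (window_start, attempts)

    def rate_limited(self, ip, now):
        # Fixed window (assumption): the count resets once the window has elapsed.
        start, count = self.windows.get(ip, (now, 0))
        if now - start >= RATE_WINDOW:
            start, count = now, 0
        count += 1
        self.windows[ip] = (start, count)
        return count > RATE_MAX

    def same_host(self, referrer):
        # Compare the parsed host exactly. A substring match would wrongly
        # accept a host such as "shop.example.com.other.test".
        host = urlsplit(referrer or "").hostname
        return host is not None and host == self.site_host

    def evaluate(self, ip, referrer, rendered_at, submitted_at, js_proof_ok):
        """Return the label of the first failing rule, or None to allow."""
        if self.rate_limited(ip, submitted_at):
            return "rate_limit"
        if not self.same_host(referrer):
            return "referrer"
        if not js_proof_ok:
            return "js_proof"
        if submitted_at - rendered_at < MIN_DWELL:
            return "dwell"
        return None


if __name__ == "__main__":
    # Constructed sample request: form rendered at t=100, submitted at t=103.
    guard = OriginChecks("shop.example.com")
    print(guard.evaluate("203.0.113.5", "https://shop.example.com/checkout/",
                         100, 103, True))  # dwell
```

In this model every attempt counts toward the rate limit, including attempts that another rule rejects.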
Company Name Guard
This module catches orders with suspicious or junk data in the Company field.
- Activate Company Name Guard
  Enables validation on the company name field.
- Minimum Company Length
  Rejects names that are too short (e.g., “x” or “-”).
- Alpha Ratio Threshold (0–1)
  Measures how many letters are in the name compared to symbols or numbers. For example, a ratio of 0.5 means at least half of the characters must be letters. This blocks garbage like !!!###@@@.
- Company Whitelist
  Add trusted company names here (one per line). Any order from a whitelisted company will always pass validation, even if it doesn’t meet the other rules.
Logs
Every time a checkout is blocked, Checkout Origin Guard records the details:
- Timestamp
- Rule that triggered the block
- Message (e.g., “Failed dwell check” or “Bad referrer”)
- Visitor IP
You can view the most recent 200 entries right on the settings page. If you want to clear them out, click Purge Logs.
Best Practices
- Start with the defaults (8s dwell, 6/600 rate limit, referrer & JS proof enabled).
- Watch the Logs for a day or two. If you see a lot of real customers being blocked, adjust dwell time or disable stricter rules.
- Use the Company Name Guard if you see repeated spammy orders with junk company data.
- Keep your whitelist current so your trusted customers never hit a false block.
Why Use Checkout Origin Guard?
Unlike generic anti-spam plugins, Checkout Origin Guard is built specifically for WooCommerce checkout. It’s lightweight, requires no external service, and defends against the real patterns bots use:
- Empty or spoofed referrers
- Scripted direct checkout posts
- High-frequency requests
- Garbage field data
With it in place, you’ll spend less time dealing with fake orders and more time focusing on real customers.
👉 Ready to protect your store?

Activate WC Origin Guard today, save your settings, and let the plugin quietly handle the bots in the background.