I’m excited to share three things today: a new name, an update on the WordPress Plugin Repository submission, and a roundup of recent improvements.
Why the name change: WC Origin Guard → Checkout Origin Guard
The plugin started life as WC Origin Guard; it now ships as Checkout Origin Guard. The new name says exactly what it does: protect the checkout with lightweight, behavior-based security and practical fraud controls. The scope is the same; the label is clearer for store owners and aligns better with the repository slug and text domain.
Compatibility: Existing installs migrate automatically. Settings keys are preserved; the admin UI remains familiar. If you previously ran WC Origin Guard, you do not need to reconfigure everything.
WordPress Plugin Repository: status and compliance
I’ve submitted Checkout Origin Guard for inclusion in the official repository and am working through final review. To prepare for listing, I tightened compliance across the board. Once the listing is live, you’ll be able to install and update directly from your dashboard. I’ll share the link on michaelwinchester.com as soon as it’s published.
What’s new in the latest builds
The last few cycles focused on reliability, clarity, and the tools you asked for:
- Company Shield upgrades:
- Name heuristics with small dictionaries to flag nonsense or AI-ish “company” strings.
- Email and domain checks: disposable domains, unlikely TLDs, and mismatch signals.
- Tunable scoring with clear reasons in the log.
- BotBlock engine refinements:
- Dwell-time and rate-limit checks with a smarter cooldown.
- Rapid sequence detector for botty re-posts on
/?wc-ajax=checkout. - Search engine and uptime monitor allowances you can toggle.
- Actionable logs:
- Block/Unblock IP links directly on each row; instant effect.
- CSV export for audit trails; simple filters for dates, path, and decision.
- Clear reason codes:
missing_nonce,empty_referrer,referrer_not_allowed,rate_exceeded, and more.
- Settings that actually stick:
- Everything consolidated to a single page; no more state lost between tabs.
- A Populate Defaults button that now preloads sensible, safe options.
- Mode selector: Monitor, Soft Block, or Hard Block; easy to flip while you observe traffic.
- Checkout flow protections:
- Honeypot timestamp, session and nonce validation, optional hold-instead-of-block behavior.
- Optional auto-cancel window for obviously bogus orders; runs via WP-Cron.
Upgrade notes
- Minimums: WordPress 6.0+, WooCommerce current stable, PHP 7.4+ recommended.
- Text domain: If you customized translations, switch to
checkout-origin-guard. - One-page settings: Your previous values are migrated; review defaults once after upgrade.
- Logs UI: You’ll see new reason codes; that’s expected with the enhanced detectors.
What’s next
- A Review Mode that logs and scores but never blocks; perfect for first-week observation.
- Optional email notifications for spikes or rapid sequences.
- More granular allow/deny lists: path-level, CIDR helpers, and saved presets.
- A lightweight Pro add-on for deeper reporting and per-product rules; still keeping the core fast.
Even with multiple layers of defense, some suspicious traffic can still slip through. Bots evolve constantly — mimicking human dwell times, spoofing headers, or routing through clean IP space — and legitimate users sometimes behave unpredictably (VPNs, autofill extensions, or privacy browsers can all look like automation). My goal with Checkout Origin Guard isn’t to promise perfection; it’s to filter out the obvious junk and give store owners visibility into the grey area in between. That’s why the plugin logs every decision, shows the reasoning, and lets you fine-tune the balance between blocking and monitoring instead of relying on a single, rigid rule set.
If you have feedback or sample logs you want me to examine, send them my way; real traffic patterns help me tune the defaults for everyone.
Thanks for following along and for supporting independent plugin development.
— Michael Winchester
POTAR • michaelwinchester.com