Description
Stop fraudulent WooCommerce orders before they’re placed.
Card testers, stolen-card fraudsters, and serial chargeback abusers almost always hide behind VPNs, proxies, Tor, or datacenter IPs. Predax Fraud Guard screens the customer’s IP the moment they check out, scores its fraud risk from 0 to 100, and lets your store tag, hold, or block the order — before payment is taken and before a chargeback can happen.
Think of it as an order guard standing in front of your checkout. You stay in control of every decision: start in tag-only mode to see which orders would have been flagged, then turn on blocking for the risk levels you choose. Screening works with both the classic and block (Store API) checkout.
Fully opt-in: on a fresh install the plugin does nothing — no outbound requests are made until you enter a Predax API key and pick a protection mode. The default mode once configured is tag-only (no blocking), so you can review flagged orders in your dashboard before turning on anything that rejects a customer.
How It Works
- You install and activate the plugin. Nothing happens — the plugin stays dormant until you finish setup.
- You enter a Predax API key (free account available at predax.io).
- You pick a protection mode in Fraud Guard Settings (or in the 3-step setup wizard). Choices: Tag + note, Block high risk, or Block critical only.
- On each WooCommerce checkout after that point, the plugin sends the customer’s IP address to the Predax API, receives back a risk score and signal flags (is_vpn / is_proxy / is_tor / is_datacenter), and tags / holds / blocks the order according to your configuration. Results are cached for up to 5 minutes per IP.
You can revoke the API key or switch the mode back to “Tag only” at any time.
Risk Tagging
Orders that reach the tag threshold (default: risk score 40) are tagged based on band:
- Risk 40–69 — tagged “Predax: Medium Risk” with an order note
- Risk 70–89 — tagged “Predax: High Risk” with an order note
- Risk 90–100 — tagged “Predax: Critical Risk” with an order note
Features
- Checkout screening (after you enable a protection mode) — every order is checked against Predax IP threat intelligence
- VPN / Proxy / Tor / Datacenter flags — detect anonymised connections at checkout
- Risk score threshold blocking — optionally block checkouts above a configurable risk score
- Automatic order hold (opt-in) — move high-risk orders to On Hold for manual review instead of processing them
- Order velocity rules (opt-in) — flag or block customers placing too many orders in a short window
- Billing country vs IP mismatch (opt-in) — flag or block orders where billing country differs from detected IP country
- Disposable email detection (opt-in) — reject checkouts using throwaway email providers (30+ supported)
- Refund / chargeback feedback (opt-in) — when a tagged order is refunded or cancelled, add its IP to your local deny list, and/or report the outcome to the Community Threat Network (when that opt-in is enabled)
- Order meta logging — stores risk score, threat flags, and detected country on every order for WooCommerce reporting
- Events Log — a dashboard page showing blocked attempts and flagged orders
Defaults
All protection toggles default to off on a fresh install. The only thing the plugin writes to options on activation is a database version marker for the events-log table. You will need to explicitly enable any rule you want to apply.
Free Tier
Sign up at predax.io for a free API key. The free plan includes 5,000 IP checks per month with full VPN/proxy/Tor/datacenter detection and risk scoring — no credit card required.
More Power With Paid Plans
The free tier covers a small store comfortably (checkouts are only checked when they happen, and results are cached). Busier stores use up the included checks faster — paid plans raise the monthly limit from 5,000 up to 25,000–25,000,000 IP checks, with higher request rates and bulk lookups. The Fraud Guard settings page shows your live usage each month, so you can see exactly when it’s time to upgrade — same plugin, same settings, just a bigger allowance on your existing API key.
Third Party Services
This plugin connects to external services operated by Predax (https://predax.io) only after you have saved an API key: checkout screening additionally requires a protection mode to be enabled, and the admin-side account-usage lookup (described below) sends no visitor data at all. By activating this plugin and entering an API key you agree to the Predax Terms of Service and Privacy Policy.
You are responsible for ensuring your use of customer IP data at checkout complies with applicable privacy laws (including but not limited to GDPR, CCPA) and your own store’s privacy policy. This plugin does not assert PCI-DSS, GDPR, or CCPA compliance on your behalf.
Predax IP Intelligence API
Used to look up a risk score and classification signals for each checkout IP.
- Data sent: the customer’s IP address at checkout; the browser-reported IANA timezone string (when available on the classic checkout form — used for the timezone-mismatch signal); your custom scoring weights (only if Custom Scoring is enabled).
- What is NOT sent: no billing/shipping names, street addresses, phone numbers, emails, product details, prices, or payment data. The billing-country-mismatch rule compares your order’s billing country against the API’s IP-country result locally — billing details never leave your site.
- When: during WooCommerce checkout validation, and only while a protection mode is saved in settings.
- Caching: classification results are cached in the site’s transients for 5 minutes per IP, so repeat checkouts from the same IP do not generate duplicate API calls.
- Endpoint:
POST https://predax.io/api/v1/check/ip - Service URL: https://predax.io
- Terms of Service: https://predax.io/terms
- Privacy Policy: https://predax.io/privacy
Account Usage Lookup (admin pages only)
Used to show the “API usage this month” meter on the Fraud Guard settings page, and only when an API key is saved.
- Data sent: your Predax API key (as the authentication header). No customer or visitor data is sent.
- When: when an administrator views the Fraud Guard settings page. The result is cached for 1 hour, so at most one lookup per hour regardless of admin page views.
- Endpoint:
GET https://predax.io/api/v1/auth/usage - Service URL: https://predax.io
- Privacy Policy: https://predax.io/privacy
Predax Community Threat Network (opt-in, off by default)
The plugin can optionally send an anonymised telemetry signal — the IP address, its risk score and detection flags, its network (ASN) number and name, its country code, and the checkout outcome (allowed / monitored / blocked, or refund/chargeback feedback) — to the Predax Community Threat Network so all participating stores benefit from a shared feed. The Refund / Chargeback Feedback “Log” action reports through this same channel, so it requires this opt-in; its “Blacklist” action updates your local deny list regardless.
This feature is off by default. It is controlled by the ipsentry_woo_community_enabled option, which defaults to 'no', with a checkbox on the Advanced settings tab. The plugin will not send community-feedback telemetry unless you enable it. Customers’ personal data (names, emails, billing/shipping addresses, order contents) is never included in the telemetry payload.
- Endpoint:
POST https://predax.io/api/v1/telemetry/event - Service URL: https://predax.io
- Privacy Policy: https://predax.io/privacy
OAuth One-Click Connect (optional)
Only triggered when an administrator clicks the Connect with Predax button in the setup wizard. Your browser is redirected to predax.io to authorise the connection, which returns an API key to your site.
- Data sent: your WordPress site URL, site name, and a PKCE state/code-challenge pair. No customer data is involved.
- When: only during the click-to-connect OAuth flow.
- Endpoint:
POST https://predax.io/api/v1/oauth/token - Service URL: https://predax.io
- Privacy Policy: https://predax.io/privacy
Cookies set by this plugin
ipsentry_tz— set on WooCommerce checkout pages (only while an API key is configured) viaassets/js/ipsentry-woo-tz.js. Stores the customer’s browser-reported IANA timezone (string, max 64 chars). Used server-side for the optional timezone-mismatch fraud rule. Expires after 24 hours (max-age=86400),path=/,SameSite=Lax, and markedSecureon HTTPS stores. The plugin reads this cookie only at checkout-validation time.
The plugin does not set any advertising, analytics, or tracking cookies.
Screenshots






Installation
From your WordPress dashboard (recommended)
- Make sure WooCommerce is installed and activated.
- Go to Plugins → Add New Plugin in your WordPress admin.
- Search for “Predax Fraud Guard”.
- Click Install Now, then Activate.
- The Setup Wizard launches on first activation. Either click Connect with Predax for OAuth one-click connection, or enter your API key manually.
- Pick a protection preset (Recommended / Strict / Monitor Only). This is the step where you opt in — IP lookups begin after this point.
- Fine-tune individual rules at Fraud Guard Settings any time.
Manual installation
- Download the plugin ZIP from this page and upload it via Plugins → Add New Plugin → Upload Plugin (or extract the
predax-fraud-guard-for-woocommercefolder to/wp-content/plugins/). - Activate the plugin through the Plugins menu and follow the Setup Wizard.
FAQ
-
How is this different from other WooCommerce anti-fraud plugins?
-
Most anti-fraud plugins score orders using rules about the order itself — mismatched names, order size, email patterns. Predax Fraud Guard adds the signal those rules can’t see: live IP intelligence. It knows whether the customer is connecting through a VPN, proxy, Tor, or a datacenter server right now, backed by a continuously-updated commercial threat database — the same signal used to catch card testing and stolen-card fraud before payment is taken. It works well alongside rule-based fraud plugins and payment-processor screening such as Stripe Radar, and alongside security plugins like Wordfence (which protect your site, not your checkout).
-
Does the plugin phone home before I finish setup?
-
No. Before you enter an API key and save a protection mode, the plugin makes zero outbound requests to predax.io. Nothing happens silently on activation.
-
Will it block legitimate customers?
-
Only if you enable a blocking mode. Until you complete setup, the mode is Tag only (no blocking — orders just get tags and notes). In the setup wizard, the pre-selected Recommended preset enables blocking of high-risk checkouts (risk score 50+); choose Monitor Only instead if you don’t want any blocking yet — each preset card lists exactly what it switches on.
-
What is the risk score?
-
A score from 0 to 100 representing how likely an IP is to be associated with fraud, anonymisation, or abuse. 0 = clean residential IP, 100 = known Tor exit or commercial VPN. The score combines VPN/proxy/Tor detection, datacenter identification, historical abuse signals, and geographic heuristics.
-
Does it work with Cloudflare?
-
Yes — enable Fraud Guard Settings Advanced “Behind a proxy / CDN” (or the same toggle on the WooCommerce Predax tab). With it on, the plugin reads the real customer IP from the
CF-Connecting-IP/X-Forwarded-Forheaders instead of the Cloudflare edge IP. It is off by default: when your store connects directly to visitors, trusting those headers would let a customer spoof their IP to bypass fraud checks, so you only turn it on when a proxy/CDN really is in front of your site. -
How do I test it without affecting real customers?
-
Fraud Guard Settings Developer tab enter a Test IP Override. Every checkout is then evaluated as if it came from that IP. A red admin banner reminds you test mode is active. Clear the override before going live.
Use
185.220.101.1(risk 85, Tor-adjacent) to exercise blocking paths, or1.1.1.1to verify pass-through. -
What order metadata is stored?
-
On each tagged order the plugin stores:
_ipsentry_risk_score— numeric risk score (0–100)_ipsentry_ip— detected customer IP_ipsentry_country_code— detected IP country code_ipsentry_flags— comma-separated threat flag list
-
Does it work alongside the Predax Security plugin?
-
Yes. The plugins are independent but complementary — Security protects logins and registrations, Fraud Guard protects WooCommerce checkout. Both can share the same API key.
Reviews
There are no reviews for this plugin.
Contributors & Developers
“Predax Fraud Guard for WooCommerce” is open source software. The following people have contributed to this plugin.
ContributorsTranslate “Predax Fraud Guard for WooCommerce” into your language.
Interested in development?
Browse the code, check out the SVN repository, or subscribe to the development log by RSS.
Changelog
1.7.1
- New: live API usage meter on the Fraud Guard settings page — shows your monthly IP-check usage against your plan’s quota (fetched hourly), with an upgrade link when you’re above 80%.
- New: quota notice — if your plan’s monthly IP checks run out (checkout screening pauses and orders are allowed through until the quota resets), the plugin now tells you on its admin pages instead of failing silently. Dismissible per month.
- New: API circuit-breaker — if the Predax API becomes slow or unreachable, checkouts now fail open instantly after a few consecutive failures instead of each waiting on the timeout, and the settings page shows an “API degraded” indicator. The API request timeout was lowered from 8s to 3.5s, so even a first failure delays a checkout far less.
- Privacy: customer emails in the Events Log are now masked before storage (“bi***@example.com”). Enough to recognise a repeat customer; the linked order still holds the full email. Existing rows are untouched and age out via the log retention setting.
- Performance: the IP allow/deny list options no longer autoload on every page request (the deny list can grow via the chargeback auto-append). A one-time migration updates existing installs.
- Docs: installation instructions rewritten for installing from the WordPress.org plugin directory; added a section on free vs paid plan limits.
1.7.0
- Rebrand: IPSentry is now Predax. This is the first WordPress.org release of the WooCommerce plugin. The plugin name, admin menu, and links now use Predax (predax.io). Your existing settings, API key, and order data are preserved — internal option names are unchanged, so nothing needs reconfiguring.
- Admin menu moved to a lower position so it no longer sits among the core WordPress menu items.
- Compliance: the OAuth-callback exit page now registers and prints its CSS/JS through the WordPress script API (wp_register_style/wp_register_script + wp_print_styles/wp_print_scripts) instead of hand-written tags. The WooCommerce settings save and checkout timezone read run inside WooCommerce’s own nonce-verified flows and carry inline justifications for the static analyser.
- Compatibility: declared WooCommerce High-Performance Order Storage (HPOS) compatibility.
- Fix: the order-velocity time window now uses a timestamp-based date query (the previous datetime-string form could be misread by WooCommerce and count orders outside the window).
- Hardening: checkout error notices are HTML-escaped before being added; the settings-import upload is capped at 512 KB with bounded JSON depth; the API base URL accepts http/https only; the timezone cookie is marked Secure on HTTPS stores; the Store API block path gained an explicit return after blocking.
- Clarity: Refund / Chargeback Feedback labels and docs now state that “Log” reports go through the Community Threat Network opt-in; the readme documents exact API endpoints and the full telemetry data list.
- New: IP allow-list (never block trusted IPs) and a managed deny-list, both supporting single IPs and CIDR ranges (IPv4 + IPv6), editable from the settings page and the WooCommerce Predax tab.
- New: the Community Threat Network opt-in is now a settings toggle (still off by default) instead of import/export only.
- New: Events Log retention setting (default 90 days; 0 = keep forever) with automatic daily cleanup, plus a 7-day/all-time stats summary, CSV export, and a Clear Log button.
- New: “Behind a proxy / CDN” setting (off by default). Enable it when your store is behind Cloudflare, a CDN, or a reverse proxy so the real customer IP is read from forwarded headers; when off, only the direct connection IP is used, so the customer IP cannot be spoofed to bypass fraud checks.
- Security: the Events Log CSV export now neutralises spreadsheet formula-injection — a billing email such as “=…@example.com” can no longer execute as a formula when the export is opened in Excel/Sheets.
- Fix: the “Flag for review” action on the velocity, disposable-email, and billing-country-mismatch rules now reliably tags the order, adds the order note, and writes the Events Log entry (previously these markers could be dropped on processed orders).
- Fix: a critically-risky IP (risk score 90+) is now always blocked while a blocking mode is active, even when its VPN/proxy category is set to Monitor.
- Fix: the WooCommerce Predax settings tab now saves correctly (removed an invalid nested import form; import is now on the Fraud Guard Developer page).
- Hardening: /0 (match-all) entries are rejected in the IP allow/deny lists, and uninstall now cleans every site on a multisite network.
- No change to the opt-in model — the plugin still makes zero outbound requests until you enter an API key and save a protection mode.
1.6.2
- Compliance: community-feedback telemetry is now explicitly opt-in (off by default) behind a new
ipsentry_woo_community_enabledoption. Existing installs stop sending telemetry until they flip this on. - Compliance: all phoning-home defaults flipped to off —
block_proxy,block_tor, andmonitor_vpndefault to'no'on fresh installs. - Compliance: removed the self-hosted plugin updater class per WP.org Guideline 8.
- Compliance: extracted every inline
<script>/<style>block to enqueued asset files. OAuth-callback exit page now references an external CSS/JS pair. - Compliance: Privacy Policy content hook (
wp_add_privacy_policy_content) so admins can pull suggested text from Tools Privacy. - Compliance: Setup-wizard privacy-disclosure boxes added above OAuth button, manual API-key field, and preset-picker cards.
- Compliance: nonce-before-cap order fixed on every admin-post and AJAX handler.
- Compliance: input sanitisation tightened on every
$_GET/$_POST/$_FILESread; imported settings values now validated per option type. - Compliance: Test-mode admin notice now scoped to Predax pages only (not global).
- Added:
uninstall.phpdrops the events-log table and deletes everyipsentry_woo_*option on plugin deletion. - Added:
Domain Path: /languagesheader + minimal .pot translation template. - Added:
.distignoreexcluding dev artefacts from the WP.org zip. - No behaviour change for existing installs other than the community-feedback gate — core IP checking still works as before.
1.6.1
- Improved: OAuth connect popup now auto-closes reliably after authorization.
- Improved: Per-user OAuth transients prevent conflicts on multi-admin sites.
1.6.0
- New: Setup Wizard — guided 3-step setup on first activation with fraud protection presets (Recommended, Strict, Monitor Only).
- New: One-Click Connect — click “Connect with Predax” in the setup wizard to link your store via OAuth. No API key to copy or paste.
- New: “Run Setup Wizard” link in Developer tab to re-run the wizard at any time.
1.5.0
- New: Events Log admin page (Predax Events Log) — two tabs showing blocked checkout attempts and flagged/held orders with IP, risk score, flags, reason, and order links.
- New: Predax risk column on WooCommerce Orders list — shows colour-coded score badge and top threat flag.
- Improvement: Orders now store a combined
_ipsentry_flagsmeta key for quick flag lookup.
1.4.3
- New: Dedicated settings page under Predax Fraud Guard in the WordPress admin left nav — same tabbed UI as the Security plugin.
1.4.2
- New: Settings import/export — back up your configuration or copy it between sites.
- New: Support Email field — if set, checkout block error messages include a “Contact us at…” line.
1.4.1
- Fix: VPN/proxy customers set to Monitor mode were incorrectly blocked by the risk threshold.
1.4.0
- New: Automatic order hold, order velocity rules, billing country vs IP mismatch, disposable email detection, refund/chargeback feedback, test IP override.
1.3.0
- New: Off/Monitor/Block radio groups for VPN, proxy, and Tor.
- New: Custom risk scoring weights — adjust per-signal contribution to the final risk score.
1.2.0
- New: Country-based blocking at checkout. Whitelist support. API timeout handling.
1.1.0
- New: Configurable risk threshold. Order meta. Detailed order notes.
1.0.0
- Initial release. Tag-only fraud screening at checkout. VPN / proxy / Tor / datacenter detection.
