Fraud Prevention: How to limit orders in WooCommerce by IP

After dealing with a bout of credit card fraud, in which a malicious 'customer' attempts several hundred purchases with various credit cards, we created this simple script to limit the amount of orders per IP address.

Credit Card Fraud is a serious problem. One issue many online stores face is Credit Card 'scanning' in which a malicious user attempts to make a bunch of purchases with a list of stolen credit card numbers. Their goal is to 'test' each card number to see if it will work, and they have no qualms about using YOUR store to do it.

Now there are plugins out there that can do this sort of thing, but it’s such an easy thing to DIY, I figured I share my strategy. For ease of use you may copy/paste these snippets into your functions.php file, or copy and paste this code into your own plugin.

In the code below you may want to customize two items:

  1. The Time period in which to count orders – by default this script uses 24 hours, or 86400 seconds.
  2. The limit you’d like to cap out at – by default this limit is 5 orders per IP for the time period defined above.
add_action('woocommerce_checkout_process', function () {
    $limit = 5;

    $recentOrdersForIP = wc_get_orders(array(
        'date_created'        => '>=' . (time() - 86400), // 1 day in seconds. Edit as you require.
        'customer_ip_address' => WC_Geolocation::get_ip_address(),
        'paginate'            => true  // adds a total field to the results

    if($recentOrdersForIP->total >  $limit ) {
        wc_add_notice('Sorry, there have been too many orders placed in a short period of time. Please return later.', 'error');

}, 10, 0);