Creating WooCommerce Checkout Rate Limiting

3 minute read, 2 if you're quick

If you have read another one of my posts about Stop Fake Spam WooCommerce Orders you will know how important it is to secure your Woocommerce - in fact any website platform - checkout page from bots testing their stolen credit cards.
That's right, one of the most common ways for thieves to test if their stolen credit cards are still active is to try and buy something from a website, like yours. Times the amount of cards they have by 1000s and they have a big job on their hands.
That is why they use a bot to crawl the web finding unsecured sites to test the cards on (once they know the card works they will use it for a bigger purchase most likely elsewhere) so they know which cards are still active and not cancelled by the owner.

As mentioned above my other post has some great suggestions on securing your site for fake orders and is well worth a read as I have provided the code to use on your own site, which is what I will be doing here too.

Creating a rate limiting by IP address simply means if someone is trying a credit card on your checkout page with the same IP address more than 10 times in 1 minute then display a message or better still send them to another page - which is what I do.
You can decide how many tries in how many seconds, you will see in the code where to change.
Speaking of code let's get to it.

Below is a function to add to your WordPress functions.php file that will check the IP address of every order. I have added the JavaScript in the same function for ease here but you can move that to another separate file or on the checkout file.

function check_checkout_rate_limit() {
    jQuery(document).ready(function($) {
	// Disable the "Place Order" button after submission
	$('form.checkout').on('submit', function() {
	    $('form.checkout').find('button[type="submit"]').prop('disabled', true);
    // Get the current user's IP address
    $user_ip = $_SERVER['REMOTE_ADDR'];

    // Set the rate limit values
    $rate_limit = 10; // Maximum number of requests allowed within the time frame (e.g., 10 requests)
    $time_frame = 60; // Time frame in seconds (e.g., 60 seconds)

    // Generate a unique key for the user's IP address and the current page
    $rate_limit_key = 'rate_limit_' . $user_ip . '_checkout';

    // Get the current request count for the user
    $request_count = get_transient($rate_limit_key);

    // Check if the rate limit has been reached
    if ($request_count >= $rate_limit) {

	// User has exceeded the rate limit, redirect to a landing page

    // Increment the request count by 1

    //Store the updated request count with an expiration time equal to the time frame
    set_transient($rate_limit_key, $request_count, $time_frame);
add_action('woocommerce_before_checkout_form', 'check_checkout_rate_limit');

Don't forget to change the landing page path and your limits. If you want to share on social media feel free, the more people know the better for everyone.
If you have any questions connect with me on social media, links are below.