# Agency runbook — WooCommerce card testing in 48 hours

## Day 1 — morning (2 h)

1. **Client email:** "Does your store show these 5 card testing signs?" (attach checklist)
2. Install **WC API Rate Limiter by Volade** on staging
3. Export gateway logs (last 7 days) — look for payment decline bursts
4. Apply **Card testing shield** preset
5. Note ERP / middleware server IP for allowlist

## Day 1 — afternoon (3 h)

6. Fire 15 REST calls to `/wc/v3/orders` → confirm **HTTP 429**
7. Place a real test checkout order — must succeed
8. If headless: test product import — switch to **Agency** preset if false positives
9. Enable 429 log + pilot JSON export
10. Site Health → WARL check

## Day 2 — morning (2 h)

11. Production deploy (15 min window)
12. Allowlist agency + client office IPs
13. `wp warl status` — screenshot for client file
14. Set monitoring alert (uptime or host logs)

## Day 2 — afternoon (1 h)

15. Client debrief: signs detected / active measures
16. Gateway recommendations (3-D Secure, Stripe Radar rules)
17. Monthly 429 log review scheduled
18. Quote ongoing WooCommerce security maintenance if chargebacks active

## Handoff email script

> Hello,
>
> We audited {store}'s **WooCommerce REST API** exposure and deployed targeted rate limiting on sensitive routes (orders, customers, coupons).
> On staging: {X} requests blocked in tests, legitimate checkout validated.
> Next step: 7-day monitoring of the 429 log and threshold tuning if needed.
>
> JSON export attached — **Card testing** preset documented in your runbook.
