WC API Rate Limiter by Volade
Stop card testing on the WooCommerce REST API.
WC API Rate Limiter by Volade applies quotas on REST + Store API checkout — fingerprint, 5 presets, blocked-request log and free JSON export. No external WAF required.

5 presets, anti-rotating-IP fingerprint, Store API sync and 429 log — no account.
5
Presets
30
Req/min (card testing)
JSON
Export free
429
Response standard
En bref
WooCommerce stores expose a powerful REST API — and card-testing bots exploit it. No WordPress plugin cleanly rate-limits `/wc/v3/orders` or `/customers` without an external WAF. WC API Rate Limiter by Volade applies per-IP sliding-window quotas, four presets (card testing, standard, agency, API keys), a 429 log and free JSON export. IP allowlist, per-route rules and CSV with a connected Volade account; multisite rollup and WP-CLI on V+.
Screenshots
Full-page real admin UI — presets, diagnostics and detailed settings.

Why the WooCommerce API is a target
Card testing, catalog scraping, accidental headless load — no native WooCommerce limits.
The problem: open API, zero quota
WooCommerce exposes orders and customers over REST — bots abuse it.
Card testing, customer enumeration, catalog scraping: your host sees thousands of POSTs on `/wc/v3/orders` before chargeback alerts.
- WooCommerce core: REST auth, but no built-in rate limiting
- Cloud WAF: perimeter-effective, often blind to per-route WC nuance
- Custom mu-plugins: fragile, unmaintained, no usable log
- Disabling REST: breaks headless, mobile apps and legit integrations
- Generic security plugins: do not target `/wc/v3/` with e-commerce presets
The WC API Rate Limiter answer
WooCommerce-native REST quotas — lightweight, logged, agency-ready.
A Volade plugin that limits per IP and sliding window, logs 429s and ships four business presets — no account for essentials.
- Card testing preset: REST + Store API checkout, hybrid fingerprint, WC native sync
- Card testing MAX: 15 req/min POST-only, pure fingerprint, connected auto-ban
- Scopes: card shield, sensitive, Store API, all WC, orders or customers
- Block log with IP, route, method and count/limit ratio
- Free JSON export — CSV and IP allowlist with Volade account
- X-RateLimit-Remaining headers for headless integrations
- wp warl status | export | clear — Site Health and WP-CLI
5 presets, zero guesswork
Card testing, Card testing MAX, standard, agency or API keys — REST + Store API.
Card testing shield
REST + Store API, hybrid fingerprint, WooCommerce sync — first line of defense.
RecommendedCard testing MAX
15 req/min POST-only, pure fingerprint, auto-ban — active rotating-IP attacks.
UrgentWooCommerce standard
120 req/min on all `/wc/` routes — solid production default.
Live storeAgency multi-store
300 req/min with logging — staging imports without false positives.
AgencyAPI keys only
500 req/min authenticated, anonymous capped at 60.
Headless4 protection scopes
From sensitive checkout to all `/wc/` — choose what bots can hit.
Orders, customers, coupons, payment gateways — card testing target.
Full `/wc/` prefix — broad catalog and settings protection.
Only `/wc/v3/orders` — checkout and order creation.
Only `/wc/v3/customers` — enumeration and account creation.
Start with wc_sensitive in production — widen only if integrations require it.
Real scenarios
What merchants see after enabling.
B2C card testing
Before: 200 POST/min on orders from 3 IPs — chargebacks 48h later
After: 429 at 30 req/min, IPs logged, JSON export to host
Fewer chargebacks
Agency headless + Woo
Before: Staging overloads prod via unthrottled API sync
After: Agency preset 300/min + office IP allowlist
Stable sync
Dokan marketplace
Before: Vendor scraping via customers API
After: Customers scope + 7-day log
Data protected
The API protection WooCommerce never shipped
Native REST quotas inside WordPress — not a cloud WAF, not fragile mu-plugin code.
Per-IP quotas
Configurable sliding window — WordPress transients, no Redis required.
4 presets
Card testing, standard, agency, API keys — one click in admin.
429 log
IP, route, method, user agent and count/limit — exportable.
JSON export
Free incident report — CSV and filters with Volade account.
IP allowlist
Office, staging, ERP partner — bypass without disabling the plugin.
Site Health
Direct test in Tools → Site Health — blocked/allowed 24h.
WP-CLI
warl status, export, clear — agency scripts and CI.
Volade SDK
Discover, XP, V+ premium — same charter as other Volade extensions.
Pair with your host WAF — WARL targets WooCommerce REST routes from inside WordPress.
Honest comparison
WARL vs cloud WAF vs bare REST vs custom code.
| Feature | WARL | Cloud WAF | WC REST only | Custom code |
|---|---|---|---|---|
| Limites sur /wc/v3/orders | ~ | ~ | ||
| Presets card testing | ~ | |||
| Journal blockings exploitable | ~ | ~ | ||
| Export JSON sans compte | ||||
| Allowlist IP par route | ~ | |||
| Store API checkout sync | ~ | ~ | ~ | |
| Fingerprint (rotating IP) | ~ | ~ | ||
| Temporary IP auto-ban | ~ | ~ | ||
| Sans infra externe | ||||
| Cost | Free | $$$ | Free | Temps dev |
WARL complements a WAF — it knows WooCommerce routes and card testing presets.
Three tiers, one plugin
Limits, presets and JSON free without account. Volade account and V+ for allowlist, routes and multisite.
No account
- 4 presets
- Core limits
- 100-entry log
- JSON export
- Site Health
Volade account
- IP allowlist
- Per-route rules
- CSV export
- X-RateLimit headers
- 1,000-entry log
V+ Premium
- 10,000-entry log
- WP-CLI bulk
- Multisite rollup
- Premium on full roadmap
- Priority support
WP-CLI and multisite to audit blocks across every store in the network.
WP-CLI
Automate status and exports over SSH — agency-friendly.
wp warl status wp warl export --file=blocked.json wp warl clear --yes
Multisite
V+ centralizes block visibility across every site in the network.
- Network dashboard (V+)
- Consolidated export
- Synced presets
- API load alerts
Download
Install the ZIP, apply Card testing shield — first protection in under two minutes.
ZIP with embedded Volade SDK — enable under Volade → API Rate Limiter (or WooCommerce → API Rate Limiter).
- 1Plugins → Add New → Upload → select ZIP → Activate
- 2Volade → API Rate Limiter (or WooCommerce → API Rate Limiter)
- 3Apply Card testing shield → watch the log → export JSON if needed
First limit active in under 2 minutes
FAQ
WAF, WooCommerce REST, card testing, Volade account and V+.
No — WARL is WooCommerce-native. Keep your WAF; add WARL for `/wc/` routes and business logging.
Free vs V+ Premium
The extension works without an account. V+ unlocks premium on this extension and the full catalog.
| Feature | Free | V+ |
|---|---|---|
| 4 presets & core rate limits | ||
| Blocked-request log & JSON export | ||
| Site Health & WC REST scopes | ||
| Per-route rules & IP allowlist | ||
| CSV export & X-RateLimit headers | ||
| WP-CLI bulk & multisite rollup |
Reviews, discussions & updates
Share your experience with WC API Rate Limiter by Volade and follow the latest releases.
Protect your WooCommerce API
Download WC API Rate Limiter by Volade v1.0.0 — Card testing preset in one click, no signup.
Download v1.0.0