Catalog
Security · WooCommerce

WC API Rate Limiter by Volade

Stop card testing on the WooCommerce REST API.

WC API Rate Limiter by Volade applies quotas on REST + Store API checkout — fingerprint, 5 presets, blocked-request log and free JSON export. No external WAF required.

v1.0.0WordPress 6.0+PHP 7.4+No account required
Not rated yet0 views0 downloads
Download v1.0.0Escaneo de VirusTotal…See features
WC API Rate Limiter by Volade
Captura 1 — WC API Rate Limiter by Volade

5 presets, anti-rotating-IP fingerprint, Store API sync and 429 log — no account.

5

Presets

30

Req/min (card testing)

JSON

Export free

429

Response standard

En bref

WooCommerce stores expose a powerful REST API — and card-testing bots exploit it. No WordPress plugin cleanly rate-limits `/wc/v3/orders` or `/customers` without an external WAF. WC API Rate Limiter by Volade applies per-IP sliding-window quotas, four presets (card testing, standard, agency, API keys), a 429 log and free JSON export. IP allowlist, per-route rules and CSV with a connected Volade account; multisite rollup and WP-CLI on V+.

Capturas de pantalla

Interfaz de administración real a página completa — ajustes preestablecidos, diagnósticos y configuraciones detalladas.

Captura 1 — WC API Rate Limiter by Volade

Why the WooCommerce API is a target

Card testing, catalog scraping, accidental headless load — no native WooCommerce limits.

The problem: open API, zero quota

WooCommerce exposes orders and customers over REST — bots abuse it.

Card testing, customer enumeration, catalog scraping: your host sees thousands of POSTs on `/wc/v3/orders` before chargeback alerts.

  • WooCommerce core: REST auth, but no built-in rate limiting
  • Cloud WAF: perimeter-effective, often blind to per-route WC nuance
  • Custom mu-plugins: fragile, unmaintained, no usable log
  • Disabling REST: breaks headless, mobile apps and legit integrations
  • Generic security plugins: do not target `/wc/v3/` with e-commerce presets

The WC API Rate Limiter answer

WooCommerce-native REST quotas — lightweight, logged, agency-ready.

A Volade plugin that limits per IP and sliding window, logs 429s and ships four business presets — no account for essentials.

  • Card testing preset: REST + Store API checkout, hybrid fingerprint, WC native sync
  • Card testing MAX: 15 req/min POST-only, pure fingerprint, connected auto-ban
  • Scopes: card shield, sensitive, Store API, all WC, orders or customers
  • Block log with IP, route, method and count/limit ratio
  • Free JSON export — CSV and IP allowlist with Volade account
  • X-RateLimit-Remaining headers for headless integrations
  • wp warl status | export | clear — Site Health and WP-CLI

5 presets, zero guesswork

Card testing, Card testing MAX, standard, agency or API keys — REST + Store API.

Recommended🛡️

Card testing shield

REST + Store API, hybrid fingerprint, WooCommerce sync — first line of defense.

Recommended
🚨

Card testing MAX

15 req/min POST-only, pure fingerprint, auto-ban — active rotating-IP attacks.

Urgent
🛒

WooCommerce standard

120 req/min on all `/wc/` routes — solid production default.

Live store
🏢

Agency multi-store

300 req/min with logging — staging imports without false positives.

Agency
🔑

API keys only

500 req/min authenticated, anonymous capped at 60.

Headless

4 protection scopes

From sensitive checkout to all `/wc/` — choose what bots can hit.

Sensitive

Orders, customers, coupons, payment gateways — card testing target.

All WC

Full `/wc/` prefix — broad catalog and settings protection.

Orders

Only `/wc/v3/orders` — checkout and order creation.

Customers

Only `/wc/v3/customers` — enumeration and account creation.

Start with wc_sensitive in production — widen only if integrations require it.

Real scenarios

What merchants see after enabling.

B2C card testing

Before: 200 POST/min on orders from 3 IPs — chargebacks 48h later

After: 429 at 30 req/min, IPs logged, JSON export to host

Fewer chargebacks

Agency headless + Woo

Before: Staging overloads prod via unthrottled API sync

After: Agency preset 300/min + office IP allowlist

Stable sync

Dokan marketplace

Before: Vendor scraping via customers API

After: Customers scope + 7-day log

Data protected

The API protection WooCommerce never shipped

Native REST quotas inside WordPress — not a cloud WAF, not fragile mu-plugin code.

Per-IP quotas

Configurable sliding window — WordPress transients, no Redis required.

4 presets

Card testing, standard, agency, API keys — one click in admin.

429 log

IP, route, method, user agent and count/limit — exportable.

JSON export

Free incident report — CSV and filters with Volade account.

IP allowlist

Office, staging, ERP partner — bypass without disabling the plugin.

Site Health

Direct test in Tools → Site Health — blocked/allowed 24h.

WP-CLI

warl status, export, clear — agency scripts and CI.

Volade SDK

Discover, XP, V+ premium — same charter as other Volade extensions.

Pair with your host WAF — WARL targets WooCommerce REST routes from inside WordPress.

Honest comparison

WARL vs cloud WAF vs bare REST vs custom code.

FeatureWARLCloud WAFWC REST onlyCustom code
Limites sur /wc/v3/orders~~
Presets card testing~
Journal blockings exploitable~~
Export JSON sans compte
Allowlist IP par route~
Store API checkout sync~~~
Fingerprint (rotating IP)~~
Temporary IP auto-ban~~
Sans infra externe
CostFree$$$FreeTemps dev

WARL complements a WAF — it knows WooCommerce routes and card testing presets.

Three tiers, one plugin

Limits, presets and JSON free without account. Volade account and V+ for allowlist, routes and multisite.

Free

No account

  • 4 presets
  • Core limits
  • 100-entry log
  • JSON export
  • Site Health
Connected

Volade account

  • IP allowlist
  • Per-route rules
  • CSV export
  • X-RateLimit headers
  • 1,000-entry log
V+

V+ Premium

  • 10,000-entry log
  • WP-CLI bulk
  • Multisite rollup
  • Premium on full roadmap
  • Priority support

WP-CLI and multisite to audit blocks across every store in the network.

WP-CLI

Automate status and exports over SSH — agency-friendly.

wp warl status
wp warl export --file=blocked.json
wp warl clear --yes

Multisite

V+ centralizes block visibility across every site in the network.

  • Network dashboard (V+)
  • Consolidated export
  • Synced presets
  • API load alerts
Descarga verificada

Download

Install the ZIP, apply Card testing shield — first protection in under two minutes.

ZIP with embedded Volade SDK — enable under Volade → API Rate Limiter (or WooCommerce → API Rate Limiter).

Download v1.0.0wc-api-rate-limiter-by-volade-1.0.0.zip
  1. 1Plugins → Add New → Upload → select ZIP → Activate
  2. 2Volade → API Rate Limiter (or WooCommerce → API Rate Limiter)
  3. 3Apply Card testing shield → watch the log → export JSON if needed

First limit active in under 2 minutes

Escaneo antivirus en curso…

FAQ

WAF, WooCommerce REST, card testing, Volade account and V+.

No — WARL is WooCommerce-native. Keep your WAF; add WARL for `/wc/` routes and business logging.

Free vs V+ Premium

The extension works without an account. V+ unlocks premium on this extension and the full catalog.

FeatureFreeV+
4 préréglages & limites de base
Journal requêtes bloquées & JSON
Site Health & scopes WC REST
Règles par route & allowlist IP
Export CSV & en-têtes X-RateLimit
WP-CLI bulk & rollup multisite

WC API Rate Limiter by Volade

Free download · V+ optional

Download v1.0.0V+
Community

Comunidad

Share your experience with WC API Rate Limiter by Volade and follow the latest releases.

Protect your WooCommerce API

Download WC API Rate Limiter by Volade v1.0.0 — Card testing preset in one click, no signup.

Download v1.0.0

Compte Volade ou V+ Premium ? Optionnel · Tarifs