WooCommerce Protection with ShieldPRO

ShieldPRO provides advanced protection for WooCommerce stores by integrating with all user forms to prevent bots, spam, fake orders, and fraudulent activity. Using silentCAPTCHA, ShieldPRO’s invisible antibot technology, it blocks automated attacks while distinguishing between bots and legitimate users. Combined with optional Two-Factor Authentication (2FA), this keeps your store secure without affecting customer experience.

How silentCAPTCHA Protects WooCommerce

Once the WooCommerce integration is enabled and the relevant forms are selected, silentCAPTCHA protects your store, including checkout, login, registration, lost password, and social login forms. It helps:

  • Block bots from automating checkout orders and fake purchases
  • Prevent automated spam registrations and fake accounts
  • Stop automated login attempts
  • Stop automated lost password requests
  • Protect WooCommerce social login forms

Learn more about silentCAPTCHA here.

How To Start Protecting WooCommerce

To get started, first enable the integration by following the steps below.

  1. Navigate to the ShieldPRO main menu > Tools > Integrations section.
  2. Select "WooCommerce" under the "3rd Party User Forms Bot Checking" tab, as shown in the screenshot below.
  3. Click to save settings.

Enable WooCommerce integration

Once enabled, ShieldPRO applies silentCAPTCHA to your WooCommerce forms.

For full protection, select the user forms you want to protect in the Login Zone, including login, registration, lost password, and checkout (checkout is included by default).

How To Protect WooCommerce User Forms

To do this, please follow these steps:

  1. Go to the main Security Zones navigation menu > select Login Zone.
  2. Click the gear icon next to the "Limit Attempts: Login, Register & Lost Password Forms" component.
  3. Select the Brute Force Protection tab.
  4. Select user forms from the Protected Forms list.
  5. Click to save settings

    (see the screenshot below)

Note: We highly recommend selecting all forms: login/registration/lost password. This will also protect your WooCommerce checkout form, as silentCAPTCHA is automatically applied to all ShieldPRO sites.

Protect WooCommerce forms

For detailed instructions, you can visit the Protection Locations Forms guide here.

Protecting these forms helps prevent automated login attempts, fake registrations, spam password resets, and fraudulent checkout orders.

Once integration is enabled and the user forms are selected (checkout included), Shield’s silentCAPTCHA antibot system will monitor and keep your store protected from bots and fake orders while letting legitimate customers browse and use your store normally.

How To Monitor WooCommerce Protection

You can monitor and confirm ShieldPRO's silentCAPTCHA is protecting your WooCommerce forms by using your WP Activity Log.

Note: Please ensure that the Activity Log "Info" logging level is enabled. From Shield's main navigation menu, click the gear icon next to the "Activity Logs" section and open the WordPress Activity tab, as shown in the screenshot below.

WP Activity Log "Info" level

Example: When someone attempts to log in through your WooCommerce login form, silentCAPTCHA evaluates the request and the WP Activity Log logs it. You may see entries like:

AntiBot Pass

Request passed the AntiBot Test with a Visitor Score of "100" (minimum score: 40).

User Bot Check Pass

"WooCommerce" submission for form "woocommerce-login" with username "unknown" passed Bot check.

(see also the screenshot below)

Or, if it's a bot, then you'll see something like:

AntiBot Fail

Request failed the AntiBot Test with a Visitor Score of "0" (minimum score: 40).

User Bot Check Fail

"WooCommerce" submission for form "woocommerce-login" with username "unknown" failed Bot check.

To determine if an IP belongs to a bot or legitimate customer, use the IP Address filter box at the top of the activity log table to filter logs by that IP. This will display all activities associated with that IP.

(see an example screenshot below)

WP Activity Log: Filter by IP address

Next,

  1. Within the Activity Log table, click on the IP to open the analysis dialog.
  2. Under the Bot Signals tab, review details about that IP, including the Total Reputation Score and Bad Bot Probability, which indicate whether it is likely a human or a bot.

You can refer to the example screenshot below for illustration.

IP Analysis: Bot Signals

In this example, bot signals show:

Total Reputation Score: 475 / Bad Bot Probability: 0%

This indicates that the user is likely a human rather than a bad bot.
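When many entries need reviewing, the log messages quoted above can be tallied per IP before opening the Bot Signals tab for each one. The following is an added example, not ShieldPRO code: it assumes the entries have been copied out as "IP<TAB>message" rows (a constructed layout, not a ShieldPRO export format), and the sample IPs and the `min_failures` threshold are illustrative.

```python
import re
from collections import defaultdict

# Message formats as quoted in the Activity Log examples on this page.
ANTIBOT_RE = re.compile(
    r'Request (passed|failed) the AntiBot Test with a Visitor Score of '
    r'"(\d+)" \(minimum score: (\d+)\)')
FORM_RE = re.compile(
    r'"([^"]+)" submission for form "([^"]+)" with username "([^"]*)" '
    r'(passed|failed) Bot check')

# Constructed sample rows; the tab-separated layout and IPs are assumptions.
SAMPLE_LOG = "\n".join([
    '203.0.113.7\tRequest failed the AntiBot Test with a Visitor Score of "0" (minimum score: 40).',
    '203.0.113.7\t"WooCommerce" submission for form "woocommerce-login" with username "unknown" failed Bot check.',
    '203.0.113.7\tRequest failed the AntiBot Test with a Visitor Score of "0" (minimum score: 40).',
    '203.0.113.7\t"WooCommerce" submission for form "woocommerce-login" with username "unknown" failed Bot check.',
    '198.51.100.20\tRequest passed the AntiBot Test with a Visitor Score of "100" (minimum score: 40).',
    '198.51.100.20\t"WooCommerce" submission for form "woocommerce-login" with username "unknown" passed Bot check.',
    'not a log row',
])

def summarize(log_text):
    """Tally AntiBot scores and per-form bot-check results for each IP."""
    stats = defaultdict(lambda: {"scores": [], "form_pass": 0,
                                 "form_fail": 0, "forms": set()})
    for line in log_text.splitlines():
        ip, sep, message = line.partition("\t")
        if not sep:
            continue  # row does not follow the assumed IP<TAB>message layout
        if (m := ANTIBOT_RE.search(message)):
            # Store (visitor score, minimum score) for this request.
            stats[ip]["scores"].append((int(m.group(2)), int(m.group(3))))
        elif (m := FORM_RE.search(message)):
            stats[ip]["forms"].add(m.group(2))
            key = "form_fail" if m.group(4) == "failed" else "form_pass"
            stats[ip][key] += 1
    return dict(stats)

def ips_to_review(stats, min_failures=2):
    """IPs whose form submissions only ever failed, at least min_failures times."""
    return sorted(ip for ip, s in stats.items()
                  if s["form_fail"] >= min_failures and s["form_pass"] == 0)

if __name__ == "__main__":
    for ip in ips_to_review(summarize(SAMPLE_LOG)):
        print(ip, "-> review its Bot Signals tab")
```
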

If you are unsure whether an activity is legitimate, you can contact us and send along screenshots of the WP Activity Log and Bot Signals for that IP, and we'll gladly take a look and suggest what you need to do.

Further WooCommerce Login Protection

To improve WooCommerce login security, you can enable Email-based 2FA, which can be enforced for specific user roles. You may also allow customers to opt in via the Allow Any User option.

Additional optional 2FA methods include:

  • Google Authenticator
  • YubiKey
  • Passkeys (WebAuthn)

When 2FA is enabled:

  • Users provide a second verification step during login.
  • Accounts remain secure even if credentials are compromised.

All 2FA settings are located under the main Security Zones menu: click the gear icon next to Login Zone, as displayed in the screenshot below.

Login Zone: 2FA method settings

For more details, please see the Login Zone – 2FA methods settings here.

Additional WooCommerce Tips and Resources

To support a secure and smoothly running WooCommerce store, we’ve compiled a selection of blog articles you may find valuable: