Fraud Scoring
Bouncer includes a fraud scoring engine that evaluates every WooCommerce order against 9 configurable rules. Each rule assigns a weighted risk score. The total determines whether an order proceeds normally, gets flagged, held, or cancelled.
How it works
The scoring engine hooks into both Classic and Block Checkout via woocommerce_checkout_order_processed and woocommerce_store_api_checkout_order_processed. When an order comes through, here’s what happens:
- Each enabled rule evaluates the order and returns a risk score.
- Scores are multiplied by their configurable weights.
- The weighted scores add up to a total between 0 and 100.
- That total maps to a risk level:
  - Low: 0–25
  - Medium: 26–50
  - High: 51–75
  - Very High: 76–100
- Results are saved as HPOS-compatible order meta: _cfwc_fraud_score, _cfwc_fraud_level, and _cfwc_fraud_details.
Enabling fraud scoring
- Go to WooCommerce > Settings > Bouncer > Fraud.
- Enable Fraud scoring.
- Pick which rules are active and adjust their weights.
That’s it. Scoring runs automatically on every new order.
The 9 fraud rules
1. Disposable email domain
| Field | Value |
|---|---|
| Rule ID | disposable_email |
| Default weight | 30 |
Checks the billing email against 780+ known disposable domains like mailinator.com, guerrillamail.com, and similar throwaway services. The domain list ships with the plugin at data/disposable-domains.txt.
2. Custom email blacklist
| Field | Value |
|---|---|
| Rule ID | email_blacklist |
| Default weight | 35 |
Matches the billing email against user-defined wildcard patterns from your settings. Supports fnmatch() patterns, for example:
- *@tempmail.*
- spam*@*
- *@*.xyz
3. IP/billing country mismatch
| Field | Value |
|---|---|
| Rule ID | geo_mismatch |
| Default weight | 25 |
Compares the visitor’s IP country with the billing country on the order. Fires when they don’t match. Uses WC_Geolocation first, then falls back to ip-api.com if needed.
4. Order velocity
| Field | Value |
|---|---|
| Rule ID | velocity |
| Default weight | 20 |
Checks for multiple orders from the same email or IP within a configurable time window. The default threshold is 3 orders. Uses wc_get_orders() with HPOS support.
5. High order amount
| Field | Value |
|---|---|
| Rule ID | high_amount |
| Default weight | 15 |
Flags orders above a configurable dollar threshold. Default is $500.
6. First-time customer
| Field | Value |
|---|---|
| Rule ID | first_order |
| Default weight | 10 |
Flags customers with no previous completed orders for the billing email address.
7. Billing/shipping country mismatch
| Field | Value |
|---|---|
| Rule ID | address_mismatch |
| Default weight | 10 |
Compares the billing country with the shipping country. Fires when they differ.
8. Free email on high-value order
| Field | Value |
|---|---|
| Rule ID | free_email_domain |
| Default weight | 5 |
Flags orders placed with Gmail, Yahoo, Outlook, or other free email providers when the order total exceeds a configurable threshold. Default is $200.
9. Proxy/VPN detected
| Field | Value |
|---|---|
| Rule ID | proxy_vpn |
| Default weight | 30 |
Queries the proxycheck.io API to determine if the customer’s IP belongs to a proxy or VPN. Requires an API key. Results are cached for 24 hours per IP. The free tier covers 1,000 lookups per day.
Risk levels and automatic actions
| Score | Level | Default action |
|---|---|---|
| 0–25 | Low | No action |
| 26–50 | Medium | Flag with order note |
| 51–75 | High | Hold order |
| 76–100 | Very High | Cancel order |
The score thresholds are configurable. So are the actions for each level. You can set any level to hold, cancel, or flag depending on how aggressive you want the system to be.
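The scoring procedure from "How it works", the rule list, the fnmatch() patterns from rule 2, the level bands above and the returning-customer bypass, modelled end to end in Python. This is an added example, not Bouncer's code: weights, thresholds and bands are the page's defaults, but the page does not say how a rule's raw score is shaped or how the weighted sum is kept inside 0–100, so the model assumes binary rules (risk 1.0 when a rule fires), a sum capped at 100, a 24-hour velocity window in which the current order counts toward the threshold, and constructed stand-ins for the disposable-domain and free-provider lists. `Order`, `Settings`, `make_order` and the fixed clock `NOW` are the example's own names.

```python
"""Toy model of weighted fraud scoring (added example, not Bouncer's code)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

# Default weights keyed by Rule ID, as listed in the rule tables.
DEFAULT_WEIGHTS = {
    "disposable_email": 30, "email_blacklist": 35, "geo_mismatch": 25,
    "velocity": 20, "high_amount": 15, "first_order": 10,
    "address_mismatch": 10, "free_email_domain": 5, "proxy_vpn": 30,
}
# Constructed stand-ins for data/disposable-domains.txt and the free-provider list.
DISPOSABLE_DOMAINS = {"mailinator.com", "guerrillamail.com"}
FREE_EMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com"}
# Score bands and default actions from the risk-level table.
LEVELS = ((25, "low", "none"), (50, "medium", "flag"),
          (75, "high", "hold"), (100, "very_high", "cancel"))
NOW = datetime(2024, 1, 1, 12, 0, 0)   # fixed clock for the constructed orders


@dataclass
class Order:
    email: str
    total: float
    ip_country: str
    billing_country: str
    shipping_country: str
    placed_at: datetime
    status: str = "processing"
    is_proxy: bool = False      # stands in for the proxycheck.io answer


@dataclass
class Settings:
    weights: dict = field(default_factory=lambda: dict(DEFAULT_WEIGHTS))
    blacklist: tuple = ("*@tempmail.*", "spam*@*", "*@*.xyz")   # patterns shown for rule 2
    high_amount: float = 500.0
    free_email_amount: float = 200.0
    velocity_threshold: int = 3
    velocity_window: timedelta = timedelta(hours=24)   # assumption: page only says "configurable"
    bypass_after: int = 3


def make_order(email, total, hours_ago=0.0, country="US", ship_to=None,
               status="processing", is_proxy=False):
    """Helper for constructing sample orders; IP and billing country are set equal."""
    return Order(email, total, country, country, ship_to or country,
                 NOW - timedelta(hours=hours_ago), status, is_proxy)


def domain_of(email: str) -> str:
    return email.rsplit("@", 1)[-1].lower()


def fired_rules(order: Order, history: list, s: Settings) -> dict:
    """Return {rule_id: risk} for every rule that fires (risk is 1.0: rules are binary here).
    `history` holds this customer's earlier orders (same billing email)."""
    email = order.email.lower()
    recent = [o for o in history
              if timedelta(0) <= order.placed_at - o.placed_at <= s.velocity_window]
    completed = [o for o in history if o.status == "completed"]
    checks = {
        "disposable_email": domain_of(email) in DISPOSABLE_DOMAINS,
        # PHP's fnmatch() is case-sensitive, so both sides are lowercased before matching.
        "email_blacklist": any(fnmatchcase(email, p.lower()) for p in s.blacklist),
        "geo_mismatch": order.ip_country != order.billing_country,
        # Assumption: the order being scored counts toward the velocity threshold.
        "velocity": len(recent) + 1 >= s.velocity_threshold,
        "high_amount": order.total > s.high_amount,
        "first_order": not completed,
        "address_mismatch": order.billing_country != order.shipping_country,
        "free_email_domain": (domain_of(email) in FREE_EMAIL_DOMAINS
                              and order.total > s.free_email_amount),
        "proxy_vpn": order.is_proxy,
    }
    return {rule: 1.0 for rule, hit in checks.items() if hit}


def level_for(score: int):
    for upper, level, action in LEVELS:
        if score <= upper:
            return level, action
    return LEVELS[-1][1], LEVELS[-1][2]


def score_order(order: Order, history: list, s=None) -> dict:
    s = s or Settings()
    # Returning-customer bypass: enough completed orders skip scoring entirely.
    if sum(1 for o in history if o.status == "completed") >= s.bypass_after:
        return {"score": 0, "level": "low", "action": "none", "details": {}, "bypassed": True}
    details = {r: risk * s.weights[r] for r, risk in fired_rules(order, history, s).items()}
    # Assumption: the default weights sum to 180, so the total is capped at 100, not normalised.
    score = min(100, round(sum(details.values())))
    level, action = level_for(score)
    return {"score": score, "level": level, "action": action,
            "details": details, "bypassed": False}
```

A first order from a disposable address for $750 collects disposable_email (30), high_amount (15) and first_order (10) for a score of 55, which lands in the High band and is held; the same address with a blacklist hit and a proxy IP would exceed 100 and is capped, so the cap is what keeps several strong signals from overflowing the Very High band.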
Returning customer bypass
Trusted customers shouldn’t get caught in fraud checks every time they order. If you enable the returning customer bypass, customers with a configurable number of completed orders (default 3) skip fraud scoring entirely.
Per-order fraud breakdown
On the admin order edit screen, a Fraud Score meta box appears in the sidebar. This works on both HPOS and legacy order screens. It shows:
- A color-coded risk badge (green, yellow, orange, red)
- The score out of 100
- A table of each rule that fired, with the rule label, risk contribution, weight, and weighted score
- CAPTCHA verification status for the order
This gives you a clear picture of why an order was flagged without digging through logs.
Disposable email detection (standalone)
Beyond the fraud scoring rule, disposable emails can also be blocked at checkout independently. Three actions are available:
- Block: Prevent the order with an error message.
- Warn: Show a WooCommerce notice but allow the order to go through.
- Flag: Silently add an order note.
Configure this at WooCommerce > Settings > Bouncer > Fraud > Disposable email handling.
Custom email blacklist (standalone)
The email blacklist also runs independently of fraud scoring. You define patterns in a settings textarea, one per line. The same three actions apply: block, warn, or flag.
This means you can block known bad patterns outright while still using the fraud scoring system for everything else.
Proxy/VPN detection
Bouncer integrates with proxycheck.io for proxy and VPN detection.
- Sign up for a free API key at proxycheck.io.
- Enter the key at WooCommerce > Settings > Bouncer > Fraud.
- Results are cached in transients for 24 hours per IP, so repeat visitors don’t trigger extra API calls.
- The free tier covers 1,000 queries per day.
Proxy detection feeds into the fraud scoring engine as one of the 9 rules. It can also serve as a standalone signal if you want to act on VPN usage independently.
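The per-IP, 24-hour caching described above, as an added Python example rather than the plugin's own transient code. The proxycheck.io call is replaced by an injected `resolver` callable and the clock by an injected `clock`, so the block runs offline and expiry can be exercised; `ProxyLookupCache`, `fake_resolver` and the behaviour on a failed lookup (not cached, rule gets no signal) are the example's own assumptions, not documented plugin behaviour.

```python
"""TTL cache for proxy/VPN lookups (added example, not Bouncer's code)."""
import time

CACHE_TTL_SECONDS = 24 * 60 * 60   # 24 hours per IP, as described on the page


class ProxyLookupCache:
    def __init__(self, resolver, clock=time.time, ttl=CACHE_TTL_SECONDS):
        self._resolver = resolver   # callable(ip) -> bool; stands in for the proxycheck.io call
        self._clock = clock         # callable() -> seconds; injected so expiry is testable
        self._ttl = ttl
        self._entries = {}          # ip -> (is_proxy, expires_at)
        self.api_calls = 0          # real lookups made, i.e. daily quota consumed

    def is_proxy(self, ip):
        """True/False from cache or resolver; None when the lookup failed."""
        now = self._clock()
        hit = self._entries.get(ip)
        if hit is not None and hit[1] > now:
            return hit[0]           # cache hit: no API call for a repeat visitor
        self.api_calls += 1
        try:
            result = bool(self._resolver(ip))
        except Exception:
            # Assumption: a failed lookup is not cached, so the next order retries
            # instead of pinning a bad answer for 24 hours.
            return None
        self._entries[ip] = (result, now + self._ttl)
        return result


def fake_resolver(ip):
    """Constructed stand-in: one documentation-range address is treated as a VPN exit."""
    return ip == "198.51.100.7"


def failing_resolver(ip):
    """Constructed stand-in for an unreachable API."""
    raise RuntimeError("proxy lookup unavailable")
```

Because `api_calls` only increments on a miss, it doubles as a quota meter: with the free tier's 1,000 lookups per day, the number of distinct IPs seen per day, not the number of orders, is what consumes it.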
Developer hooks
Two filters let you extend the scoring system:
cfwc_fraud_rules — Register custom fraud rules. Your rule class must implement Rule_Interface.
```php
add_filter( 'cfwc_fraud_rules', function ( $rules ) {
    // Append your rule to the list the engine evaluates; the class must implement Rule_Interface.
    $rules[] = new My_Custom_Fraud_Rule();
    return $rules;
} );
```
cfwc_fraud_score_result — Modify the final score, level, or details array before it's saved to the order.
```php
add_filter( 'cfwc_fraud_score_result', function ( $result, $order ) {
    // $result contains 'score', 'level', and 'details'; $order is the order being scored.
    return $result;
}, 10, 2 );
```
Privacy note
When fraud scoring features are enabled, the plugin makes the following external calls:
- GeoIP: Uses WC_Geolocation (local MaxMind database when configured). Falls back to ip-api.com, sending only the IP address.
- Proxy detection: Sends the IP address to proxycheck.io when an API key is configured.
- Disposable email check: Runs entirely locally against the bundled domain list. No external calls.
Related docs
- Settings for the full configuration reference
- Geo Protection for country-based features
- Developer Guide for all available hooks