Checkout spam protection
Introduction
Checkout spam protection helps reduce automated bot submissions and abusive checkout attempts. When enabled, BodyCommerce can:
- Honeypot: Add a hidden field that real customers never see; bots often fill it and are blocked.
- Minimum time: Require customers to spend a minimum time on the checkout page before placing an order.
- Rate limiting: Limit how many checkout attempts a visitor can make in a time window.
- Temporary lockout: Block further attempts for a set period after the rate limit is exceeded.
- Optional logging: Log blocked attempts to the database and view them in an admin log viewer (with filters, CSV export, and clear logs).
All checks run only during WooCommerce checkout; they do not affect other pages.
Where to configure
Go to Divi Engine > BodyCommerce > Cart/Checkout Mods and find the Checkout spam protection section. Turn on the Enable checkout spam protection setting, then configure the options below as needed.
Settings
| Setting | Type | Default | Notes |
|---|---|---|---|
| Enable checkout spam protection | Checkbox | Off | Master switch for honeypot, minimum time, rate limiting, and lockout. |
| Enable honeypot field | Checkbox | On | Hidden field that bots typically fill; real customers leave it empty. |
| Enforce minimum time on page | Checkbox | On | Require a minimum time on checkout before submitting. |
| Minimum checkout time (seconds) | Number | 1 | Minimum seconds the customer must be on the checkout page (0–300). |
| Enable rate limiting | Checkbox | On | Limit checkout attempts per visitor in a time window. |
| Rate limit: max attempts | Number | 5 | Max attempts allowed within the rate limit window (1–50). |
| Rate limit: window (seconds) | Number | 300 | Time window for counting attempts (e.g. 300 = 5 minutes). |
| Lockout duration (minutes) | Number | 15 | How long to block further attempts after exceeding the rate limit. |
| Blocked message | Textarea | (default message) | Message shown when a customer is temporarily blocked. |
| Enable spam logging | Checkbox | Off | Log blocked attempts to the database for review in the admin log viewer. |
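To see how the default values in the table interact, the following added example (not BodyCommerce code) models the checks in Python and replays constructed traffic through them. The check order, the sliding window, and counting every attempt toward the rate limit are assumptions of this model; `SpamGuard`, `replay` and the sample data are hypothetical names.

```python
# Illustrative model only, not BodyCommerce code. Check order, the sliding
# window and counting every attempt toward the limit are assumptions.
from collections import defaultdict, deque
from dataclasses import dataclass, field

@dataclass
class SpamGuard:
    min_time: int = 1          # "Minimum checkout time (seconds)" default
    max_attempts: int = 5      # "Rate limit: max attempts" default
    window: int = 300          # "Rate limit: window (seconds)" default
    lockout_minutes: int = 15  # "Lockout duration (minutes)" default
    attempts: dict = field(default_factory=lambda: defaultdict(deque))
    locked_until: dict = field(default_factory=dict)

    def check(self, visitor, now, page_loaded_at, honeypot=""):
        """Return 'ok' or the log type that would be recorded for a block."""
        if now < self.locked_until.get(visitor, 0):
            return "lockout"
        recent = self.attempts[visitor]
        while recent and recent[0] <= now - self.window:
            recent.popleft()               # drop attempts older than the window
        recent.append(now)
        if len(recent) > self.max_attempts:
            self.locked_until[visitor] = now + self.lockout_minutes * 60
            recent.clear()
            return "rate_limited"
        if honeypot:                       # hidden field must stay empty
            return "honeypot"
        if now - page_loaded_at < self.min_time:
            return "min_time"
        return "ok"

def replay(events, guard=None):
    """events: (visitor, now, page_loaded_at, honeypot), time-ordered per visitor."""
    guard = guard or SpamGuard()
    return [guard.check(*e) for e in events]

# Constructed sample traffic (timestamps in seconds, IPs from TEST-NET-1).
BOT, SHOPPER = "192.0.2.10", "192.0.2.77"
SAMPLE = (
    [(BOT, t, t, "x") for t in range(0, 5)]   # 5 instant submits, honeypot filled
    + [(BOT, 5, 5, "")]                       # 6th attempt inside the 300 s window
    + [(BOT, 400, 390, "")]                   # inside the 15 minute lockout
    + [(BOT, 5 + 15 * 60, 900, "")]           # first attempt once lockout has ended
    + [(SHOPPER, 50, 20, "")]                 # customer who spent 30 s on the page
    + [(SHOPPER, 60, 60, "")]                 # submitted faster than min_time
)

if __name__ == "__main__":
    for event, verdict in zip(SAMPLE, replay(SAMPLE)):
        print(event, "->", verdict)
```

Changing the `SpamGuard` fields and replaying the same events shows how a tighter window or a longer lockout changes which log type each attempt would produce.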
Viewing spam logs
When Enable spam logging is on, a Checkout spam logs submenu appears under Divi Engine in the WordPress admin. Use it to:
- See a summary of blocked attempts in the last 24 hours.
- Filter logs by type (lockout, rate_limited, nonce, honeypot, min_time), IP, email, or date range.
- Export CSV to download filtered logs.
- Clear logs to remove all log entries (after confirming).
Each log type indicates why the attempt was blocked: honeypot (honeypot field filled), min_time (minimum time not met), nonce (invalid nonce), rate_limited (rate limit exceeded), or lockout (active lockout).
What's next
- Step 13: Build the checkout page – Set up your checkout layout.
- Custom checkout fields – Add custom fields to checkout.