How to Properly Configure BotBlocker Protection for Your WooCommerce Store

Introduction

BotBlocker is a powerful security plugin for WordPress that protects your site from bots and malicious traffic. However, when working with WooCommerce, improper configuration can block legitimate customers during checkout or interfere with third-party integrations. This guide will show you how to properly set up BotBlocker to maintain maximum security while ensuring your store operates smoothly.

Part 1: Basic WooCommerce Configuration

Why WooCommerce Requires Special Rules

WooCommerce uses dynamic paths for the checkout process, cart management, and AJAX requests. If these paths are blocked, customers won’t be able to complete their purchases, and your store will lose sales.

Step 1: Add Essential Paths

Navigate to BotBlocker → Rules → Paths and add the following paths with “Allow” status:

For standard WooCommerce:

  • /checkout/ — checkout page
  • /cart/ — shopping cart
  • /my-account/ — customer account
  • /?wc-ajax= — AJAX requests

For WooCommerce Blocks (modern checkout):

  • /wp-json/wc/store/ — Store API for blocks

Step 2: Enable the Rules

Important: After adding paths, make sure they are active. Inactive rules are highlighted in red. Click on each rule to enable it — active rules will turn green.
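The effect of Steps 1 and 2 can be reasoned about with a small model of the allow rules. The following Python is an added example written for this guide, not BotBlocker code, and it assumes the plugin matches each entry as a prefix of the request's path plus query string (which is what an entry such as /?wc-ajax= implies; the plugin's real matcher is not documented here). The path strings are the ones listed above; the sample URLs and the order key are constructed. It shows why /?wc-ajax= has to be matched against the query string rather than the path, why an inactive (red) rule allows nothing, and that the WooCommerce REST API under /wp-json/wc/v3/ is not covered by the Part 1 list and so stays protected.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class PathRule:
    """One "Allow" path rule; `active` mirrors the red/green state in the UI."""
    pattern: str
    active: bool = True


# The five paths from Step 1, assumed to be matched as prefixes of the
# request's path plus query string (assumption, not documented plugin behaviour).
WOOCOMMERCE_RULES = [
    PathRule("/checkout/"),
    PathRule("/cart/"),
    PathRule("/my-account/"),
    PathRule("/?wc-ajax="),          # query parameter, not a path segment
    PathRule("/wp-json/wc/store/"),  # WooCommerce Blocks Store API
]


def request_target(url_or_target: str) -> str:
    """Reduce a full URL or a bare request target to path plus query, e.g.
    "https://shop.example/?wc-ajax=add_to_cart" -> "/?wc-ajax=add_to_cart"."""
    parts = urlsplit(url_or_target)
    path = parts.path or "/"
    return f"{path}?{parts.query}" if parts.query else path


def rule_matches(rule: PathRule, target: str) -> bool:
    """An inactive rule (red in the UI) allows nothing, whatever its pattern."""
    return rule.active and target.startswith(rule.pattern)


def is_allowed(url_or_target: str, rules=WOOCOMMERCE_RULES) -> bool:
    """True if any active rule covers the request target."""
    target = request_target(url_or_target)
    return any(rule_matches(rule, target) for rule in rules)


def inactive_rules(rules=WOOCOMMERCE_RULES) -> list[str]:
    """Patterns that were added but never enabled: the Step 2 checklist."""
    return [rule.pattern for rule in rules if not rule.active]


def coverage_report(targets, rules=WOOCOMMERCE_RULES) -> dict[str, bool]:
    """Run sample targets through the rules; a quick regression check after
    editing rules (Best Practices: always test after changes)."""
    return {target: is_allowed(target, rules) for target in targets}


if __name__ == "__main__":
    samples = [  # constructed sample requests
        "https://shop.example/checkout/",
        "/checkout/order-received/1001/?key=wc_order_example",
        "/?wc-ajax=add_to_cart",
        "/wp-json/wc/store/v1/cart",
        "/wp-json/wc/v3/orders",   # REST API: not in the Part 1 list, stays protected
    ]
    for target, allowed in coverage_report(samples).items():
        print(f"{'allow' if allowed else 'block':5}  {target}")
```

A useful habit is to keep a list of sample targets like the one in the `__main__` block and re-run it whenever a rule is added or toggled; a rule that was added but left inactive shows up immediately as a blocked checkout URL instead of as a lost order.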

Step 3: Update the Plugin

Install BotBlocker version 1.6.8 or later, which fixes cookie-related issues that could cause checkout problems.

Security Note

Allowing these paths does not compromise your site’s security. BotBlocker only permits verified users to access them, ensuring that sessions, cookies, and order processing work correctly.

Part 2: Configuring REST API Protection for Integrations

The Problem

Many WooCommerce stores integrate with external services: shipping companies, inventory management systems, CRM platforms, and mobile apps. These services use the WooCommerce REST API. By default, BotBlocker may block these requests, breaking your integrations.

The Solution: Smart Whitelisting

BotBlocker offers a flexible whitelisting system that allows you to grant API access only to specific trusted services without exposing the API publicly.

Step-by-Step API Configuration

Step 1: Temporarily Allow the API Path

Go to BotBlocker → Rules → Paths and add:

  • /wp-json/wc/v3/ (or the version your integration uses)

Mark this path as Allowed.

Step 2: Generate Real Traffic

Trigger a real API request from your integration:

  • For shipping services: print a test shipping label
  • For other integrations: perform a test action that calls the API
  • Alternatively, place a test order

This creates log entries that BotBlocker can analyze.

Step 3: Analyze the Full Log

Navigate to BotBlocker → Full Log and find requests to the API path you allowed.

Look for identifying characteristics of your integration:

User-Agent (most reliable):

Example: "ShipStation/1.0" or "MyShippingApp/2.5"

PTR/Reverse DNS (very reliable for major providers):

Example: "mail.fedex.com" or "api.shipstation.com"

IP Address (less reliable, use only as a last resort):

Example: "192.168.1.100"
Note: IPs can change; check whether your provider uses a static IP or a fixed IP range.

Step 4: Create a Permanent Allow Rule

From the log entry, create a rule that identifies your integration:

Best option — by User-Agent:

  • Click on the User-Agent value in the log
  • Create a rule: “Allow requests with this User-Agent”
  • Set expiration to +10 years (effectively permanent)

Alternative — by PTR:

  • Use if the provider has a stable reverse DNS
  • More reliable than IP addresses

Last resort — by IP:

  • Only if the provider guarantees a static IP
  • Less reliable due to potential IP changes

Step 5: Remove the Open API Path

After your permanent rule is active and tested:

  1. Verify that the integration still works
  2. Disable or delete the open API path (/wp-json/wc/v3/)
  3. Test the integration again
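Steps 3 to 5 carried through in Python, as an added example written for this guide rather than plugin code. It works over a constructed Full Log excerpt: the line format, the ShipApp/2.5 agent string, the api.shipping.example hostname and the 203.0.113.x and 198.51.100.x addresses are all made up for the illustration, and the plugin's matching semantics are assumed (exact User-Agent, PTR host or any subdomain of it, single IP or CIDR range, rule ignored after its expiration date). It groups the API requests by User-Agent, shows why an IP rule is not offered for the integration (three different source addresses, the situation the Mobile App issue below describes) while a PTR rule is, builds the +10-year rule, and then checks what happens once the open /wp-json/wc/v3/ path rule is disabled: the integration's requests still pass and the unidentified python-requests client is blocked.

```python
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

API_PREFIX = "/wp-json/wc/v3/"

# Constructed Full Log excerpt (not real plugin output), one request per line:
#   date  client-ip  ptr-name-or-"-"  "user-agent"  request-target
# Agent strings, hostnames and addresses are illustrative, not real providers.
FULL_LOG = """\
2024-03-01 203.0.113.10 api.shipping.example "ShipApp/2.5" /wp-json/wc/v3/orders
2024-03-01 203.0.113.11 api.shipping.example "ShipApp/2.5" /wp-json/wc/v3/orders/1001
2024-03-02 203.0.113.12 api.shipping.example "ShipApp/2.5" /wp-json/wc/v3/orders/1001/notes
2024-03-02 198.51.100.7 - "python-requests/2.31" /wp-json/wc/v3/products
2024-03-02 198.51.100.9 - "Mozilla/5.0" /checkout/
"""
LINE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)" (\S+)$')

@dataclass(frozen=True)
class LogEntry:
    day: date
    ip: str
    ptr: str
    user_agent: str
    target: str

@dataclass(frozen=True)
class AllowRule:
    kind: str        # "user_agent", "ptr" or "ip"
    value: str
    expires: date

def parse_log(text: str) -> list[LogEntry]:
    """Parse the log text; lines that do not fit the format are skipped."""
    matches = (LINE.match(line) for line in text.splitlines())
    return [LogEntry(date.fromisoformat(m[1]), *m.groups()[1:]) for m in matches if m]

def summarize_api_clients(entries: list[LogEntry]) -> dict[str, dict]:
    """Step 3: group API requests by User-Agent and collect the PTR names and
    source IPs seen for each, so the stable identifier stands out."""
    groups = defaultdict(lambda: {"count": 0, "ptrs": set(), "ips": set()})
    for e in entries:
        if e.target.startswith(API_PREFIX):
            groups[e.user_agent]["count"] += 1
            groups[e.user_agent]["ips"].add(e.ip)
            if e.ptr != "-":
                groups[e.user_agent]["ptrs"].add(e.ptr)
    return dict(groups)

def rule_options(summary: dict[str, dict], user_agent: str) -> list[tuple[str, str]]:
    """Step 4 preference order: User-Agent first, PTR if it was stable, IP only
    if every request came from a single address."""
    g = summary[user_agent]
    options = [("user_agent", user_agent)]
    if len(g["ptrs"]) == 1:
        options.append(("ptr", next(iter(g["ptrs"]))))
    if len(g["ips"]) == 1:
        options.append(("ip", next(iter(g["ips"]))))
    return options

def permanent_rule(kind: str, value: str, today: date) -> AllowRule:
    """Expiration of +10 years, the guide's 'effectively permanent' setting."""
    try:
        expires = today.replace(year=today.year + 10)
    except ValueError:  # 29 February with no counterpart ten years on
        expires = today.replace(year=today.year + 10, day=28)
    return AllowRule(kind, value, expires)

def rule_matches(rule: AllowRule, e: LogEntry, today: date) -> bool:
    """An expired rule matches nothing; PTR rules cover the host or its
    subdomains; IP rules accept a single address or a CIDR range."""
    if today > rule.expires:
        return False
    if rule.kind == "user_agent":
        return e.user_agent == rule.value
    if rule.kind == "ptr":
        return e.ptr == rule.value or e.ptr.endswith("." + rule.value)
    if rule.kind == "ip":
        return ipaddress.ip_address(e.ip) in ipaddress.ip_network(rule.value, strict=False)
    raise ValueError(f"unknown rule kind {rule.kind!r}")

def api_decisions(entries, rules, open_path_active: bool, today: date) -> dict[str, bool]:
    """Step 5: with the open API path rule disabled, an API request passes only
    if a permanent identifier rule matches it."""
    return {e.target: open_path_active or any(rule_matches(r, e, today) for r in rules)
            for e in entries if e.target.startswith(API_PREFIX)}

def walkthrough(today: date = date(2024, 3, 3)):
    """Run Steps 3 to 5 over the constructed log for the shipping integration."""
    entries = parse_log(FULL_LOG)
    options = rule_options(summarize_api_clients(entries), "ShipApp/2.5")
    rule = permanent_rule(*options[0], today)
    return rule, options, api_decisions(entries, [rule], open_path_active=False, today=today)
```

Two points the model makes visible. First, User-Agent and PTR values are chosen or controlled by the remote side, so a rule on them decides which traffic reaches the REST API rather than proving who sent it; WooCommerce's own API key authentication still applies to every request that gets through, which is why narrowing the path this way reduces exposure without replacing credentials. Second, the summary is the evidence for the rule choice: if the integration shows several source IPs, an IP rule will break the next time the provider rotates addresses, which is exactly the case the guide steers towards User-Agent.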

Result

✅ WooCommerce REST API remains fully protected
✅ Only your trusted integration can access it
✅ No public or anonymous API access
✅ Order status updates and tracking emails work correctly
✅ Maximum security with zero functionality loss

Common Issues and Solutions

Problem: Checkout Still Not Working

Solution:

  1. Clear your browser cache and cookies
  2. Verify that all rules are enabled (green status)
  3. Check that the plugin is updated to version 1.6.8+
  4. Temporarily disable other security plugins to rule out conflicts

Problem: Mobile App Can’t Connect to API

Solution:

  1. Follow the API whitelisting process above
  2. Check that your app sends a consistent User-Agent
  3. If the app uses multiple IP addresses, consider whitelisting by User-Agent instead

Problem: Some AJAX Requests Are Blocked

Solution: Add the specific AJAX action to allowed paths:

/?wc-ajax=action_name

Best Practices

  1. Always test after changes — place a test order to verify checkout works
  2. Use User-Agent for whitelisting whenever possible — it’s the most reliable method
  3. Monitor the Full Log regularly — check for blocked legitimate traffic
  4. Keep the plugin updated — new versions fix bugs and improve compatibility
  5. Document your rules — maintain a list of which integrations use which rules

Future Improvements

In upcoming BotBlocker versions, the plugin will automatically create WooCommerce-specific rules during installation, making initial setup even easier.

Conclusion

Proper BotBlocker configuration provides robust protection against malicious traffic while ensuring your WooCommerce store operates smoothly. By following this guide, you’ll maintain maximum security without sacrificing functionality or user experience.

Remember: security and usability don’t have to be mutually exclusive. With smart configuration, you can have both.
