Limit Orders Per IP

Category: Security  ·  Min plan: Free  ·  Slug: limit-orders-per-ip

Cap how many successful orders one IP address can place on your store within a chosen time window. Helps prevent flooding and fake orders.

Features

  • Per-store IP rate limiting on orders
  • Configurable max orders and time window
  • Default: 3 orders per 12 hours
  • Counts only successful orders
  • Cloudflare-aware client IP detection
  • Fail-open if cache layer is unavailable

Why use it

Common abuse patterns on Algerian COD stores:

  • A competitor places 50 fake orders to waste your call-confirm staff's time.
  • A single household IP places repeat genuine orders, but you want to cap COD risk per address.
  • A scraper iterates through your catalog by submitting orders.

This add-on enforces a hard cap: "at most N successful orders from one IP within H hours". Excess attempts get rejected with a generic error.

How to activate

  1. Open Dashboard → Add-ons at /dashboard/addons.
  2. Find Limit Orders Per IP under Security.
  3. Click Activate (Free plan).
  4. The settings panel exposes:
    • Max successful orders per IP — default 3, range 1-100.
    • Time window in hours — default 12, range 1-720.

How it counts

  • Only successful orders count toward the limit. A rejected, fraud-flagged, or invalid order doesn't burn the IP's quota.
  • The window is rolling — once 12 hours pass since the first counted order, that order rolls off the IP's count.
  • The IP detection is Cloudflare-aware: it reads the real client IP from CF-Connecting-IP rather than the proxy address, so the limit applies to the actual customer.

Failure modes

  • Cache layer down: the add-on fails open — orders go through normally rather than blocking real customers because of a backend issue.
  • Shared IPs: a shared corporate or carrier-grade NAT IP can hit the limit even with multiple distinct customers. If your traffic is heavily mobile-carrier-NAT (some Algerian ISPs), set the cap higher (e.g. 10 / 12h).
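
The counting and failure rules above, as an added sketch in Python (not the add-on's own code). MemoryStore, OrderLimiter, client_ip and the TRUSTED_PROXIES range are hypothetical names and constructed values; accepting CF-Connecting-IP only when the connecting peer is a known proxy address is an assumption of this sketch, since any client that can reach the origin directly can set that header itself.

```python
import ipaddress
import time
from collections import defaultdict, deque

# Constructed stand-in for the proxy's published ranges (documentation network).
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24")]

def client_ip(peer_ip, headers):
    """Trust CF-Connecting-IP only when the TCP peer is a trusted proxy."""
    peer = ipaddress.ip_address(peer_ip)
    forwarded = headers.get("CF-Connecting-IP")
    if forwarded and any(peer in net for net in TRUSTED_PROXIES):
        try:
            return str(ipaddress.ip_address(forwarded.strip()))
        except ValueError:
            pass  # malformed header: fall back to the peer address
    return str(peer)

class MemoryStore:  # stand-in for the cache layer; down=True simulates an outage
    def __init__(self):
        self.hits, self.down = defaultdict(deque), False
    def timestamps(self, key):
        if self.down:
            raise ConnectionError("cache unavailable")
        return self.hits[key]

class OrderLimiter:
    def __init__(self, store, max_orders=3, window_hours=12):
        self.store, self.max_orders, self.window = store, max_orders, window_hours * 3600

    def _live(self, ip, now):
        now = time.time() if now is None else now
        try:
            stamps = self.store.timestamps(ip)
        except ConnectionError:
            return None, now  # cache down: callers fail open
        while stamps and now - stamps[0] >= self.window:
            stamps.popleft()  # orders older than the window roll off
        return stamps, now

    def allow(self, ip, now=None):
        """Check before accepting an order; True when under the cap."""
        stamps, _ = self._live(ip, now)
        return stamps is None or len(stamps) < self.max_orders

    def record_success(self, ip, now=None):
        """Call only after an order succeeded, so rejects burn no quota."""
        stamps, now = self._live(ip, now)
        if stamps is not None:
            stamps.append(now)
```

Because the sketch fails open, a cache outage is also a window with no cap, so it is worth alerting on cache errors in the order path.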

Tips

  • Keep the default 3 / 12h for new stores running cold paid traffic — most customers don't legitimately reorder within the same day.
  • Combine with Captcha Protection for layered defense — captcha catches headless browsers, this catches IP-bound spam.
  • Combine with Advanced Order Management — orders rejected for IP-cap don't appear in the order list at all, which keeps your call-confirm queue clean.
  • For B2B stores where one buyer legitimately reorders many times per day, raise the cap to ~20.