Every WooCommerce store owner knows that not all customers are good customers. Some buyers might repeatedly attempt fraudulent transactions, file false chargebacks, or simply abuse your policies. Blocking such buyers can be essential to maintaining the health of your store. While many plugins offer blocking functionalities, you can effectively block bad buyers in WooCommerce without adding extra bloat to your site by using custom solutions.
In this guide, we’ll explore how to block bad buyers in WooCommerce based on their IP address, email address, full name, or physical address — all without relying on a plugin. As always, we recommend making changes within a child theme to keep your customisations safe from theme updates.
Why Block Bad Buyers?
Blocking bad buyers can help protect your WooCommerce store by:
- Preventing Fraud: Block buyers who repeatedly attempt fraudulent transactions or use stolen credit cards.
- Reducing Chargebacks: Prevent buyers who file excessive chargebacks from placing further orders.
- Preventing Abuse: Some buyers may repeatedly abuse return policies or attempt to exploit promotions.
Methods to Block Bad Buyers Without a Plugin
Step 1: Blocking Buyers by IP Address
Blocking buyers by IP address is a common method of preventing unwanted traffic from accessing your site. This can be done by adding specific rules to your .htaccess file, which stops requests from certain IP addresses before they even reach your WooCommerce store.
You can manually block IP addresses or generate a customised .htaccess file using our Ultimate Free WordPress .htaccess File Generator.
Here’s an example of how to block an IP address:
# Block specific IP addresses
<Limit GET POST>
order allow,deny
deny from 123.456.789.123
deny from 192.168.1.1
allow from all
</Limit>
You can also block them on the checkout page using a function. Add the following code to your theme’s functions.php file or in a child theme:
/*
* Snippet: How to Block Bad Buyers in WooCommerce Without a Plugin – 2026
* Author: John Cook
* URL: https://wcsuccessacademy.com/?p=1568
* Tested with WooCommerce 10.7.0
* "This function blocks buyers based on their IP address"
*/
add_action( 'woocommerce_checkout_process', 'wcsuccess_block_checkout_by_ip' );
function wcsuccess_block_checkout_by_ip() {
// Array of blocked IP addresses
$blocked_ips = array(
'123.456.789.000', // Add your blocked IPs here
'111.222.333.444',
'555.666.777.888'
);
// Get the current user's IP address
$user_ip = $_SERVER['REMOTE_ADDR'];
// Check if the user's IP is in the blocked list
if ( in_array( $user_ip, $blocked_ips ) ) {
// If the user's IP is blocked, add an error notice and prevent checkout
wc_add_notice( __( 'Your IP address is blocked from making purchases.', 'woocommerce' ), 'error' );
}
}Step 2: Blocking Buyers by Email Address
You can prevent orders from certain email addresses by adding a custom function to your WooCommerce checkout process. This method ensures that buyers with blacklisted email addresses cannot complete a purchase.
Add the following code to your theme’s functions.php file or in a child theme:
/*
* Snippet: How to Block Bad Buyers in WooCommerce Without a Plugin – 2026
* Author: John Cook
* URL: https://wcsuccessacademy.com/?p=1568
* Tested with WooCommerce 10.7.0
* "This function blocks buyers based on their email address"
*/
function wcsuccess_block_bad_email_addresses( $data, $errors ) {
// List of blocked email addresses
$blocked_emails = array( 'badbuyer@example.com', 'spam@domain.com' );
if ( in_array( strtolower( $data['billing_email'] ), $blocked_emails ) ) {
$errors->add( 'validation', __( 'Sorry, we cannot process your order. Please contact support for further assistance.', 'woocommerce' ) );
}
}
add_action( 'woocommerce_after_checkout_validation', 'wcsuccess_block_bad_email_addresses', 10, 2 );
How the Email Block Works
- Blocked Emails List: This function checks the email address entered at checkout against a list of blocked addresses. If there’s a match, the checkout process is halted, and an error message is shown.
- Case-Insensitive Matching: The
strtolower()function ensures that the email matching is case-insensitive, so “BADBUYER@EXAMPLE.COM” is treated the same as “badbuyer@example.com.”
Step 3: Blocking Buyers by Full Name
Sometimes, it’s necessary to block buyers by their full name, especially if they frequently change email addresses to avoid detection. Here’s how you can prevent certain individuals from making purchases based on their name.
/*
* Snippet: How to Block Bad Buyers in WooCommerce Without a Plugin – 2026
* Author: John Cook
* URL: https://wcsuccessacademy.com/?p=1568
* Tested with WooCommerce 10.7.0
* "This function blocks buyers based on their full name"
*/
function wcsuccess_block_bad_names( $data, $errors ) {
// List of blocked full names
$blocked_names = array( 'John Doe', 'Jane Smith' );
if ( in_array( $data['billing_first_name'] . ' ' . $data['billing_last_name'], $blocked_names ) ) {
$errors->add( 'validation', __( 'Sorry, we cannot process your order. Please contact support for further assistance.', 'woocommerce' ) );
}
}
add_action( 'woocommerce_after_checkout_validation', 'wcsuccess_block_bad_names', 10, 2 );
How the Name Block Works
- Blocked Names List: This function checks the buyer’s first and last name at checkout and compares it to a list of blocked names.
- Stopping Checkout: If a match is found, the checkout process is blocked with a custom error message.
Step 4: Blocking Buyers by Physical Address
Blocking a buyer based on their physical address can be particularly useful if someone repeatedly uses fraudulent shipping addresses. The following code checks the entered address at checkout and prevents the order from going through if it’s blacklisted.
/*
* Snippet: How to Block Bad Buyers in WooCommerce Without a Plugin – 2026
* Author: John Cook
* URL: https://wcsuccessacademy.com/?p=1568
* Tested with WooCommerce 10.7.0
* "This function blocks buyers based on their shipping address"
*/
function wcsuccess_block_bad_shipping_address( $data, $errors ) {
// List of blocked addresses
$blocked_addresses = array( '123 Fake Street', '456 Fraud Avenue' );
if ( in_array( $data['billing_address_1'], $blocked_addresses ) ) {
$errors->add( 'validation', __( 'Sorry, we cannot process your order. Please contact support for further assistance.', 'woocommerce' ) );
}
}
add_action( 'woocommerce_after_checkout_validation', 'wcsuccess_block_bad_shipping_address', 10, 2 );
How the Address Block Works
- Address Check: The function compares the shipping or billing address with a list of blacklisted addresses. If a match is found, the checkout is stopped, and an error message is displayed.
- Customisable: You can expand this to block addresses based on city, postcode, or other address details.
Best Use Cases for Blocking Bad Buyers
- Preventing Fraudulent Orders: Use the IP address, email address, or full name to block known fraudsters from placing orders.
- Stopping Abuse: If customers are abusing your return or refund policies, blocking their email or physical address can prevent future abuse.
- Improving Order Quality: By filtering out bad buyers, you can focus on legitimate customers, reducing the risk of chargebacks and improving your store’s overall performance.
Conclusion
Blocking bad buyers in WooCommerce without a plugin is a simple but effective way to protect your store from fraudulent or abusive customers. Whether it’s by IP address, email, full name, or shipping address, these techniques offer a flexible approach to preventing unwanted buyers from completing orders.
Always test these changes in a staging environment before applying them to your live site, and use a child theme to ensure your customisations aren’t lost during theme updates. For more advanced security and bot management, you can also check out our Ultimate Free WordPress .htaccess File Generator, robots.txt generator, and Bad Bot Blocker Generator for further protection.
I have been working with WordPress and WooCommerce since 2012 and have developed a deep knowledge of the content management system. Since 2012, I have developed several plugins and designed dozens of websites utilising different frameworks, CMS’s and programming languages. I am proficient in PHP, Python, Java, C, C++, R and JavaScript with limited experience in Go, Kotlin and Swift.
Educationally, I have a Master’s degree in cyber security a Bachelor’s (Hons, First Class) in Applied Research and a Graduate Certificate in Data Science. I’m currently undertaking PhD studies investigating IoT cybersecurity. I recently graduated with First Class Honours and Masters of Information Technology, receiving the Executive Dean’s Award for studies undertaken in the 2021 and 2022 academic years. I have worked in the information technology industry for the past 11 years primarily as a software/web developer specific to design, optimisation, network management and security. My research interests are in the areas of Internet of Things (IoT), 5G and Beyond Networks, information security for wireless networks and software development.
Stay In Touch
