ActiveLayer Blog

WordPress Tutorials, Tips, and Resources to Help Grow Your Business

ActiveLayer for WooCommerce launch graphic: dark green hero card with the headline Native Spam Protection for WooCommerce and badges for server-side detection, reviews + registration coverage, and free tier

Introducing ActiveLayer for WooCommerce

Updated on Written By: ActiveLayer Team

Every WooCommerce store has two kinds of garbage piling up. Spam reviews on product pages, and fake accounts that sign up and never buy a thing.

Neither looks urgent. Both cost you. Spam reviews push your real reviews down the page and weaken trust on the products you’ve worked hardest to rank. Fake account registrations fill your CRM with names you’ll never sell to, and they’re often the warm-up to a carding attack: a wave of bot signups today, stolen card numbers tested against your gateway tomorrow.

The standard fix is to add a CAPTCHA to every form. We think that solves the wrong problem. CAPTCHAs cut form completions by up to 40%, and the worst place to absorb that hit is the form your highest-intent visitors are already nervous about filling out.

So we built a different answer.

Today, ActiveLayer ships native protection for WooCommerce. One plugin, one API key, two toggles. AI-powered detection that runs server-side and finishes faster than your database query. No puzzles. No checkboxes.

Get Spam-Free WooCommerce →

What ActiveLayer protects on your WooCommerce store

1. Product reviews

Spam reviews are both an SEO problem and a trust problem. Google’s product structured data depends on real reviews; one spam review with a sketchy outbound link can poison the rich result for that product page. On your storefront, your real reviewers fight for visibility with junk.

ActiveLayer scores every WooCommerce product review as it comes in. Submissions sit in moderation while we evaluate content patterns, behavioral signals, and sender reputation. Spam goes to your WordPress spam folder. If you’d rather not see it at all, you can have it silently deleted when our confidence is high; the threshold is configurable and defaults to a spam score of 95+.

A few details we cared about:

  • Verified product owners can skip the check. If your reviewer already bought the product, the review goes straight through. We’ve been burned by false positives on real customers, and didn’t want to do that to you.
  • Logged-in reviewers can be exempted too, which helps stores where review-leaving is a community thing.
  • While a review is pending verdict, WordPress won’t email you to moderate it. We don’t think you need to be paged about a comment we haven’t decided on yet.

You keep everything WooCommerce already gives you: star ratings, photo uploads, the verified-owner badge. We just take the spam out.

WordPress Comments spam folder showing a product review flagged as spam by ActiveLayer

2. Customer registration

Fake accounts are a slow-moving cost. They land in your customer count, in your email lists, in your loyalty program. Sometimes, when an attacker is testing stolen card numbers, they land right before checkout. Most stores notice the registrations only after the carding starts.

ActiveLayer scores every WooCommerce registration submission before the account is created. The detection signal is the same one our customers already trust on contact forms, recalibrated for the registration context. A spam verdict returns inline. The customer sees a clear error, and the account is never written to your database.

The protection runs everywhere WooCommerce lets a customer sign up:

  • the My Account page, your standalone registration form
  • classic checkout, when the customer ticks “create an account?” before paying
  • block-based checkout, the new Cart/Checkout Blocks (WooCommerce 8.3 and up)

All three flows hit the same protection layer. We gate them at woocommerce_register_post, the canonical hook WooCommerce fires no matter where the form actually lives. The classic flows render the full client-signal kit (browser fingerprints, behavioral signals, honeypots). Block-based checkout currently reaches the gate with the core fields only: email, IP, user-agent, honeypot. Full block-flow signal coverage is on our short roadmap. Either way, the spam gate is unified.

WooCommerce My Account page showing an inline error blocking a fake registration attempt

Why we built this without CAPTCHAs

Every CAPTCHA you remove is some percentage of completions back in your pocket. reCAPTCHA cuts form completions by up to 40%, and the worst place to take that hit is a high-intent moment like account creation. Especially mid-checkout, when your customer is already mid-keystroke on their card details.

ActiveLayer is entirely server-side. No challenge renders in your visitor’s browser. No third-party JavaScript loads on your registration or checkout form. The protection happens when a form is submitted: your site posts the payload to the ActiveLayer API, we score it in milliseconds, and your site decides what to do with the verdict.

Three properties matter for a store:

  • Verdicts return faster than most database queries. The form feels instant to your customer.
  • If our API is unreachable, times out, or returns an error, submissions pass through. Reviews fall back to WordPress’s native moderation; registrations proceed inline. We will never block a real customer because we had a bad afternoon.
  • Every verdict carries a confidence score, the signals it triggered, and a detection ID. You can see exactly why a submission was flagged, and override us when you need to.

The part most spam tools quietly get wrong is that they optimize for “block more spam” and accept blocking more humans as the cost. We start from the other direction. Never block a customer. Catch the spam on the way.

Spam-free WooCommerce in three steps

Setup is the same shape as every other ActiveLayer install. Install the plugin, add your key, flip the toggle.

1. Install the ActiveLayer plugin. Free in the WordPress plugin directory. Activate it on your store.

2. Paste your API key. Sign up at app.activelayer.com for 1,000 free checks (no credit card). Paste the key into the plugin settings.

3. Toggle the WooCommerce surfaces you want to protect. Reviews and customer registration each have their own switch. Inside the reviews panel you can also fine-tune the verified-owner bypass, the logged-in-user bypass, the auto-delete threshold, and the auto-approve behavior.

That’s the whole setup. Most stores have it running in under two minutes.

A note for agencies

If you build or maintain WooCommerce stores for clients, one ActiveLayer account covers all of them. Every plan (Free, Pro, Enterprise) includes unlimited sites. You’re billed by spam-check volume across your portfolio, not by store count.

That’s the part our agency customers asked us to keep simple. We did.

Pricing

Same plans as everywhere else. Nothing new for WooCommerce.

  • Free: 1,000 spam checks (one-time), unlimited sites, full API access, no credit card.
  • Pro: from $5/month for 5,000 checks, scaling up to 250,000. Unlimited sites. Email support.
  • Enterprise: from $149/month for 500,000+ checks, custom SLA, SSO, dedicated support.

For most small and mid-sized WooCommerce stores, Pro is the right starting tier. Review submissions and registration submissions together rarely exceed a few thousand a month, and the monthly fee is less than the processing cost of a single chargeback.

See Full Pricing →

Get started

Install ActiveLayer, enable the WooCommerce surfaces, and stop paying the spam tax. Without paying the CAPTCHA tax to do it.

Get Spam-Free WooCommerce →

Already running ActiveLayer on your contact forms? You’re two toggles away from protecting the rest of your store. The integration is in your plugin today. Open the ActiveLayer settings, find the WooCommerce section under Integrations, and pick the surfaces you want.

Questions about your store’s specific setup? Reach out. We read every message, and our team will help you get this running.

Add a Comment

We're glad you have chosen to leave a comment. Please keep in mind that all comments are moderated according to our privacy policy, and all links are nofollow. Do NOT use keywords in the name field. Let's have a personal and meaningful conversation.