Verified emails for WooCommerce
- replaced generic
Exceptionwith WooCommerce-nativeWC_Data_Exceptionin checkout hard stop - retains safe fallback to core
ExceptionifWC_Data_Exceptionis unavailable
- added optional logging of blocked order attempts when
VERIFIED_CUSTOMERS_DEBUGis enabled - logging includes order id, user id, billing email, and ip address with safe fallbacks
- restored
woocommerce_checkout_create_orderas a final hard stop to prevent unverified users from creating orders - consolidated order blocking logic to reuse
verified_customers_checkout_is_unverified()across all checkout layers - enforced true pre-save prevention so fraudulent orders are not created or marked failed
- strengthened multi-layer checkout enforcement:
woocommerce_checkout_processwoocommerce_after_checkout_validationwoocommerce_checkout_create_order
- improved reliability across AJAX and payment gateway checkout flows
- refactored checkout enforcement to use
verified_customers_get_user_id_for_checkout()and resolve identity viabilling_emailwhenget_current_user_id()is unreliable - centralized blocking logic in
verified_customers_checkout_is_unverified()and reused it across checkout hooks - improved WooCommerce AJAX and gateway support via
woocommerce_after_checkout_validation - removed
woocommerce_checkout_create_orderexception-based hard stop - blocked account creation at checkout until verification is completed
- added explicit
get_userdata()validation in verification link handler - simplified and hardened checkout notice and resend logic
- added
woocommerce_after_checkout_validationblock for unverified users during AJAX and gateway checkout flows - added
woocommerce_checkout_create_orderbackstop to stop order creation for unverified users - keeps existing checkout notices while adding stronger enforcement layers for verified email requirements
- improves protection against unverified Stripe and automated checkout attempts
- adds
resend_success=1query flag after resend email verification requests - displays WooCommerce success notice when verification email is resent
- suppresses resend link on My Account page immediately after resend redirect
- ensures rate-limited resend requests use the same redirect and notice behavior
- initial release
- supports PHP 7.0-8.3
- adds mandatory email verification for WooCommerce customer accounts
- automatically sends time-limited verification emails on
user_register - generates 32-character random tokens and stores them hashed using
wp_hash_password() - validates tokens with
wp_check_password()and enforces 24-hour expiration - blocks checkout for logged-in users with unverified email addresses via
woocommerce_checkout_process - displays verification notices on My Account and Checkout using WooCommerce notice API
- adds resend verification link protected by
wp_verify_nonce()with 5-minute rate limiting - stores verification state in user meta using
email_verified,email_verified_at,email_verify_token,email_verify_sent_at, andemail_verify_expires_at - deletes temporary verification metadata after successful confirmation
- uses
wp_safe_redirect()after verification to prevent token replay - no custom database tables created and no options added