Documentation
The StorePack companion plugin
Free, open-source (GPL-2.0), HMAC-signed, read-only by default. Install it when you want to unlock storefront features the WooCommerce REST API can't reach on its own.
What works without the plugin vs. what needs it
| Feature | REST API only | With plugin |
|---|---|---|
| Orders, refunds, customers, products | ||
| Coupons CRUD | ||
| Bulk product editing + exports | ||
| Profit tracker + cohort analytics | ||
| Product reviews import (existing reviews) | ||
| Mobile app — full data access | ||
| Abandoned-cart recoveryCaptures cart contents + email at checkout | ||
| Visitor tracking + on-site search insightsAnonymous, consent-gated | ||
| Announcement bars on storefrontShadow DOM, can’t break theme | ||
| Post-purchase “you may also like” cardGrowth+ | ||
| On-site review widget + post-purchase email | ||
| Core Web Vitals reportingLCP, CLS, INP captured natively | ||
| Site-health snapshotPHP / WP / WC versions, cron lag |
Installing the plugin
- In WordPress admin, go to Plugins → Add new and search for StorePack. Install and activate.
- A new top-level StorePack menu appears in the sidebar. Open it and click Generate pair code.
- In the StorePack dashboard, open Settings → Plugins → Pair and paste the code. The two sides exchange a one-time bearer, encrypt it with libsodium, and store it at rest on both ends.
- Done. WooCommerce webhooks are registered automatically; cart capture, visitor tracking, and announcement-bar rendering go live immediately.
Prefer not to use the WordPress directory? You can also download the .zip from your StorePack workspace and upload it via Plugins → Add new → Upload plugin. The source is published under GPL-2.0 — audit it before you install if you like.
Security model
- Read-only by default. Plugin management (activate / deactivate / update / delete) is off until you explicitly opt in from the settings page. Every management action is written to a rolling audit log capped at 100 entries. StorePack cannot deactivate or delete itself.
- HMAC-SHA256 signs every outbound payload with a per-store secret that's encrypted at rest using libsodium (
sodium_crypto_secretbox), keyed bywp_salt('auth')plus a per-install nonce. - Origin-locked. The StorePack endpoint URL is fixed at pair time and re-validated on every outbound request. A compromised SaaS clone cannot hijack a paired site.
- Consent-aware. When a WP Consent API plugin is active (CookieYes, Complianz, Cookiebot), the plugin only sends cart and analytics events for visitors who've granted statistics consent. Browser Do-Not-Track is honoured by default. No tracking cookies, no third-party CDN, no visitor IP stored.
- No theme bleed. Announcement bars render inside a Shadow DOM so theme CSS can never override their styling — and they can't leak styles into the storefront either.
Disconnecting and uninstalling
Disconnect: from StorePack → Settings → Advanced → Disconnect. The pairing token is revoked, encrypted credentials are wiped, and any WooCommerce webhooks the plugin created are unregistered. Your historical data in the StorePack dashboard remains intact.
Uninstall: deleting the plugin from WordPress runs uninstall.php which wipes every option, transient, audit log entry, throttle counter, and KDF salt the plugin created. Nothing of it remains in your database.
Requirements
- WordPress 6.5 or newer
- WooCommerce 8.0 or newer (HPOS and Cart/Checkout Blocks compatible)
- PHP 8.0 or newer with the
sodiumextension enabled (default on most hosts)
Haven't connected the WooCommerce REST API yet?
Start with the REST API setup