=== Bikram COD Order Verification for WooCommerce ===
Contributors: bikram_sth
Tags: woocommerce, cod, otp, verification, checkout
Requires at least: 5.8
Tested up to: 7.0
Requires PHP: 7.4
WC requires at least: 6.0
WC tested up to: 10.9
Stable tag: 1.0.1
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Reduce fake and RTO Cash on Delivery orders by requiring customers to verify their email or phone with an OTP before checkout.

== Description ==

**Bikram COD Order Verification for WooCommerce** adds a simple, no-cost verification step to your store's Cash on Delivery (COD) checkout flow. Before a customer can place a COD order, they must confirm a one-time password (OTP) sent to their email or phone number. This helps reduce fake orders, prank orders, and Return to Origin (RTO) losses that are especially common with COD in emerging markets.

= Key Features =

* Works with **both** the Classic (shortcode) checkout and the modern **WooCommerce Blocks** checkout.
* Verification by **Email** (via the site's own `wp_mail()`) or **SMS** (via Twilio or your own custom HTTP API).
* Customizable OTP length (4-6 digits) and expiry time.
* Customizable email subject/message templates.
* Server-side enforcement - verification cannot be bypassed by disabling JavaScript or editing hidden form fields.
* Brute-force protection: OTP guesses are capped, and codes are single-use.
* Lightweight dashboard widget showing OTPs sent, verified, and orders blocked.
* Full HPOS (High-Performance Order Storage) compatibility.
* No bloat: verification only appears when Cash on Delivery is the selected payment method.

= How it works =

1. The customer fills in their details and selects Cash on Delivery at checkout.
2. A small verification box appears, asking for their email or phone number.
3. The customer requests a code and enters it to confirm their identity.
4. Only once verified can they successfully place the order - this is enforced on the server, not just in the browser.

== External services ==

This plugin can, depending on how you configure it, send data to external services in order to deliver the OTP code to your customers:

* **Email delivery** uses your WordPress installation's own `wp_mail()` function to send the OTP. No third-party service is contacted for this by default; delivery depends on your site's own mail configuration (e.g. an SMTP plugin, if you use one).

* **SMS delivery (optional, only if you choose SMS as the verification method)**:
    * **Twilio** - if you select Twilio as your SMS gateway and enter your Twilio credentials, the OTP code and the customer's phone number are sent to Twilio's API (`https://api.twilio.com`) in order to deliver the SMS. This is only used when you have explicitly configured Twilio credentials in the plugin's settings. See [Twilio's Terms of Service](https://www.twilio.com/legal/tos) and [Privacy Policy](https://www.twilio.com/legal/privacy).
    * **Custom API** - if you select "Custom API" and provide your own SMS provider's endpoint URL, the OTP code and the customer's phone number are sent to the URL you configure. No default third-party endpoint is used - this only happens if you actively configure it.

No data is sent to any external service unless you actively choose and configure SMS as your verification method. If you use Email verification (the default), no third-party service is contacted by this plugin.

== Installation ==

1. Upload the plugin files to the `/wp-content/plugins/bikram-cod-order-verification` directory, or install the plugin directly through the WordPress Plugins screen.
2. Activate the plugin through the 'Plugins' screen in WordPress.
3. Go to **WooCommerce > Settings > COD OTP Verification** to configure verification method, OTP length/expiry, and (if using SMS) your gateway credentials.
4. That's it - the verification box will automatically appear at checkout whenever a customer selects Cash on Delivery.

== Frequently Asked Questions ==

= Does this work with the new WooCommerce Blocks checkout? =

Yes. The plugin supports both the Classic (shortcode-based) checkout and the block-based Checkout introduced in recent WooCommerce versions.

= Can I use SMS instead of email? =

Yes. Go to the plugin's settings and switch the verification method to SMS. You'll need either a Twilio account or your own custom SMS API endpoint.

= Is verification enforced even if someone disables JavaScript? =

Yes. Verification is checked again on the server before the order is allowed to be placed, regardless of what happens in the browser.

= What happens if someone enters the wrong code too many times? =

After 5 incorrect attempts, that code is locked and the customer must request a new one.

= Does this store the OTP codes permanently? =

No. OTP codes are stored only as short-lived WordPress transients (a few minutes at most) and are deleted immediately after a successful verification. They are never written to the database permanently.

== Screenshots ==

1. OTP verification box (Email) on the Classic checkout.
2. OTP verification box (SMS) on the Classic checkout.
3. OTP verification box (Email) on the Blocks checkout.
4. OTP verification box (SMS) on the Blocks checkout.
5. Plugin settings page under WooCommerce > Settings.
6. Plugin settings page under WooCommerce > Settings.

== Changelog ==

= 1.0.1 =
* Renamed plugin (per WordPress.org Plugin Review Team feedback) from "Free COD OTP Verification for WooCommerce" to "Bikram COD Order Verification for WooCommerce".
* Moved dashboard widget's inline `<style>` block to a properly enqueued stylesheet.

= 1.0.0 =
* Initial release.

== Upgrade Notice ==

= 1.0.0 =
Initial release.
