Skip to content
WPPoland Documentation

How it works

Recover captures carts shoppers leave behind and emails a secure one-click link to bring them back to checkout. Everything runs on your own site. This page covers the lifecycle, the admin view, and the security and privacy model.

The lifecycle

Section titled “The lifecycle”
  1. Snapshot. As soon as a shopper has items in the cart, Recover saves a private snapshot, updating it whenever the cart changes.
  2. Capture the email. For logged-in customers the email is known automatically. For guests, the checkout email field is captured — but only after they tick the consent checkbox.
  3. Abandon. If checkout is not completed within your abandonment window, the cart is marked abandoned.
  4. Email. On the next cron run, Recover sends a recovery email containing a secure, tokenised restore link, respecting your first-email delay, emails per cart and resend interval.
  5. Restore. One click on the link repopulates the cart and sends the shopper back to checkout.
  6. Recover. If they complete the order, the cart is marked recovered and your recovery rate updates.

The cron worker

Section titled “The cron worker”

Recovery runs on a WordPress cron schedule (hourly by default). Each run does two things: it marks carts that have been inactive past your window as abandoned, then it emails a recovery link to any abandoned cart that is due. Emails go through your own wp_mail. The worker is idempotent, so a re-run (or an overlapping run) never double-sends.

The cart list and recovery rate

Section titled “The cart list and recovery rate”

Under WooCommerce → Recover Carts you get the full picture:

  • a list of carts with pending, abandoned and recovered counts,
  • a recovery-rate summary, and
  • a status filter to focus on one state at a time.

This is where you see how much revenue the plugin is bringing back.

Section titled “The restore link”

Each cart has a 64-character cryptographically random token. The restore link contains only that token — no customer id, no email, nothing personal. Without the exact token a cart cannot be restored, so there is no enumeration or IDOR risk.

Security model

Section titled “Security model”
  • All output is escaped and all input sanitised.
  • Every admin form and AJAX call is nonce-protected.
  • Admin pages require the manage_woocommerce capability.
  • A tiny vanilla-JavaScript snippet (no jQuery) handles early email capture on checkout, loaded deferred.

Privacy model

Section titled “Privacy model”
  • Self-hosted. Emails go through wp_mail; cart data lives in your own database. Nothing is sent to any external service.
  • Consent-gated. Guest email capture only happens after the shopper ticks the consent checkbox.
  • Data wipe. From WooCommerce → Recover Carts you can erase all stored cart data for any email address in one click.

You remain responsible for your store’s privacy policy.

Storage and clean uninstall

Section titled “Storage and clean uninstall”

Cart data lives in a single version-tracked {prefix}_recover_carts table. Deleting the plugin runs the uninstall routine, which drops the table, removes the recover_settings and recover_db_version options, and clears the scheduled recovery task — leaving nothing behind.

Compatibility

Section titled “Compatibility”

Recover is compatible with WooCommerce HPOS (Custom Order Tables) and the Cart/Checkout Blocks.