Direct answer
To add a safe WooCommerce thank-you message, append bounded content through the native woocommerce_thankyou action after WooCommerce has loaded a valid order. Render nothing for a missing, malformed, failed, cancelled, or refunded order. Do not redirect checkout, copy the template, expose customer data, change order status, empty a cart, send an email, or add tracking code.
StoreFixKit's Thank You Message for WooCommerce follows that message-only boundary. Free supplies one store-wide next-step message. Pro can choose a different message by product, category, or payment method while Free remains independent of billing.
A thank-you message is not a thank-you page builder
After checkout, WooCommerce owns several systems:
- order validation and access;
- the order-received endpoint and order key;
- payment success or failure;
- order status;
- native order details and payment instructions;
- customer and administrator emails;
- the cart and session;
- the confirmation template and actions.
A message plugin should not become a second implementation of those systems.
WooCommerce's current thankyou.php template renders failed orders differently, prints native order details for other valid orders, then fires payment-method and general thank-you actions. The checkout handler also performs known-shopper and guest verification before showing protected order details.
The focused design is therefore to accept only the valid order ID WooCommerce passes into the native action, load that same order, check a safe status, and append one message.
Why merchants end up in templates and redirects
A beginner usually wants to say something simple:
- We are preparing your order.
- Bank transfer instructions are below.
- Download details arrive by email.
- Bring your order number when collecting.
- Our team will contact you within one business day.
Yet public support requests often lead to much larger tools. One merchant asked to edit the page after trying plugins that did not work and was directed toward template code or a page builder. Another request about the default page received plugin recommendations or a redirect snippet. A merchant who needed different text by payment method was told the feature was not available by default and required code or a plugin.
Those reports show a useful wedge: not every merchant needs page ownership. Many need one trustworthy message inside the existing confirmation.
Preserve payment truth
A success-style message must not contradict WooCommerce's order state.
StoreFixKit permits output for these order statuses:
- Pending payment;
- On hold;
- Processing;
- Completed.
It renders nothing for Failed, Cancelled, or Refunded. It also renders nothing when the order ID is missing, invalid, or does not resolve to the same order.
That conservative rule prevents a generic “Payment received” message from appearing after a declined transaction. Merchants should still write status-neutral wording unless a Pro rule and payment workflow have been tested carefully.
Allow useful formatting without active content
A next-step message benefits from a small safe HTML set:
- paragraphs and line breaks;
- bold and italic emphasis;
- ordered and unordered lists;
- normal links.
It does not need scripts, forms, iframes, images, inline styles, tracking pixels, shortcodes, embedded checkout fields, or remote content. Limit the visible text to 1,000 characters and sanitize both when saving and immediately before output.
This double boundary matters because Pro filters can replace the Free message. Every final message must pass the same allowlist before it reaches the page.
Do not put private order data in saved content
The plugin's settings are reusable merchant content. They should not contain:
- a customer's name or email;
- an order key;
- a payment token;
- a bank account unique to one customer;
- a private download URL;
- a coupon generated for one order.
Dynamic personalization would require a separate token specification, escaping rules, privacy review, and cache analysis. This release deliberately avoids it.
Test the real checkout path
Typing an order-received URL is not a substitute for checkout. Use disposable orders and test:
| Order case | Expected result |
|---|---|
| Logged-in successful order | Native details and the saved message appear |
| Guest successful order | WooCommerce access checks remain in control |
| Pending or on-hold order | Message can appear without claiming payment success |
| Failed order | StoreFixKit message is absent |
| Cancelled or refunded order | StoreFixKit message is absent |
| Missing or invalid order ID | No StoreFixKit output |
| Empty or rejected message | No empty wrapper is printed |
Then confirm payment instructions, order status, stock reduction, emails, My account, cart behavior, and repeated page views remain WooCommerce behavior.
Classic checkout, Checkout Block, and custom confirmations
The reliable contract is not a visual page name. It is the native woocommerce_thankyou action with a valid order ID.
A checkout or confirmation system may:
- fire that action in its server-rendered order confirmation;
- redirect to another WordPress page;
- render a client-side app;
- use a headless storefront;
- replace the template and omit native actions.
Only the first case is automatically inside the plugin's contract. A custom destination that bypasses the action remains unchanged.
Do not force compatibility with JavaScript that waits for an order number in the DOM. That can expose or duplicate content, run before payment state settles, and break when markup changes. Do not redirect the customer solely to add a paragraph; a redirect takes ownership of access control, order details, payment instructions, analytics, and failure behavior.
Make Pro precedence deterministic
Free solves the common case with one store-wide message. Pro adds three bounded local conditions:
- a selected product in the order;
- a selected product category;
- the order's payment method;
- the Free message as fallback.
The first matching nonempty valid message wins. Product and category selection is limited to 50 IDs. Order processing reads no more than the first 50 line items. Category lookup is bounded and runs only on the order confirmation request.
This is intentionally not a general rule engine. It does not compare totals, addresses, customer history, coupons, shipping methods, or arbitrary metadata.
Resource and failure boundary
The native action already supplies the order ID. Free needs one option read and one local order lookup. Pro may read the order's line items, product categories, and payment method within fixed limits.
It needs no:
- frontend stylesheet or JavaScript;
- custom table;
- cron or Action Scheduler job;
- background email;
- order or customer write;
- analytics event;
- customer cookie;
- redirect;
- StoreFixKit request from the confirmation page.
Missing WooCommerce, an invalid order, an excluded status, malformed content, inactive Pro, an expired license, or an unavailable license service produces no extra message. It does not interfere with WooCommerce's confirmation.
The Thank You Message documentation includes real screenshots, exact setup, compatibility limits, troubleshooting, rollback, uninstall ownership, and privacy-safe support evidence.
Beginner launch checklist
Write one useful next step
Tell the customer what happens next. Do not repeat the order number or promise payment success unless the message is valid for every allowed order status.
Test every payment method
Use each enabled gateway's sandbox or test mode where available. Confirm its native instructions remain visible and accurate.
Test failure paths
Create a failed or cancelled disposable order. The custom message must remain absent.
Check email separately
This plugin changes the confirmation page only. Verify WooCommerce emails independently and do not expect the saved page message to appear in email.
Test the off and rollback paths
Disable the setting, deactivate Free, install the previous package, and restore the current package. Native confirmation must remain usable at every step.
Security and support evidence
Only a user allowed to manage WooCommerce should save Free or Pro settings. Every write needs a nonce, capability check, bounded sanitization, and late allowlist escaping. WordPress's data validation guidance recommends validating early, sanitizing untrusted data, and escaping at output.
Useful support evidence includes a disposable order ID, status, payment method ID, selected product or category IDs, expected message, actual result, Free and Pro versions, WooCommerce version, confirmation-page owner, cache/CDN, and screenshots. Remove names, addresses, emails, order keys, credentials, payment information, and full license keys.
FAQ
Does this replace the WooCommerce thank-you page?
No. It appends one message through WooCommerce's native action.
Can it redirect customers to another page?
No. Redirect ownership is deliberately outside this product.
Why is the message absent on a failed order?
That is intentional so the message cannot contradict WooCommerce's payment result.
Does it send the message by email?
No. WooCommerce email behavior remains separate and unchanged.
What happens when Pro expires?
The Free store-wide message continues locally. Product, category, and payment-method rules require an active product-bound license.
Focused plugin
Use the one-job implementation.
Append one safe next-step message to WooCommerce's native order-received page without replacing checkout, redirecting the buyer, or changing an order.