How We Potentially Stopped Automated Fraud Attempts in WooCommerce

In recent weeks, many WooCommerce store owners have reported a sudden rise in failed orders, often appearing every few minutes with:

  • Random customer names
  • Small, identical order values (e.g., £9.95)
  • “Payment provider declined” messages
  • “Origin: Unknown” order sources

At first glance this can look like a broken payment gateway or malfunctioning checkout.
However, this pattern is a tell-tale sign of a card-testing attack.

Below, we explain what happened, why WooCommerce is targeted, and exactly how we resolved the issue.


What Is a Card-Testing Attack?

Card-testing is when fraudsters or automated bots try to confirm whether stolen or generated credit card numbers are valid. They do this by sending rapid-fire payment attempts through online checkout forms.

WooCommerce’s checkout endpoint — especially the newer “Store API” (/wp-json/wc/store/v1/checkout) — is a common target because:

  • It’s publicly accessible
  • It handles payments
  • Bots can submit data without loading the full website

If the payment provider declines the charge, WooCommerce creates a Failed Order, often filling the website admin with dozens or hundreds of entries.


Symptoms We Saw in This Case

Our client’s store began showing:

  • Failed WooCommerce orders every 10–20 minutes
  • Fake customer names and email addresses
  • Repeated attempts for the same order value
  • Logs showing “Payment provider declined the payment”
  • No matching payment logs from the gateway
  • No real customer activity at those times

These are all strong indicators of automated checkout abuse.


How We Identified the Attack

We reviewed:

  • WooCommerce order notes
  • Checkout behaviour
  • REST API requests
  • Wordfence Live Traffic logs
  • Payment gateway logs
  • Server activity

This revealed direct POST requests being made to the WooCommerce Store API with no user-agent, no referrer, and no legitimate session data — a classic bot signature.
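The following is an added illustration, not code from the original post or from the tools it names, of the bot signature described above and of the Wordfence condition in section 2A (POST with blank User-Agent and Referer). It runs over constructed access-log lines in the common "combined" format; the IPs, timestamps and order of events are made up.

```python
import re
from collections import Counter

# Constructed sample lines in "combined" access-log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Nov/2025:14:02:11 +0000] "POST /wp-json/wc/store/v1/checkout HTTP/1.1" 400 512 "-" "-"
198.51.100.7 - - [10/Nov/2025:14:02:15 +0000] "GET /checkout/ HTTP/1.1" 200 8192 "https://shop.example/cart/" "Mozilla/5.0 (Windows NT 10.0; rv:120.0) Gecko/20100101 Firefox/120.0"
198.51.100.7 - - [10/Nov/2025:14:02:40 +0000] "POST /wp-json/wc/store/v1/checkout HTTP/1.1" 200 1024 "https://shop.example/checkout/" "Mozilla/5.0 (Windows NT 10.0; rv:120.0) Gecko/20100101 Firefox/120.0"
203.0.113.10 - - [10/Nov/2025:14:12:09 +0000] "POST /wp-json/wc/store/v1/checkout HTTP/1.1" 400 512 "-" "-"
203.0.113.22 - - [10/Nov/2025:14:22:31 +0000] "POST /wp-json/wc/store/v1/checkout HTTP/1.1" 400 512 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
CHECKOUT_PATH = "/wp-json/wc/store/v1/checkout"

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_headless_checkout_post(rec):
    """Same condition as the Wordfence rule: a POST to the Store API checkout
    with a blank User-Agent and a blank Referer (both logged as "-")."""
    return (rec["method"] == "POST" and rec["path"] == CHECKOUT_PATH
            and rec["referer"] in ("", "-") and rec["ua"] in ("", "-"))

def find_card_testing_candidates(log_text):
    """Return (flagged, failures): flagged lists (ip, timestamp) for headless
    checkout POSTs; failures counts non-200 checkout POSTs per source IP."""
    flagged = []
    failures = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"] == CHECKOUT_PATH and rec["status"] != "200":
            failures[rec["ip"]] += 1
        if is_headless_checkout_post(rec):
            flagged.append((rec["ip"], rec["ts"]))
    return flagged, failures

if __name__ == "__main__":
    flagged, failures = find_card_testing_candidates(SAMPLE_LOG)
    for ip, ts in flagged:
        print(f"headless checkout POST from {ip} at {ts}")
    print("failed checkout POSTs per IP:", dict(failures))
```

The script-style User-Agent on the last sample line is not caught by the blank-header rule alone, which is why the rate-limit thresholds in section 2B and the per-IP failure count matter as a second signal.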


How We Resolved the Issue

We implemented a multi-layered security approach to block malicious checkout submissions while keeping the checkout smooth for real customers.


✔ 1. Installed a Checkout CAPTCHA

We added the Cloudways CAPTCHA plugin, which places a lightweight CAPTCHA challenge on the checkout page.

This:

  • Prevents bots from submitting the checkout form
  • Ensures only real humans complete payment
  • Works invisibly for most customers

CAPTCHA alone stops a large chunk of automated attacks.


✔ 2. Enabled Wordfence Firewall Protection

We tuned Wordfence to act as a strong first line of defence:

A. Blocked bots sending POST requests with no browser headers

We activated the rule:

“Block IPs who send POST requests with blank User-Agent and Referer.”

Bots typically do this; real customers never do, because every browser sends a User-Agent header with the checkout request.

This rule effectively blocks:

  • Card-testing bots
  • API-based attacks
  • curl / Python / Node scripts
  • Direct hits to /wp-json/wc/store/v1/checkout

B. Added page-view and rate-limit thresholds

We configured safe limits that stop bots without affecting humans:

  • Limit visitors loading pages too quickly
  • Block “fake” crawlers
  • Block anyone hitting too many “page not found” URLs
  • Slow down suspicious behaviour

This stops bots that attempt to overload the site or scan for vulnerabilities.


✔ 3. Verified Customer Checkout Remained Unaffected

We tested:

  • Adding items to cart
  • Viewing checkout
  • Submitting orders
  • Logging into accounts
  • Payment gateway processing

All behaved normally for real customers.


Result: Fake Failed Orders Stopped Completely

After applying these protections:

  • The fake failed orders stopped
  • Checkout performance improved
  • Payment gateway logs returned to normal
  • No further suspicious activity was detected

The store is now protected against this type of attack going forward.


Why This Matters for WooCommerce Stores

Card-testing attacks can:

  • Damage payment gateway reputation
  • Trigger account reviews from Stripe/PayPal
  • Lead to fee increases
  • Slow down the website
  • Fill the admin panel with noise
  • Cause confusion for store owners

Securing the checkout is essential for any WooCommerce store.


How to Protect Your Store

We recommend that every WooCommerce site owner take these steps:

  • Add CAPTCHA to checkout
  • Use a modern security plugin such as Wordfence
  • Limit access to WooCommerce API endpoints
  • Monitor for spikes in failed payments
  • Enable fraud tools in Stripe/PayPal/WooPayments

Preventing abuse is far easier than cleaning up after it.