If you log in to your WooCommerce back end, view recent orders and notice many with a failed status, you may be getting hit with credit card testing bot spam. Credit card testing attacks involve bots that test credit card validity using your WooCommerce checkout page. The scammer will run hundreds, if not thousands, of credit card number combinations in an attempt to guess the right PIN and card number combination.
Credit Card Testing Bots
Scammers will use bots in an attempt to purchase low-priced products on your website using various stolen credit card details. They usually attack the same <$20.00 product over and over until they find a valid combination of credit card information. It's not unusual for the same bot to hit a website 1,000 times in a single day for the same product.
How Credit Card Testing Bots Cause Harm
Credit card bot attacks not only take up valuable site resources, but they also clog up your order page with failed attempts and pose a financial risk. Every time the bot tries a new credit card number combination, a failed order is created in WooCommerce and an email notification is sent.
In the event the scammer or bot succeeds with valid credit card credentials, you as the site owner are obligated to issue a refund or face chargebacks. This is manageable if only a small number of credit card credentials are successful, but larger numbers could pose a significant financial burden. An excessive number of chargebacks could also get you blacklisted by payment processors.
Digging through several message boards, it's very apparent that credit card testing bot spam is a growing problem. Even more frustrating, WooCommerce hasn’t come out with an in-house solution to completely resolve this issue.
Blocking Credit Card Testing Bots
IP Address – Credit card bot spam usually involves the same scammer trying credentials repeatedly until successful. The logical solution would seem to be blocking the user's IP address with a security plugin like Wordfence. Unfortunately, scammers just change IP addresses and continue the attacks.
Email – Blocking by email domain doesn’t work either, as it blocks legitimate accounts and orders. An example email address might look something like “deannahaneyfvyzex9d@outlook(dot)com”. You can block a specific email service, but doing so also blocks legitimate orders. The scammers can also change their email or make dummy accounts.
reCAPTCHA – A logical method to block card testing bots is installing reCAPTCHA below the payment details on your checkout page. This method seems to have limited success, as bots have grown increasingly intelligent. It also doesn’t stop physical users from simply clicking the checkbox.
Disable Guest Checkout – Another option may be to simply disable guest checkouts, but this doesn’t come without drawbacks. Guest checkouts are a huge convenience to many online shoppers. Many users don’t want to take the time creating an account, confirming email and personal details.
Disabling guest checkouts has proven to decrease sales conversion rates. Bots can also just create hundreds of site accounts, further clogging up your WC backend and email account.
Enabling Rate Limit Checkout In WooCommerce
WooCommerce released a feature called “Rate limit Checkout” in its recent plugin update. To access this setting, go to WooCommerce > Settings > Advanced > Features > Rate Limit Checkout and click the checkbox to enable it. This enables rate limiting for Checkout place order and Store API /checkout endpoints.
WooCommerce provides Rate limit checkout documentation with settings that can be customized through the Options Filter.
- 3 requests within a 60-second time frame
- 25 requests within a 10-second time frame
Bypassing WooCommerce Checkout Using API/REST
Credit card bot attacks might not actually be coming through the WooCommerce account, cart and checkout pages. Bots can instead attack through the WP REST API at /wp-json/wc/. They can query the product catalog, searching for and ordering the cheapest product offered.
WooCommerce wrote their own article addressing this issue: Card Testing Attacks and the Store API
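To see whether checkout requests are arriving faster than the "3 requests within a 60-second time frame" limit above, and whether they are spread across rotating IP addresses, you can scan your web server access log. The script below is an added example, not code from WooCommerce. It assumes a combined-format access log in time order, and it assumes the classic place order call appears as ?wc-ajax=checkout and the Store API checkout route sits under /wp-json/wc/; the function names and log lines are made up for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"')
# Classic "place order" AJAX call, or any checkout route under /wp-json/wc/ (assumed paths).
CHECKOUT = re.compile(r"[?&]wc-ajax=checkout\b|^/wp-json/wc/[^?]*checkout")

def checkout_posts(lines):
    """Yield (epoch_seconds, ip) for each POST to a checkout endpoint."""
    for line in lines:
        m = LINE.match(line)
        if m and m.group(3) == "POST" and CHECKOUT.search(m.group(4)):
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            yield ts.timestamp(), m.group(1)

def per_ip_bursts(lines, limit=3, window=60):
    """Return {ip: peak} for IPs with more than `limit` checkout POSTs inside `window` seconds."""
    recent, peaks = defaultdict(deque), {}
    for ts, ip in checkout_posts(lines):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] >= window:   # drop requests that fell out of the window
            q.popleft()
        if len(q) > limit:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks

def distinct_ip_peak(lines, window=60):
    """Largest number of different IPs hitting checkout within any `window` seconds.
    A high value with few per-IP bursts suggests IP rotation."""
    q, peak = deque(), 0
    for ts, ip in checkout_posts(lines):
        q.append((ts, ip))
        while ts - q[0][0] >= window:
            q.popleft()
        peak = max(peak, len({addr for _, addr in q}))
    return peak

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2025:10:00:00 +0000] "POST /wp-json/wc/store/v1/checkout HTTP/1.1" 400 512',
    '203.0.113.7 - - [12/Mar/2025:10:00:05 +0000] "POST /wp-json/wc/store/v1/checkout HTTP/1.1" 400 512',
    '192.0.2.5 - - [12/Mar/2025:10:00:08 +0000] "GET /wp-json/wc/store/v1/products HTTP/1.1" 200 9001',
    '203.0.113.7 - - [12/Mar/2025:10:00:10 +0000] "POST /wp-json/wc/store/v1/checkout HTTP/1.1" 400 512',
    '203.0.113.7 - - [12/Mar/2025:10:00:15 +0000] "POST /wp-json/wc/store/v1/checkout HTTP/1.1" 400 512',
    '198.51.100.20 - - [12/Mar/2025:10:00:20 +0000] "POST /?wc-ajax=checkout HTTP/1.1" 200 301',
    '192.0.2.9 - - [12/Mar/2025:10:00:30 +0000] "POST /?wc-ajax=checkout HTTP/1.1" 200 301',
    '192.0.2.9 - - [12/Mar/2025:10:02:00 +0000] "POST /?wc-ajax=checkout HTTP/1.1" 200 301',
]
```

Run per_ip_bursts and distinct_ip_peak over open("access.log") on your own server; a per-IP result that stays empty while the distinct-IP peak climbs is the pattern that IP blocking alone will not catch.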


I write tutorials about WordPress, speed, SEO and marketing. With over a decade of experience, I’ve learned a lot and I’d like to share my knowledge with you.