WooCommerce generated almost 500 failed orders

Something happened and we got almost 500 fake orders. All the names are different, but they all were trying to send a gift card to the email address afas@gg.com

I’ve been doing WordPress dev work for 20 years and I’ve never seen this happen. Is there a way to block things like this? Do I need to be concerned about hacking? What can we do?

  • Amin Nazemi
    • Staff

    Hi Ellis Benus

    I hope you are well and safe and thank you for contacting us.

    Upon reviewing your site I did not notice anything suspicious that shows your site being hacked, so it is more likely that a bot is spamming your orders.

    A simple solution here is to use ReCaptcha for your checkout page; it can be implemented using different plugins, but I suggest using Defender Pro as it is already included in your membership package, and you can install it from wp-admin -> WPMUDEV -> plugins.
    https://wpmudev.com/docs/wpmu-dev-plugins/defender/#google-recaptcha

    Once you have installed Defender you may try to run a malware scan and follow its recommendations, and please note you can find the recaptcha under the Defender -> Tools menu.

    If you have any other questions or issues please don’t hesitate to let us know.

    Best Regards
    Amin

  • Daniel Voran
    • Flash Drive

    Sounds like you were hit with a card fishing bot, a bot trying many different credit cards to find out which ones work. What I have found effective in preventing this is to put the store and especially the checkout page behind a challenge that bots can’t pass. One is to install a plugin like Simple Cloudflare Turnstile. It can prevent bots from accessing the sign in, registration, and checkout pages of your site.
    And another is to put the site behind a DNS proxy service like Cloudflare. It does involve moving your DNS records to Cloudflare and having Cloudflare filter requests to your domain before it passes requests on to your site at WPMUDev. It’s a little bit of work but worth it to protect an ecommerce site.
    And if you are using Cloudflare you can block requests to add items to a cart, to register, and to checkout by requiring Cloudflare’s JS challenge before the requests are allowed. This JS challenge requires requests to pass a 200k javascript test which browsers will have no trouble passing but which bots can’t. What users see is a brief message saying “Verifying you are a human” before the page appears. It lasts a second or two and once users pass the test, they won’t see it for another hour.
    Since you say they were sending ecards, you could put the page where users fill out the card details behind the JS challenge. Then bots would not be able to fill out the form.
    Another thing to do if possible is to use your credit card processor's velocity controls. Your credit card processor may allow you to limit the number of transactions that can come from a single IP within a certain amount of time, for example, no more than 5 transactions from the same IP within 5 minutes, and limit the number of transactions against any card within a certain amount of time. Those can be effective in limiting card fishing attempts.
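    The two patterns described in this thread (a burst of failed orders from one source, and many different buyer names all sending gift cards to the same recipient address) can be checked for after the fact in an order export, before deciding which of the controls above to turn on. The script below is an added example and is not code from the forum thread, WPMU DEV, Defender or WooCommerce. It assumes orders have been exported into plain records with the fields used in SAMPLE_ORDERS; those field names, the IP addresses (RFC 5737 test ranges), the recipient address and every order in the sample are constructed for this illustration. The velocity threshold mirrors Daniel's example of no more than 5 transactions from one IP within 5 minutes.

```python
"""Flag card-testing bursts in an exported list of WooCommerce-style orders.

Added example; not part of the thread or of any WooCommerce/WPMU DEV code.
Field names, IPs, e-mail addresses and timestamps below are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export: eight failed gift-card orders from a single IP,
# each under a different billing name, all addressed to one recipient and
# placed 30 seconds apart, plus two ordinary completed orders.
_BURST_NAMES = ["Alice Smith", "Bob Jones", "Carol White", "Dan Brown",
                "Eve Black", "Frank Green", "Grace Hill", "Hank Stone"]
SAMPLE_ORDERS = [
    {"id": 1000 + i,
     "created": f"2024-05-01T10:{i // 2:02d}:{(i % 2) * 30:02d}",  # 10:00:00 .. 10:03:30
     "status": "failed",
     "billing_name": name,
     "ip": "203.0.113.9",                       # constructed (TEST-NET-3)
     "recipient_email": "gift-target@example.invalid"}  # constructed placeholder
    for i, name in enumerate(_BURST_NAMES)
]
SAMPLE_ORDERS += [
    {"id": 2001, "created": "2024-05-01T09:58:00", "status": "completed",
     "billing_name": "Pat Customer", "ip": "198.51.100.20",
     "recipient_email": "friend@example.invalid"},
    {"id": 2002, "created": "2024-05-01T11:20:00", "status": "completed",
     "billing_name": "Sam Buyer", "ip": "192.0.2.77", "recipient_email": ""},
]


def _ts(value):
    """Parse the ISO 8601 timestamp used in the export."""
    return datetime.fromisoformat(value)


def ips_exceeding_velocity(orders, max_orders=5, window=timedelta(minutes=5)):
    """Return {ip: peak_count} for IPs that placed more than `max_orders`
    orders inside any sliding window of length `window`."""
    by_ip = defaultdict(list)
    for order in orders:
        by_ip[order["ip"]].append(_ts(order["created"]))

    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        recent = deque()   # timestamps inside the current window
        peak = 0
        for t in times:
            recent.append(t)
            while t - recent[0] > window:   # drop orders older than the window
                recent.popleft()
            peak = max(peak, len(recent))
        if peak > max_orders:
            flagged[ip] = peak
    return flagged


def recipients_with_many_names(orders, min_names=5, statuses=("failed",)):
    """Return {recipient_email: distinct_billing_names} for recipient
    addresses that received attempts under at least `min_names` different
    buyer names; this is the pattern in the original post."""
    names = defaultdict(set)
    for order in orders:
        if order["status"] in statuses and order.get("recipient_email"):
            names[order["recipient_email"]].add(order["billing_name"].strip().lower())
    return {email: len(n) for email, n in names.items() if len(n) >= min_names}


def card_test_report(orders):
    """Combine both checks into one report for review."""
    return {"velocity_ips": ips_exceeding_velocity(orders),
            "suspicious_recipients": recipients_with_many_names(orders)}


if __name__ == "__main__":
    print(card_test_report(SAMPLE_ORDERS))
```

    On the constructed sample the velocity check flags the single source IP and the recipient check flags the one gift-card address; the two completed orders are not reported. Run over a real export, a hit on either check is the signal that the checkout page, and the gift-card recipient form specifically, should sit behind a challenge or be subject to the processor's velocity limits as discussed above.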

  • Ellis Benus
    • Site Builder, Child of Zeus

    Thank you for the fantastic information!

    I’m curious, would the defender pro change Amin suggested be enough, or do I need to do that in addition to the other recommendations?

    Also, if I use Defender pro, does it have conflicts with SiteGround’s security plugin?

  • Fida Al Hasan
    • Staff

    Hello Ellis Benus,

    I hope you are doing well.

    I’m curious, would the defender pro change Amin suggested be enough, or do I need to do that in addition to the other recommendations?

    It will be better if you try that first, but that should prevent spam orders by bots.
    Additionally, you can use the Akismet Anti-spam plugin.

    Also, if I use Defender pro, does it have conflicts with SiteGround’s security plugin?

    They may create conflicts. So, it will be better if you use only one plugin. The Defender Pro has lots of features. I suggest you try that while deactivating the SiteGround Security Optimizer plugin.

    Kind Regards,
    Fida Al Hasan