Introduction to Fraud Prevention
Fraud prevention is a fundamental part of running a successful WooCommerce store. With the rise of online shopping, fraudulent transactions, card attacks, and fake orders have become increasingly common, posing significant risks to both new and established WooCommerce stores.
Implementing a robust WooCommerce fraud prevention plugin is essential for detecting and stopping fraudulent activities before they can impact your business.
These fraud prevention tools help safeguard your online store from threats like credit card fraud, fake account creation, and other forms of WooCommerce fraud.
By proactively addressing these risks, store owners can protect their revenue, maintain customer trust, and ensure a secure shopping environment.
In this section, we’ll explore why fraud prevention is so important and the different types of fraudulent transactions that WooCommerce stores need to watch out for.
WooCommerce Store Hit by Fraudulent Bot Orders
One of our clients recently requested urgent assistance due to a sudden surge in fraudulent transactions, especially for low-value items.
When I checked her WooCommerce store orders, I noticed lots of random orders with failed status.
Strangely, all orders featured valid names and addresses, seemingly random yet proper Gmail addresses, and originated from different IP addresses.
Solutions I Tried to Tackle Bot Transactions
My customer’s target audience wasn’t very tech-savvy, so she enabled “Guest Checkout” to simplify the ordering process.
At first, it seemed that enabling “Guest Checkout” was the root of the issue, as it allowed bots to place orders easily. To combat this, I installed the Wordfence security plugin, which offers seamless reCAPTCHA integration for the WooCommerce login and registration pages.
After installing and activating Wordfence, I set up Google reCAPTCHA and enabled the WooCommerce integration feature. To further secure the process, I disabled the Guest Checkout option, requiring users to create an account or log in before placing an order as a fraud prevention measure.
Surprisingly, this didn’t help. Bot orders kept coming and coming.
So, I searched for fraud prevention plugins that can help with bot transactions and found the Fraud Prevention For WooCommerce and EDD WordPress plugin.
After a straightforward setup, I monitored the situation for a few hours to see whether any new fraudulent bot orders would come in. Unfortunately, the free version of this plugin had almost no configuration options and didn’t stop a single bot order from passing through.
Continue reading to find out what the source of the issue was and how I fixed it.
How I Detected and Prevented the Fraudulent Bot Transactions
In my client’s case, none of the plugins or captcha solutions prevented bot transactions. So, I had to dig deeper for a solution.
I decided to check the raw web server logs to analyze the bot activity and found that the bots were using the WordPress REST API to submit orders. Suddenly it made sense how they got past the CAPTCHA and all the other fraud prevention plugins.
The WordPress REST API is primarily designed for software integrations and accepts GET and POST requests. WooCommerce extends the WordPress REST API with additional endpoints, which is what the bots have been exploiting.
The marked lines starting with /wp-json/ in the web server access log show how a bot can browse the items in the shop, programmatically add products to the cart, and complete the checkout.
To disable the WP REST API for non-logged-in users, I added the following code using the popular Code Snippets plugin.
```php
// Require authentication for every WP REST API request (the pattern from the WordPress developer handbook).
add_filter( 'rest_authentication_errors', function( $result ) {
	// Another callback already authenticated the request (true) or rejected it (WP_Error): respect that.
	if ( true === $result || is_wp_error( $result ) ) {
		return $result;
	}
	// No prior result: reject anonymous requests with a 401, which also covers /wp-json/wc/store/* calls.
	if ( ! is_user_logged_in() ) {
		return new WP_Error(
			'rest_not_logged_in',
			__( 'You are not currently logged in.' ),
			array( 'status' => 401 )
		);
	}
	// Logged-in user: let the request through.
	return $result;
} );
```
Alternatively, you can add this code to your child theme’s functions.php file using your hosting provider’s file manager or FTP. The Code Snippets plugin lets you manage the same change directly from the WordPress admin, next to your WooCommerce and anti-fraud plugin settings.
I kept monitoring the site and the raw web access logs for 24 hours. The issue was resolved: my customer didn’t receive any other orders submitted by bots and was super happy with the result!
NOTICE: Some websites might need the WordPress REST API for integrations. In that case, try disabling only the WooCommerce API endpoints, or consult your WordPress developer for additional security measures. Note also that the WooCommerce Cart and Checkout blocks (and any headless front end) use this same Store API, so blocking it for anonymous users will break guest checkout on those setups.
What is a Card Attack?
Digging deeper into this topic, I found out that our client was actually facing a “Card Testing Attack” or “Card Attack”.
Card testing bots use lists of stolen credit card numbers to find out which ones still work.
They hit your WooCommerce REST API directly, completely bypassing the security measures on your checkout page.
That clearly explains how they were able to bypass the reCAPTCHA checks and all the other security measures I tried in the beginning.
If you are also seeing weird activity in your store lately, you might be under the same kind of attack.
3 signs your WooCommerce site is facing a card attack
Sign #1: Dozens of small-value orders
- Orders for the cheapest products in your catalog
- Always single items, never bulk purchases
- Failed payments but orders still show up in your system
- Happening 24/7, even at 3am
Sign #2: Suspicious customer patterns
- Email addresses like “firstname.lastname.randomnumber@gmail.com“
- Different credit cards but similar billing details
- Orders marked as “unknown” origin in WooCommerce
- Customer accounts created seconds before ordering
Sign #3: Your server logs tell the story
- Direct API calls to /wp-json/wc/store/checkout
- No referrer data (shows as “-” in logs)
- Requests bypass your actual checkout pages
- VPN IP addresses from around the world
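As an added example (not from the original post), here is a small POSIX shell/awk triage that scans combined-format access log lines for the signature above: POST requests to the Store API checkout endpoint with an empty referrer, grouped by source IP. It covers both the raw web server log check described earlier and the signs listed here; the log lines are constructed samples using documentation address ranges, not real traffic.

```shell
#!/bin/sh
# Constructed sample of combined-format access log lines (not real traffic).
SAMPLE_LOG='203.0.113.10 - - [12/May/2024:03:02:11 +0000] "POST /wp-json/wc/store/v1/cart/add-item HTTP/1.1" 201 412 "-" "python-requests/2.31"
203.0.113.10 - - [12/May/2024:03:02:12 +0000] "POST /wp-json/wc/store/v1/checkout HTTP/1.1" 400 221 "-" "python-requests/2.31"
198.51.100.7 - - [12/May/2024:03:02:15 +0000] "POST /wp-json/wc/store/checkout HTTP/1.1" 400 221 "-" "Mozilla/5.0"
192.0.2.44 - - [12/May/2024:09:14:02 +0000] "GET /shop/ HTTP/1.1" 200 8123 "https://shop.example/" "Mozilla/5.0"
192.0.2.44 - - [12/May/2024:09:15:40 +0000] "POST /wp-json/wc/store/v1/checkout HTTP/1.1" 200 950 "https://shop.example/checkout/" "Mozilla/5.0"
198.51.100.7 - - [12/May/2024:03:02:16 +0000] "POST /wp-json/wc/store/checkout HTTP/1.1" 400 221 "-" "Mozilla/5.0"'

# Read a log on stdin and print "count ip" for each client that POSTed to the
# Store API checkout endpoint (with or without the /v1/ segment) while sending
# no referrer ("-"), busiest client first. A real browser checkout carries a
# referrer, so the legitimate order from 192.0.2.44 is not counted.
suspicious_checkout_ips() {
  awk '
    $6 == "\"POST" && $7 ~ /\/wp-json\/wc\/store\/(v[0-9]+\/)?checkout/ && $11 == "\"-\"" {
      hits[$1]++
    }
    END { for (ip in hits) printf "%d %s\n", hits[ip], ip }
  ' | sort -rn
}

# Total number of such requests across all source IPs.
suspicious_checkout_total() {
  suspicious_checkout_ips | awk '{ s += $1 } END { print s + 0 }'
}

# Usage: run against the sample, or pipe a real access log into the function.
printf '%s\n' "$SAMPLE_LOG" | suspicious_checkout_ips
```

Pipe `tail -f` of the live access log through the same awk filter to watch the pattern in real time.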
The Hidden Cost of Card Attacks
Even failed transactions can cost you processing fees.
Worse, successful transactions can trigger $15+ chargeback fees.
The Simple Fix
If you’re not running headless WooCommerce or using checkout blocks, you can add the code snippet below to your child theme’s functions.php file or through the Code Snippets plugin to disable checkout via the REST API.
```php
// Refuse Store API checkout requests from anywhere but the normal checkout page.
function disable_wc_endpoint() {
	$current_url = $_SERVER['REQUEST_URI'] ?? '';
	// Match both /wp-json/wc/store/checkout and the versioned /wp-json/wc/store/v1/checkout path.
	if ( preg_match( '#/wp-json/wc/store/(v\d+/)?checkout#', $current_url ) ) {
		// Send the bot to a non-existent page instead of processing the order.
		wp_redirect( home_url( '/404.php' ) );
		exit;
	}
}
add_action( 'rest_api_init', 'disable_wc_endpoint' );
```
Make sure you compare your logs to check which API endpoint the bots are hitting. Some WooCommerce installations have “v1” in the URI path, so it might look like /wp-json/wc/store/v1/checkout in your case.
Alternatively, if you are using Cloudflare, you can add a custom security rule to block, or to issue a Managed Challenge for, requests whose path contains /wp-json/wc/store/checkout or /wp-json/wc/store/cart.
Implement reCAPTCHA for WooCommerce Checkout Page
Having prevented bot orders submitted through the WP REST API, I decided to further harden security by adding Google reCAPTCHA to the WooCommerce checkout page, as the customer asked to re-enable the “Guest Checkout” method.
There is a fantastic free plugin that provides this functionality, built by Elliot Sowersby. The reCAPTCHA for WooCommerce WordPress plugin is very easy to set up. You just need to generate reCAPTCHA v2 site and secret keys at Google reCAPTCHA, and the whole setup takes only a few minutes.
You can protect both Guest Checkout and the WooCommerce login and register forms. In my case, I only enabled it for Guest Checkout, as the login and registration pages were already protected by Wordfence.
Additional Strategies for WooCommerce Fraud Prevention
Want to add extra security measures to your online store? Consider the following best practices.
Secure Payment Processing
Choose secure payment gateways with advanced fraud prevention tools and features. These should include fraud detection algorithms and real-time monitoring to block suspicious transactions.
Opt for gateways with two-factor authentication and IP blocking to add security layers. Two-factor authentication requires users to verify their identity with a second method, while IP blocking prevents access from known malicious IP addresses.
Select gateways offering PayPal email verification to avoid fake account creation, ensuring emails are legitimate and verified. Some gateways provide detailed transaction reports and analytics, helping you spot transaction patterns and potential fraud risks.
Risk Scores and Mitigation Policies
Utilize risk scores to evaluate the potential for fraudulent activity. These scores, based on factors like IP address, billing address, and transaction history, help identify suspicious transactions quickly. By analyzing these scores, you can prioritize which transactions need further scrutiny.
Implement mitigation policies to handle high-risk transactions effectively. These are predefined actions your WooCommerce store can take, such as automatically canceling suspicious orders or requiring additional verification. Clear policies help manage fraud efficiently and reduce its impact on your business.
Customizable risk scores and mitigation policies allow you to tailor fraud prevention to your store’s needs. Adjust risk factors and policies to match your store’s characteristics and risk tolerance, ensuring effective protection against fraudulent transactions while minimizing false positives.
Monitor and Analyze Transactions
Monitor and analyze transactions to spot suspicious activity. Regular transaction reviews can reveal patterns indicating fraud, such as repeated attempts from the same IP address or billing discrepancies. Staying vigilant allows for quick responses to potential threats.
The WooCommerce admin panel provides an integrated dashboard for monitoring risk scores, fraud alerts, and suspicious orders, making it easier to track and manage potential threats in one place.
Utilize fraud prevention tools that provide real-time alerts and risk assessments. These tools help identify fraudulent transactions, enabling you to block orders from specific countries or high-risk IP addresses.
Keep Software and Plugins Up-to-Date
Regularly update your WooCommerce software and plugins to maintain security and functionality. Keeping them current protects your store from vulnerabilities that fraudsters might exploit.
This proactive approach minimizes risks and keeps your online store secure against potential threats.
Key Takeaways
- WooCommerce fraud prevention is an essential part of running a successful online store.
- Use a combination of tools and strategies to detect and prevent fraudulent activities.
- Consider using WooCommerce anti-fraud plugins and secure payment gateways to enhance your fraud prevention efforts.
- Use Cloudflare’s Bot Fight Mode and custom security rules to block and challenge malicious bots automatically, helping to reduce fraudulent bot transactions and protect your WooCommerce store from fake orders and suspicious activities.