Saturday, May 21st, 2022

Managing Fraudulent Orders in WooCommerce

One morning I woke up to find 20,000 new fraudulent orders on a WooCommerce site that I manage. Most of them were in a failed state, but some had completed successfully. We quickly determined it was a card testing attack, in which a fraudster uses an automated system to run a large number of stolen credit card numbers through our checkout to find out which ones are still valid.

The biggest concern with this type of attack is that it may cause your credit card processor to stop processing payments from your site entirely, which means you cannot take payments until you find a new payment processor, and by then the business may be over.

As soon as we noticed the fraud, we alerted our payment processor and told them we were taking steps to stop the attack and refund the fraudulent orders, which I believe helped to keep our account in good standing.

Steps for managing the attack

There are several ways to help prevent this type of attack.

Captcha
The method suggested by our payment processor was to add a captcha to the account creation page and checkout page. This makes it more difficult for fraudsters to use automated tools to test cards. I’ve heard it’s very effective and a lot of sites use it, but it wasn’t our first choice because we wanted to avoid any extra friction at checkout for legitimate customers.

Cloudflare firewall

Cloudflare is a service that sits in front of a web server and manages incoming requests. We mainly use it as a caching layer and CDN to improve website performance, but it is also a great defensive layer for blocking malicious traffic. Their $20/month Pro plan is one of the best values you can find for an ecommerce business (full disclosure: I’ve since bought NET stock and fully expect they’ll raise prices 10x at some point).

While the attack was underway, the first step we took was to block, in Cloudflare, the IP addresses that accounted for most of the malicious traffic. It was obvious which IP addresses needed to be blocked because they were sending 1000x more traffic than anything else. (It will not always be this obvious, though; an attacker may rotate through, or spoof, many IP addresses.)

The next thing we did was turn on Super Bot Fight Mode, which does exactly what it sounds like.

We blocked all “definitely automated” bot traffic, which immediately shut down the rest of the attack. It also blocked some of the good bots we rely on for third-party services, so when we noticed those had started to fail we added their IPs or user agents to an allow list so that all of their traffic is let through.

Since the attack intensifies whenever we disable this Super Bot Fight Mode rule, we now leave it turned on permanently.

Cloudflare rate limiting

Cloudflare has rate limiting rules that limit certain types of actions on specific pages. As a further step to prevent fraud, we now issue a challenge if a single IP address tries to load the account page or checkout page more than 10 times in a minute (which would be hard for a typical customer to do).
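As an added illustration of the two Cloudflare rules described above (the allow list for good bots and the rate limit on the account and checkout pages), here they are as Cloudflare WAF expressions. This is not configuration from the original post. The IP ranges and user agent string are constructed placeholders, and the URL paths assume WooCommerce’s default /checkout/ and /my-account/ pages plus the /?wc-ajax=checkout endpoint the checkout form posts to.

```text
# Lines starting with "#" are annotations for this page; the dashboard takes
# only the expression itself.

# Rule 1: WAF custom rule with action "Skip", configured to skip Super Bot
# Fight Mode, placed above the bot rules so our third-party integrations
# keep working. IPs and user agent are constructed placeholders.
(ip.src in {203.0.113.0/24 198.51.100.50})
  or (http.user_agent contains "ExampleWebhookBot/1.0")

# Rule 2: Rate limiting rule, characteristic "IP address", 10 requests per
# 1 minute, action "Managed Challenge". Matching the AJAX endpoint matters:
# the checkout form posts to /?wc-ajax=checkout, so a rule on the path
# "/checkout" alone would never count the actual card attempts.
(http.request.uri.path contains "/checkout")
  or (http.request.uri.path contains "/my-account")
  or (http.request.uri.query contains "wc-ajax=checkout")
```

A tighter variant of rule 2 adds `http.request.method eq "POST"` so that only form submissions count toward the limit and a customer who merely reloads the checkout page a few times is never challenged; the trade-off is that it no longer slows down an attacker who scrapes the page for a fresh nonce before each attempt. Whichever form you use, keep the allow-list rule narrow (exact IPs or a distinctive user agent), since a broad skip rule is itself a gap an attacker can drive through.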

Steps for cleaning up fraudulent orders

Once the attack was stopped, we still had 20k+ failed orders, customer accounts, and subscriptions to deal with. We decided to delete everything except the ~5 orders that had completed and were then refunded (so that we have a record of them).

Since the fraudster only used about 20 IP addresses to create all these orders, we wrote a script to identify them by the IP address used and then delete them. If you have this issue and the attacker rotated IP addresses, though, you will need some other way to identify the fraudulent orders.

Deleting 20k orders, subscriptions, accounts and all the related meta in WooCommerce takes a long time. We wrote a script to do this and basically left it running all day. If this script might be useful to you, you can find it here.
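The following is an added example of such a cleanup script, written for this page and not the author’s script linked above. It runs under WP-CLI (`wp eval-file delete-card-test-orders.php`), selects orders and subscriptions by the customer IP WooCommerce stores on each order, keeps completed and refunded orders as records, and removes only customer accounts that have nothing left. It assumes WooCommerce’s `customer_ip_address` order-query argument, that WooCommerce Subscriptions registered the `shop_subscription` order type, and the IP addresses are constructed placeholders from the TEST-NET documentation ranges.

```php
<?php
/**
 * Added example, not the script from the post: bulk-delete the orders,
 * subscriptions and throwaway customer accounts a card-testing attack left
 * behind, selected by the customer IP WooCommerce stores on each order.
 *
 * Run on the server:  wp eval-file delete-card-test-orders.php
 *
 * Assumptions (mine, not the post's): WooCommerce's `customer_ip_address`
 * order-query argument; WooCommerce Subscriptions registered the
 * `shop_subscription` order type; the IPs below are constructed placeholders
 * from the TEST-NET documentation ranges.
 */

$fraud_ips     = [ '203.0.113.10', '203.0.113.11', '198.51.100.7' ]; // constructed
$dry_run       = true;   // set to false only after the dry-run output looks right
$batch_size    = 200;    // bounded memory; 20k orders still take a long time
$delete_status = [ 'failed', 'pending', 'cancelled' ]; // completed/refunded orders stay as records

require_once ABSPATH . 'wp-admin/includes/user.php'; // provides wp_delete_user()

$touched_users = []; // user_id => number of that user's orders we (would) delete

foreach ( $fraud_ips as $ip ) {
    $seen = 0;
    while ( true ) {
        $orders = wc_get_orders( [
            'type'                => [ 'shop_order', 'shop_subscription' ],
            'status'              => $delete_status,
            'customer_ip_address' => $ip,
            'limit'               => $batch_size,
            // A real run deletes each batch, so page 1 always holds the next batch;
            // a dry run deletes nothing and therefore has to page forward.
            'page'                => $dry_run ? intdiv( $seen, $batch_size ) + 1 : 1,
        ] );
        if ( empty( $orders ) ) {
            break;
        }
        foreach ( $orders as $order ) {
            $uid = $order->get_customer_id();
            if ( $uid ) {
                $touched_users[ $uid ] = ( $touched_users[ $uid ] ?? 0 ) + 1;
            }
            WP_CLI::log( sprintf( '%s %s #%d (%s) from %s',
                $dry_run ? 'would delete' : 'deleting',
                $order->get_type(), $order->get_id(), $order->get_status(), $ip ) );
            if ( ! $dry_run ) {
                $order->delete( true ); // force delete: skips the trash, removes meta too
            }
        }
        $seen += count( $orders );
    }
    WP_CLI::log( "$ip: $seen orders/subscriptions" );
}

// Accounts the fraud orders created: delete only customer-role users with no
// order left outside the deleted statuses (a kept refunded order keeps the account).
$keep_status = array_diff(
    array_keys( wc_get_order_statuses() ),               // 'wc-pending', 'wc-completed', ...
    array_map( function ( $s ) { return "wc-$s"; }, $delete_status )
);
foreach ( array_keys( $touched_users ) as $uid ) {
    $user = get_userdata( $uid );
    if ( ! $user || ! in_array( 'customer', (array) $user->roles, true ) ) {
        continue; // never delete staff or accounts holding any other role
    }
    $kept = wc_get_orders( [
        'customer_id' => $uid,
        'status'      => $keep_status,
        'limit'       => 1,
        'return'      => 'ids',
    ] );
    if ( ! empty( $kept ) ) {
        continue;
    }
    WP_CLI::log( ( $dry_run ? 'would delete user ' : 'deleting user ' ) . $user->user_email );
    if ( ! $dry_run ) {
        wp_delete_user( $uid );
    }
}
```

Take a database backup before flipping `$dry_run` to `false`, and review the dry-run log for any order whose IP matches but whose status or customer looks legitimate; an IP shared by a NAT or a VPN exit can put a real customer’s failed order in the same list. The script refuses to touch completed or refunded orders and non-customer roles by design, so those survive even if an attacker’s IP appears on them.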


If you are running a WooCommerce business, you should definitely be aware of such attacks. I highly recommend setting up Cloudflare now, so that you have everything you need when you need it, with some basic fraud prevention rules already in place.
