How to Stop Card Testing Attacks on Your WooCommerce Store

Have you ever opened your WooCommerce dashboard to find dozens or even hundreds of strange, failed orders, often with bizarre names and foreign IP addresses? If so, you may have been the target of a card-testing attack.

These attacks can quietly cost your business hundreds, even thousands, in fees, stress, and time.

The worst part? They often occur in legitimate stores that are doing everything “by the book.”

In this post, I’ll break down what card testing is, why WooCommerce is a common target, and, most importantly, how to protect your store using server-side CAPTCHA, Stripe Radar rules, and some smart configuration.

What is Card Testing?

Card testing is a type of fraud where bots attempt to use hundreds or thousands of stolen credit card numbers on a real checkout page to determine which ones are valid. They tend to target:

  • Low-cost digital products
  • Sites without rate-limiting or bot protection
  • Stores using card gateways like Stripe or PayPal Standard

If even a few of these transactions go through, you’re left refunding fraud charges and eating the transaction fees.

How Bots Bypass WooCommerce Checkouts

Even if you’ve installed a CAPTCHA plugin, bots can still bypass it. Here’s how:

  1. Direct POST Requests: Bots skip the front-end form and submit directly to /checkout or ?wc-ajax=checkout, so a widget that only runs in the browser never sees them.
  2. CAPTCHA Not Enforced Server-Side: Many CAPTCHA plugins render the widget but never validate the token on the server, or validate it only on the classic checkout and not on the Store API. If the server does not reject a missing or bad token, the widget is decoration.
  3. Stripe Token Abuse: Your live Stripe publishable key is public by design (it sits in your page source), so bots use it to create card tokens against Stripe directly and then hand them to WooCommerce.
  4. Unauthenticated Store API: The Store API (/wp-json/wc/store/v1/...) that powers the Cart and Checkout blocks needs no login or API key, so orders can be created without ever loading your checkout page. (The separate wc/v3 REST API requires API keys or a logged-in user and is a much smaller risk unless a key leaks.)

The Store API and Checkout Block: A New Target

Recent versions of WooCommerce introduced the Store API (/wp-json/wc/store/v1/checkout) to power the Checkout Block. Its routes are registered whether or not you actually use the block, and attackers now POST to this endpoint directly to run card testing, bypassing your checkout page (and any front-end-only CAPTCHA) entirely.

Here are key updates you should be aware of:

  • Rate limiting (WooCommerce 9.6+): Built-in controls exist to slow down repeated Store API requests, but they’re disabled by default. You switch them on in code with the woocommerce_store_api_rate_limit_options filter (in a small plugin or your theme’s functions.php).
  • Fingerprinting (WooCommerce 9.8+): Instead of keying the limit on IP alone, WooCommerce can combine IP, user agent and Accept-Language headers. This makes it harder for bots to evade the limit by rotating IP addresses alone.
  • Proxy mode: If your site runs behind Cloudflare or a load balancer, every request arrives from the proxy’s IP, so without proxy support the limit either never trips or throttles all your customers as one “visitor”. Enable proxy support so WooCommerce reads the forwarded client IP, but only when every request really passes through the proxy; if the origin is reachable directly, a bot can spoof the forwarded header and give itself a fresh “IP” on every request.
  • Updated CAPTCHA plugins: WooCommerce has identified that older versions of popular CAPTCHA plugins do not protect the Store API or Checkout Block. Ensure you’re running a patched version (e.g. Google reCAPTCHA by Koala Apps 1.4.1+, I13 Solutions reCAPTCHA 2.57+, Cloudflare Turnstile 1.28.0+).

These changes underscore that relying solely on front-end protections is insufficient. Modern bots go straight to the API, so you need to harden WooCommerce itself.
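As an added example (not code from the original post), this is how you switch on the built-in Store API rate limiting described above. The filter name and option keys are WooCommerce’s own; the limit and window are my starting point rather than WooCommerce’s defaults (which are 25 requests per 10 seconds once enabled), and WC_BEHIND_TRUSTED_PROXY is a hypothetical constant you would define in wp-config.php.

```php
<?php
/**
 * Added example: enable WooCommerce's built-in Store API rate limiting.
 * Filter name and option keys are WooCommerce's; the numbers are my own.
 * Drop this into wp-content/mu-plugins/ so it survives theme changes.
 */
add_filter( 'woocommerce_store_api_rate_limit_options', function ( array $options ): array {
    // Hypothetical constant from wp-config.php. Set it true ONLY when every request
    // reaches PHP through your proxy (Cloudflare, a load balancer). If the origin is
    // reachable directly, a bot can spoof the forwarded-IP header, appear as a new
    // "IP" on every request, and the limit never trips.
    $behind_trusted_proxy = defined( 'WC_BEHIND_TRUSTED_PROXY' ) && WC_BEHIND_TRUSTED_PROXY;

    return array_merge( $options, [
        'enabled'       => true,                  // off by default in WooCommerce
        'proxy_support' => $behind_trusted_proxy, // read the client IP from forwarded headers
        // The counter covers every Store API call from a client, including the
        // Cart/Checkout blocks' own reads and address updates, so leave headroom
        // for a real shopper. A card-testing bot fires hundreds in this window.
        'limit'         => 60,
        'seconds'       => 60,
    ] );
} );
```

Once enabled, WooCommerce answers requests over the limit with HTTP 429. Watch your access logs for 429s coming from real customers for a few days before tightening the numbers.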

👉 For step-by-step instructions, sample code, and printable checklists, download the WooCommerce Card Testing Protection Pack.

Signs You’re Under Attack

  • A surge of failed orders with strange names
  • Payments from unexpected countries
  • Dozens of small, low-value transactions in quick succession
  • Sudden Stripe or PayPal chargeback fees with no matching customer activity
Symptoms of a Card Testing Attack
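As an added example that is not part of the original post, here is a WP-CLI script that turns those symptoms into a check: it groups the last hour’s failed and pending orders by customer IP, user agent and billing country so a card-testing run (one source, many tiny failed orders) stands out. The window, thresholds and the “small order” amount are my own starting points, not WooCommerce defaults.

```php
<?php
/**
 * Added example (not from the original post). Save as card-testing-check.php in
 * the site root and run:  wp eval-file card-testing-check.php
 * Uses WooCommerce's wc_get_orders() so it works with or without HPOS.
 */

$window_seconds = HOUR_IN_SECONDS;
$per_ip_alert   = 5;   // failed orders from a single IP inside the window
$total_alert    = 20;  // failed orders overall inside the window
$small_amount   = 5.0; // "tiny" order in store currency; testers probe with small charges

// Card tests usually end as 'failed'; some gateways leave them 'pending' instead.
$orders = wc_get_orders( [
    'status'       => [ 'failed', 'pending' ],
    'date_created' => '>' . ( time() - $window_seconds ),
    'limit'        => -1,
    'return'       => 'objects',
] );

$by_ip = $by_ua = $by_country = [];
$small = 0;

foreach ( $orders as $order ) {
    $ip      = $order->get_customer_ip_address() ?: 'unknown';
    $ua      = $order->get_customer_user_agent() ?: 'unknown';
    $country = $order->get_billing_country() ?: 'unknown';

    $by_ip[ $ip ]           = ( $by_ip[ $ip ] ?? 0 ) + 1;
    $by_ua[ $ua ]           = ( $by_ua[ $ua ] ?? 0 ) + 1;
    $by_country[ $country ] = ( $by_country[ $country ] ?? 0 ) + 1;

    if ( (float) $order->get_total() < $small_amount ) {
        $small++;
    }
}

arsort( $by_ip );
arsort( $by_ua );
arsort( $by_country );

printf( "Failed/pending orders in the last hour: %d (%d below %.2f)\n", count( $orders ), $small, $small_amount );

echo "\nTop customer IPs:\n";
foreach ( array_slice( $by_ip, 0, 10, true ) as $ip => $n ) {
    printf( "  %-45s %4d%s\n", $ip, $n, $n >= $per_ip_alert ? '  <-- ALERT' : '' );
}

// Bots rotating through proxies often keep one user-agent string; look for that.
echo "\nTop user agents:\n";
foreach ( array_slice( $by_ua, 0, 5, true ) as $ua => $n ) {
    printf( "  %4d  %s\n", $n, mb_strimwidth( $ua, 0, 90, '...' ) );
}

echo "\nBy billing country: " . wp_json_encode( array_slice( $by_country, 0, 10, true ) ) . "\n";

if ( count( $orders ) >= $total_alert ) {
    echo "\nWARNING: failed-order volume looks like a card-testing run. Consider pausing the gateway now.\n";
}
```

Run it from cron every 15 minutes and pipe the output to email or Slack, and you have a crude but effective alarm long before the chargeback fees arrive.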

How to Protect Your WooCommerce Store

1. Enforce Server-Side CAPTCHA

Add PHP server-side validation for reCAPTCHA or Cloudflare Turnstile. The example below hooks woocommerce_checkout_process, which runs for the classic shortcode checkout (including direct POSTs to ?wc-ajax=checkout) but not for the Checkout Block or Store API. Here’s a simple example using Turnstile:

// Runs on the classic checkout only; the Store API checkout does not fire this hook.
add_action( 'woocommerce_checkout_process', 'verify_turnstile_server_side' );
function verify_turnstile_server_side() {
    // Keep the secret out of version control in production (e.g. a constant in wp-config.php).
    $secret_key  = 'YOUR_CLOUDFLARE_SECRET_KEY';
    $cf_response = isset( $_POST['cf-turnstile-response'] ) ? sanitize_text_field( wp_unslash( $_POST['cf-turnstile-response'] ) ) : '';

    if ( empty( $cf_response ) ) {
        wc_add_notice( __( 'Please complete the CAPTCHA before checking out.' ), 'error' );
        return;
    }

    $verify = wp_remote_post( 'https://challenges.cloudflare.com/turnstile/v0/siteverify', [
        'timeout' => 5,
        'body'    => [
            'secret'   => $secret_key,
            'response' => $cf_response,
            'remoteip' => isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '',
        ],
    ] );

    // Fail closed: if Cloudflare cannot be reached, treat the checkout as unverified.
    if ( is_wp_error( $verify ) || 200 !== wp_remote_retrieve_response_code( $verify ) ) {
        wc_add_notice( __( 'CAPTCHA verification is temporarily unavailable. Please try again.' ), 'error' );
        return;
    }

    $result = json_decode( wp_remote_retrieve_body( $verify ), true );

    if ( empty( $result['success'] ) ) {
        wc_add_notice( __( 'CAPTCHA verification failed. Please try again.' ), 'error' );
    }
}
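As an added example, not the post’s own code, here is the same verification refactored so that it also covers the Store API checkout, which a classic-checkout hook alone does not. It goes beyond the snippet above by guarding both checkout paths with one verifier and by checking the hostname Turnstile echoes back. It assumes CF_TURNSTILE_SECRET is defined in wp-config.php and that your Checkout Block front end sends the solved token in an X-Turnstile-Token request header (the apiFetch middleware that adds the header is not shown); the constant, header name and cta_ prefix are my assumptions.

```php
<?php
/**
 * Added example (not from the original post): one Turnstile verifier shared by the
 * classic checkout and the Store API checkout, so a bot that POSTs straight to
 * /wp-json/wc/store/v1/checkout meets the same check as a browser on /checkout.
 * Assumes CF_TURNSTILE_SECRET in wp-config.php and an X-Turnstile-Token header
 * from the block front end (both my assumptions).
 */

function cta_turnstile_token_is_valid( string $token, string $remote_ip ): bool {
    if ( '' === $token || ! defined( 'CF_TURNSTILE_SECRET' ) ) {
        return false;
    }

    $response = wp_remote_post( 'https://challenges.cloudflare.com/turnstile/v0/siteverify', [
        'timeout' => 5,
        'body'    => [
            'secret'   => CF_TURNSTILE_SECRET,
            'response' => $token,
            'remoteip' => $remote_ip,
        ],
    ] );

    // Fail closed on transport errors: an unverifiable checkout is treated as a bot.
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return false;
    }

    $result = json_decode( wp_remote_retrieve_body( $response ), true );
    if ( empty( $result['success'] ) ) {
        return false;
    }

    // Siteverify echoes the hostname the widget was solved on. Reject tokens solved
    // on some other page (a replayed token harvested on an attacker-controlled site).
    $expected_host = (string) wp_parse_url( home_url(), PHP_URL_HOST );
    return isset( $result['hostname'] ) && 0 === strcasecmp( $result['hostname'], $expected_host );
}

function cta_remote_ip(): string {
    // REMOTE_ADDR is the only address the web server itself vouches for. Behind
    // Cloudflare, have the server rewrite it from CF-Connecting-IP rather than
    // trusting forwarded headers in PHP, where a bot can set them freely.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '';
}

// 1. Classic (shortcode) checkout, including direct POSTs to ?wc-ajax=checkout.
add_action( 'woocommerce_checkout_process', function () {
    $token = isset( $_POST['cf-turnstile-response'] ) ? sanitize_text_field( wp_unslash( $_POST['cf-turnstile-response'] ) ) : '';
    if ( ! cta_turnstile_token_is_valid( $token, cta_remote_ip() ) ) {
        wc_add_notice( __( 'CAPTCHA verification failed. Please try again.' ), 'error' );
    }
} );

// 2. Store API checkout: the Checkout Block, or a bot calling the endpoint directly.
//    Only POST places an order; GET/PUT on the route just read or update the draft.
add_filter( 'rest_request_before_callbacks', function ( $response, $handler, WP_REST_Request $request ) {
    if ( 'POST' !== $request->get_method() ) {
        return $response;
    }
    // Versioned and unversioned routes, plus the /checkout/{order_id} order-pay variant.
    if ( ! preg_match( '#^/wc/store(/v\d+)?/checkout(/\d+)?/?$#', $request->get_route() ) ) {
        return $response;
    }
    $token = (string) $request->get_header( 'x-turnstile-token' ); // WP normalises header names
    if ( ! cta_turnstile_token_is_valid( $token, cta_remote_ip() ) ) {
        return new WP_Error( 'turnstile_failed', __( 'CAPTCHA verification failed. Please try again.' ), [ 'status' => 403 ] );
    }
    return $response;
}, 10, 3 );
```

Turnstile tokens are single-use at siteverify and expire after a few minutes, so verify exactly once per checkout attempt, in the request that places the order, never earlier in the page flow.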

2. Configure Stripe Radar Rules

Use Stripe’s built-in Radar feature to block suspicious activity. Writing your own rules requires Radar for Fraud Teams (the paid tier); basic Radar only gives you the machine-learning risk score and Stripe’s default rules.

Suggested Radar rules, written in Radar’s own syntax (amounts are in major units, so 2.00 means $2.00; AU is just this store’s home country, swap in your own):

Block if :amount_in_usd: < 2.00 and :ip_country: != 'AU'
Block if :card_country: != :ip_country:
Block if :total_charges_per_ip_address_hourly: > 3
Block if :cvc_check: = 'fail'
Block if :card_funding: = 'prepaid' and :amount_in_usd: < 5.00

Start the broader rules (card/IP country mismatch, prepaid cards) as “Review if” rather than “Block if” and watch the review queue for a week: travellers, VPN users and expats trip them too, and a real customer you block rarely comes back.

3. Rate Limit with Cloudflare

Set up a rate-limiting rule in Cloudflare to guard your checkout and API endpoints.

A good starting point is 5–10 POST requests per IP per minute for the paths that actually place orders: your checkout page URL with ?wc-ajax=checkout (the classic checkout posts there, not to /wp-admin/admin-ajax.php) and /wp-json/wc/store/v1/checkout (the Checkout Block and direct Store API bots). Match on method POST plus those paths so ordinary page views are never counted. If one IP exceeds the threshold, block it or serve a JS/managed challenge for 5–10 minutes.

Use Cloudflare’s “Best Practices for Rate Limiting Rules” guide to tailor thresholds that match your traffic. Bear in mind that an IP-based limit only catches the cheap attacks; bots rotating through residential proxies need WooCommerce’s fingerprint-based limiting and a server-side CAPTCHA as well.

Why Those Numbers

  • 5–10 POST requests per minute is low enough to stop bots that hammer checkout endpoints in quick succession, but high enough not to break a real customer who retries a declined card once or twice.
  • Blocking or JS-challenging for 5–10 minutes gives you breathing room, stops rapid-fire retries, and reduces load on your origin.

Cloudflare’s documentation confirms you can base rate limits on multiple characteristics (IP, path, headers) and set “mitigation timeout” durations to control what happens when a rule is tripped.

4. Disable REST API Order Access (Optional)

This filter restricts the order endpoints of the authenticated wc/v3 REST API (/wp-json/wc/v3/orders) so that only users with the manage_woocommerce capability can read or create orders through it, whatever an API key’s permissions say. It is defence in depth against a leaked or over-scoped API key; it does nothing for the unauthenticated Store API, which the sections above cover.

// Restrict wc/v3 order endpoints to shop managers and administrators.
add_filter( 'woocommerce_rest_check_permissions', function ( $permission, $context, $object_id, $post_type ) {
    // $context is the action being checked (read, create, edit, delete, batch); tighten all of them for orders.
    if ( 'shop_order' === $post_type ) {
        return current_user_can( 'manage_woocommerce' );
    }
    return $permission;
}, 10, 4 );

Card Testing Protection Plan
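The filter above only tightens the authenticated wc/v3 API. As an added example that is not from the original post: if your store uses the classic [woocommerce_checkout] shortcode rather than the Checkout Block, the unauthenticated Store API checkout routes are still registered and still accept orders, so you can unregister them outright. The check that skips the removal when the Checkout Block really is on your checkout page is my own safety guard; the filter and the route names are WordPress’s and WooCommerce’s.

```php
<?php
/**
 * Added example (not from the original post): remove the Store API checkout
 * routes when the store uses the classic shortcode checkout, so a bot cannot
 * place orders through /wp-json/wc/store/v1/checkout at all.
 * Do NOT use this if you use the Cart/Checkout blocks; they need these routes.
 */
add_filter( 'rest_endpoints', function ( array $endpoints ): array {
    // Safety guard (mine): leave the routes alone if the Checkout block is in use.
    $checkout_page_id = wc_get_page_id( 'checkout' );
    if ( $checkout_page_id > 0 && has_block( 'woocommerce/checkout', $checkout_page_id ) ) {
        return $endpoints;
    }

    foreach ( array_keys( $endpoints ) as $route ) {
        // Matches /wc/store/checkout, /wc/store/v1/checkout and the
        // /checkout/(?P<id>...) order-pay variant, but not /wc/store/v1/cart.
        if ( preg_match( '#^/wc/store(/v\d+)?/checkout(/|$)#', $route ) ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints;
} );
```

After deploying, confirm with curl that POST /wp-json/wc/store/v1/checkout now returns a 404 “No route was found” response, and that your shortcode checkout still completes a test order.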

What About PayPal’s Fraud Protection?

If your store uses PayPal (Standard, Advanced, or via Braintree), you do have fraud protection tools, though they work a bit differently:

  • PayPal’s Fraud Protection / Fraud Protection Advanced lets you use filters, risk scoring, and review or block suspicious transactions. See PayPal developer docs.
  • There is also chargeback protection in some PayPal plans, which helps protect you financially in the event of disputes resulting from fraud. See PayPal developer docs.

The key difference is that PayPal’s protections often depend on your plan or merchant tier, may not stop API-based attacks, and usually offer less flexibility than Stripe Radar.

If you use PayPal, make sure to:

  • Check whether Fraud Protection is active in your PayPal Business Tools / Risk Tools.
  • See whether you can configure custom filters or risk thresholds.
  • Monitor your PayPal transaction dashboard for suspicious or unusual patterns.
  • Compare whether the costs of those tools (fees or plan upgrades) are worth it vs the loss from fraud.

Your Emergency Response Steps

So you suspect that your WooCommerce store is under attack from card testing fraud – what do you do?

Step 1. Disable Payments. 

Navigate to WooCommerce > Settings > Payments and then either toggle the “Enabled” switch for the specific gateway or use the three-dot menu to disable it.

Step 2. Security Scan Your Site

I recommend that all WordPress websites run a security plugin like Wordfence.  Even the free version is better than nothing.

After a suspected attack of any nature, run a security scan to test your site for any uploaded malware or suspicious registrations.

Navigate to Wordfence > Scan and click on the Start New Scan button. Review the scan options beforehand to ensure that everything is being examined.

Step 3. Contact Your Payment Provider and Web Host

If you are running payments through Stripe, for example, raise a support ticket within the Stripe dashboard and tell them what you suspect is happening. The sooner you notify the payment provider, the better position they are in to help you.

When this happened to me a few years back, the Stripe support person was excellent in helping me get through the process of stopping the attack and helping with refunds.

It may also be helpful to notify your web host about the issue – they may be able to enable additional security features, such as country IP blocking.

Step 4. Notify Your Customers

It’s always good practice to notify your customers about issues your online shop is facing.  Even if there has been no breach of security or leaked information, your customers may be wondering why they can’t purchase or access any of your products.

Trust is a tremendous value that customers need to have to purchase from you, so let them know what is happening and what steps you are taking to remedy the situation.  A simple email will work wonders here.

Step 5. Refund Payments Immediately

Don’t wait until angry cardholders start calling and emailing you, asking why your shop’s name appears on their card statement.  Be proactive and refund the money immediately – it’s not yours.

I received a call from an irate person when they noticed my website shop name was associated with a bank transaction they hadn’t made.  They started with a barrage of swear words and wishes to see me locked up and worse. 

Once I managed to get a few words in and explained that their card details had been stolen, and that it would be best to call their bank immediately and put a stop on the card, they calmed down and started listening.

Emergency response steps if your WooCommerce site is under attack

Are You Using PayPal Standard or WooPayments?

  • PayPal Standard creates the WooCommerce order and redirects the buyer to PayPal before any payment happens, so the card attempt takes place on PayPal’s side, out of reach of Stripe-style rules on your store; you only see the resulting failed or pending orders.
  • WooPayments is safer (it runs on Stripe’s platform and uses Stripe Elements) but still needs server-side CAPTCHA plus its own fraud-protection settings; you don’t get the Stripe Radar rule editor with WooPayments.

Final Thoughts

Card testing fraud is a growing concern for e-commerce store owners, particularly small businesses that sell digital or low-value items. However, with the right combination of server-side validation, Stripe Radar rules, and rate limiting, you can stay one step ahead of the bots and fraudsters.

Get the Full Protection Guide

Want all of this in a handy downloadable format, including a checklist, Radar rules, and code snippets?

👉 Download the Free WooCommerce Card Testing Protection Pack

Inside you’ll get:

  • The must-have WooCommerce security checklist: So you don’t miss critical gaps.
  • Fraud-blocking Stripe Radar rules: Cut down fake transactions instantly.
  • Copy-and-paste CAPTCHA enforcement code: Close the loopholes bots exploit.
  • Clear, non-technical guidance: Empower your team to take immediate action.

Stay protected and keep your store focused on serving real customers.
