How to prevent card testing attacks on WooCommerce sites

Over the past few months, the scourge of card testing attacks has plagued online stores, causing a great deal of inconvenience and stress for website owners. These attacks are not only bothersome and time-consuming, but they can also result in significant losses for businesses. In this article, we will discuss the measures you can take to safeguard your WooCommerce store from such fraudulent activities. It's worth noting that there is no foolproof solution, and each method has its pros and cons. Nevertheless, we will explore several techniques that can help you minimize the risk of card testing on your store. All methods outlined in this article are low-cost and won't break the bank.

What are card testing attacks?

Card testing is a type of fraudulent activity in which cybercriminals attempt to identify active credit card information. They run thousands of credit card numbers through a store in an attempt to process a successful transaction. The attackers use automated scripts or bots to make small transactions or pre-authorization requests on an eCommerce store's payment gateway. The transactions will usually consist of low-priced products to avoid suspicion and detection.

Once the attackers confirm that a stolen credit card is still valid, they can use it to make larger purchases or sell the information on the dark web. Card testing attacks can result in merchant chargebacks, financial losses, and reputational damage for eCommerce store owners.

Are some stores more at risk?

Yes. Online stores that are deemed to have inadequate security or those that sell certain types of products are at a higher risk of being targeted. If your WooCommerce store has any of the following characteristics, you may be more susceptible to such attacks.

  • No use of captchas
  • You sell pay-what-you-want or donation products
  • No email verification at checkout
  • Guest checkout

How do I detect a card testing attack in WooCommerce?

It is important to know there are two main ways that cyber criminals conduct card testing attacks on WooCommerce stores.

  1. Repeat orders through the checkout page
  2. Repeat payment processor attempts on a single order

For repeat orders, the signs of a card testing attack are very clear. You will receive many failed order emails and you will be able to see each order in the backend of your website under WooCommerce orders.

It can be challenging to detect repeated payment attempts on a single order unless you are actively monitoring for card testing attacks. The perpetrators behind these attacks typically utilize an automated bot that repeatedly tests stolen card details using the 'Order Pay' WooCommerce endpoint. 

If this method of attack occurs, you will generally receive a single failed order email. This might not ring alarm bells, but on closer inspection of the order admin notes, you will see a comprehensive picture of the attack. These notes contain valuable information about each payment attempt, which can help you to identify patterns and determine the scope of the attack. It is important to note that most businesses don't look carefully at order notes, which could delay the detection and mitigation of the attack. Therefore, it's important to remain vigilant and monitor your orders and payment records regularly to spot any suspicious activity as early as possible.

Depending on your provider, in both scenarios, you may find your payment processor will notify you via email if they detect an influx of fraudulent activity on your website.
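The two patterns described above can also be spotted in the web server's access log. The following is an added example, not code from the original article: it assumes a combined-format access log, WooCommerce's default `order-pay` endpoint slug and the default `?wc-ajax=checkout` submit URL, and the log lines, IP addresses, order IDs and threshold are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
ORDER_PAY_RE = re.compile(r"/order-pay/(\d+)/?$")

def find_card_testing(log_text, per_hour_limit=5):
    """Return order IDs and client IPs whose payment POSTs exceed the limit in one hour."""
    pay_posts = Counter()       # (order_id, hour) -> POSTs to the order-pay endpoint
    checkout_posts = Counter()  # (ip, hour) -> POSTs that submit the checkout form
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        hour = m["ts"][:14]  # e.g. "12/Mar/2024:02"
        url = urlsplit(m["target"])
        pay = ORDER_PAY_RE.search(url.path)
        if pay:
            # Keyed by order ID, so attempts arriving from many IPs still add up.
            pay_posts[(pay.group(1), hour)] += 1
        elif parse_qs(url.query).get("wc-ajax") == ["checkout"]:
            checkout_posts[(m["ip"], hour)] += 1

    def peaks(counter):
        out = {}
        for (key, _hour), n in counter.items():
            if n > per_hour_limit:
                out[key] = max(n, out.get(key, 0))
        return out

    return {"orders": peaks(pay_posts), "ips": peaks(checkout_posts)}

def _line(ip, minute, method, target):
    return f'{ip} - - [12/Mar/2024:02:{minute:02d}:00 +0000] "{method} {target} HTTP/1.1" 200 512'

# Constructed sample log (documentation IP ranges, placeholder order key).
PAY_URL = "/checkout/order-pay/{}/?pay_for_order=true&key=wc_order_EXAMPLE"
SAMPLE_LOG = "\n".join(
    [_line(f"203.0.113.{i + 1}", i, "POST", PAY_URL.format(5012)) for i in range(12)]
    + [_line("198.51.100.20", i, "POST", "/?wc-ajax=checkout") for i in range(6)]
    + [_line("192.0.2.44", 30, "GET", "/checkout/"),
       _line("192.0.2.44", 31, "POST", "/?wc-ajax=checkout"),
       _line("192.0.2.44", 32, "POST", PAY_URL.format(5020))]
)

if __name__ == "__main__":
    print(find_card_testing(SAMPLE_LOG))
```

An order ID that appears under `orders` is the one whose admin notes are worth reading first.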

Do card testing attacks occur on other eCommerce platforms?

Yes. Card testing attacks are not strictly a WooCommerce issue. Any website utilizing a payment gateway (regardless of the platform) is susceptible to card testing attacks. It doesn't matter if you are using Shopify, WordPress, Thrivecart or something completely different, eventually, cybercriminals will find you.

Do credit card providers protect against fraud?

The security of card processing systems is paramount in protecting cardholders from fraudulent activity. Each card processor has varying levels of security measures and systems in place to safeguard against potential threats. However, despite their best efforts, these systems are not foolproof, and there is always a risk of fraudulent transactions slipping through the cracks.

Banks play a crucial role in this process, as they can detect suspicious activity and promptly block transactions they deem to be fraudulent. This early detection is vital in preventing fraudsters from gaining access to cardholders' sensitive information and making unauthorized purchases. Despite these advanced systems and protocols, there is still the possibility of fraudulent transactions going unnoticed, highlighting the importance of vigilance and caution when using cards online or in person.

Payment processors such as Stripe also provide security systems and protocols to determine card fraud when someone or something attempts to make purchases.

How do I prevent card testing attacks on WooCommerce websites?

To mitigate the risk of card testing attacks, there are various effective measures one can take. It's important to note that not all automated attacks are equal in their level of sophistication, and as such, some preventative strategies may be more effective against certain attacks than others. Therefore, a multi-faceted approach may be necessary to combat card testing fraud effectively.

Here are some recommended techniques to consider:

  • Install spam protection captcha
  • Restrict checkout to logged-in users
  • Block suspicious IPs
  • Enforce country blocking using a firewall
  • Rate-limit order processing
  • Provide a JavaScript challenge to ensure traffic is using a web browser

Install Google reCaptcha

A captcha is a type of security measure used on websites to verify that a user is a human and not a computer program trying to perform automated actions (such as card testing attacks).

It usually involves displaying an image containing distorted text or an image puzzle, and the user must correctly enter the text or solve the puzzle to prove they are human. This prevents bots and other automated programs from accessing the website's services and information, helping to keep the site secure and free from unwanted activity.

WooCommerce has some great Google reCaptcha plugins that can be installed on various areas of a website, including the checkout process. Although there are bots that can get around Google reCaptcha and still process fraudulent orders, using a captcha is still an important tool to help stop card testing.

Allow checkout for logged-in users only

E-commerce giants like Amazon and eBay share a common security feature: customers must log in to their accounts before making a purchase. This practice is an effective measure in preventing fraudulent activities. From my experience, card testing attacks rarely originate from registered user accounts. While this configuration may not be suitable for all online stores, it certainly enhances the security of these leading marketplaces.

IP Blocking

Blocking IP addresses is a common tactic used to prevent cyber attacks on websites and networks. However, it's important to note that it's likely the least effective method on this list, as it can provide only limited protection against various types of attacks.

The reason for this is that IP addresses can easily be spoofed or changed, and hackers can use proxies or other techniques to hide their real location and bypass IP blocking measures. In addition, blocking IP addresses can potentially block legitimate users from accessing the site if their IP happens to be in the same range as the blocked addresses.

That being said, blocking IP addresses can still provide some benefits in certain situations. For example, if an attacker is using a known IP address range to launch a DDoS (Distributed Denial of Service) attack, blocking those addresses may help to mitigate the attack and reduce its impact on the targeted site. Similarly, if a site is experiencing a high volume of spam or other unwanted traffic from a specific IP range, blocking those addresses may help to reduce the amount of malicious traffic and alleviate the strain on the site's resources.

Country blocking using a WAF (web application firewall)

Country blocking is a security measure that's similar to IP blocking, in which you restrict incoming traffic from certain IP ranges that are associated with specific countries. This technique can significantly reduce unwanted traffic, particularly from locations where your clients don't typically shop from.

For instance, if your business operates solely within a specific country, there may be no need to allow traffic from other countries that could potentially harm your website or test stolen credit card information.

It's important to understand that country blocking should be used sparingly, as it may also restrict legitimate traffic from customers who happen to be travelling or using a virtual private network (VPN) that routes their traffic through a foreign country. It may also block legitimate bot traffic such as search engine crawlers, CRMs or marketing/analytics platforms.

There are a number of methods to implement country blocking. This could mean using a WordPress security plugin or service that allows for the configuration of firewall rules. Notable solutions include:

  • Cloudflare (free plan)
  • WordFence (pro version only)

There are a few other plugins on but I haven't personally tested these.

Rate-limit order processing

Rate-limiting order processing is a technique used by store owners to limit the number of orders that can be processed by the store within a certain period of time. This is done to prevent fraudulent activities where fraudsters use automated bots to place a large number of orders within a short period of time.

By implementing rate-limiting order processing, a store owner can set a limit on the number of orders that can be processed per hour or per day. This helps to prevent the store from being overwhelmed with a large number of orders and allows the store owner to review each order more thoroughly for signs of fraud.

For example, a store owner can limit the number of orders to 10 per hour. If a bot tries to place more than 10 orders within an hour, the bot will be blocked from accessing the store, and the store owner will be alerted to the attempted attack.

Rate-limiting orders can be an effective way to protect your store, but it also comes with some significant drawbacks. A store-wide limit can block legitimate customers from buying your products once the store reaches its order threshold. For this reason, it is best to rate-limit orders by customer billing email or IP address. There are a number of anti-fraud plugins that can achieve this.
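The difference between a store-wide limit and a limit keyed by billing email and IP address can be seen in a small model. This is an added example, not code from the original article or from any plugin: the class and function names are hypothetical, the limit of 10 orders per hour comes from the example above, and the traffic is constructed.

```python
from collections import defaultdict, deque

class OrderRateLimiter:
    """Sliding-window limiter: at most `limit` accepted orders per key per window."""

    def __init__(self, limit=10, window_seconds=3600):
        self.limit, self.window = limit, window_seconds
        self.accepted = defaultdict(deque)  # key -> timestamps of accepted orders

    def allow(self, keys, now):
        queues = [self.accepted[k] for k in keys]
        for q in queues:
            while q and now - q[0] >= self.window:
                q.popleft()  # drop orders that have left the window
        if any(len(q) >= self.limit for q in queues):
            return False     # one exhausted key is enough to refuse the order
        for q in queues:
            q.append(now)    # record only orders that were accepted
        return True

def order_keys(billing_email, ip, per_customer):
    """Store-wide mode uses one shared key; per-customer mode keys on email and IP."""
    if not per_customer:
        return ["store"]
    return [f"email:{billing_email.strip().lower()}", f"ip:{ip}"]

def simulate(per_customer):
    """Constructed traffic: a 50-order burst from one IP, then one real customer."""
    limiter = OrderRateLimiter(limit=10, window_seconds=3600)
    bot_accepted = 0
    for i in range(50):  # one attempt every 10 seconds, new billing email each time
        keys = order_keys(f"user{i}@example.com", "203.0.113.7", per_customer)
        bot_accepted += limiter.allow(keys, now=i * 10)
    customer_keys = order_keys("Jane@Example.com", "198.51.100.20", per_customer)
    customer_ok = limiter.allow(customer_keys, now=600)
    return bot_accepted, customer_ok

if __name__ == "__main__":
    print("store-wide limit:  ", simulate(per_customer=False))
    print("per email/IP limit:", simulate(per_customer=True))
```

In both modes the burst is cut off after 10 orders, but only the store-wide limit also turns away the real customer who arrives ten minutes later.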

Cloudflare JavaScript challenge before the WooCommerce checkout

Cloudflare's JavaScript challenge is widely considered to be the most effective line of defence against fraudulent automated traffic. To utilize this powerful security measure, you'll need to configure your website to use Cloudflare as a DNS provider, which can be easily done by following the steps outlined in a separate article.

By using Cloudflare as a DNS provider, all incoming traffic to your website is first processed by its servers. This provides significant security benefits, including robust DDoS mitigation and an intuitive firewall that's simple to configure.

The JavaScript challenge is a sophisticated technique that effectively detects and blocks bot traffic by verifying whether a web browser is being used and if JavaScript is enabled. If the test fails, then the traffic source is blocked. Since most automated traffic for card testing attacks doesn't use a web browser, this security measure can effectively deter such attacks and prevent fraudulent activity. 

The default implementation of the JavaScript challenge may not offer the best user experience as the security check runs when a customer first visits your online store. To enhance user experience, it's advisable to leverage Cloudflare page rules to restrict the challenge to only appear when accessing the checkout page.

However, the free Cloudflare plan will limit your ability to customize the security message. Therefore, upgrading to the next tier will give you complete control over the message's appearance, improving the user experience.

The result is a highly secure online environment that's capable of preventing even the most advanced types of automated attacks. This means that fraudsters will have to resort to manual intervention to process an order, which greatly reduces their chances of success.

Once an attack has been stopped, what do I need to do?

First of all, take a breath and enjoy the moment. You have just been through a stressful ordeal that would have most business owners on edge. Although the battle may be over, the clean-up process has just begun.

There are a few steps that need to take place before you can get back to regular business operations. These include:

  • Validating successful payments
  • Contacting your payment processor about the attack
  • Issuing refunds to cards where processing was successful
  • Cleaning up your WooCommerce orders

Validating successful payments

Validating successful payments is a crucial initial step when running an online store. It's essential to confirm that every order processed through your WooCommerce backend has a corresponding record in your payment processor. To do this, you can create a list that matches each order number with its associated transaction ID.

By cross-referencing your payment processor's records with your WooCommerce backend, you can quickly identify any discrepancies and take appropriate action to address them. This helps to ensure that your orders are processed accurately and that you receive payment for each transaction.
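The cross-reference described above can be scripted once both sides are exported. This is an added example, not code from the original article: the CSV column names, the transaction IDs and the rows are constructed, and it assumes that paid orders carry the status `processing` or `completed`.

```python
import csv
import io

PAID_STATUSES = {"processing", "completed"}

# Constructed sample exports; the column names are assumptions for this example.
WC_ORDERS_CSV = """order_id,status,total,transaction_id
5012,failed,1.00,
5013,processing,1.00,txn_A1
5014,completed,1.00,txn_A2
5015,processing,1.00,txn_C3
"""
PROCESSOR_CSV = """transaction_id,amount,outcome
txn_A1,1.00,succeeded
txn_A2,1.00,succeeded
txn_Z9,1.00,succeeded
txn_F1,1.00,failed
"""

def reconcile(orders_csv, processor_csv):
    """Match paid WooCommerce orders to successful processor charges."""
    charges = {
        row["transaction_id"]: row
        for row in csv.DictReader(io.StringIO(processor_csv))
        if row["outcome"] == "succeeded"
    }
    matched, paid_without_charge, used = [], [], set()
    for order in csv.DictReader(io.StringIO(orders_csv)):
        if order["status"] not in PAID_STATUSES:
            continue  # failed or pending orders are not expected to have a charge
        txn = order["transaction_id"].strip()
        if txn in charges:
            matched.append((order["order_id"], txn))
            used.add(txn)
        else:
            paid_without_charge.append(order["order_id"])
    return {
        "matched": matched,                    # the order number / transaction ID list
        "paid_without_charge": paid_without_charge,
        "charges_without_order": sorted(set(charges) - used),
    }

if __name__ == "__main__":
    for bucket, rows in reconcile(WC_ORDERS_CSV, PROCESSOR_CSV).items():
        print(bucket, rows)
```

The `matched` list is the order-to-transaction list to share with the payment processor, and the other two lists are the discrepancies to investigate.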

Contact your payment processor

Once you have compiled a list of orders and transaction IDs, you should contact your payment processor to inform them of the card testing attack and receive guidance on how to proceed. Depending on the payment processor, they may request a copy of your transaction ID list for their own records.

In most cases, the payment processor will provide recommendations to help prevent future attacks and may advise you to issue refunds on any cards that were charged during the attack. By working closely with your payment processor, you can take appropriate measures to protect your business and ensure the security of your customers' financial information.

Issue refunds for any processed orders

If your payment processor doesn't provide other instructions, it's generally best to issue refunds for each card that was charged during the card testing attack. While this may result in processing fees that you'll need to cover, it's important to prioritize the security and trust of your customers.

Although it's unfortunate that you may incur fees for processing refunds, it's worth noting that most card testing attacks are focused on low-cost products. Therefore, the processing fees associated with refunds are likely to be relatively small.

Clean up your WooCommerce orders

This part is optional, but generally, I dislike leaving failed orders in the backend of stores as they create unnecessary clutter and confusion. It is best to keep a record of the attacks, so it is recommended that all failed orders due to an attack are exported for archiving.

Once a record has been created, the failed orders can be deleted from the store. It is always recommended to back up your database before deleting the failed orders, as this process cannot be reversed and the data will be lost forever.


Suspicious orders are enough to keep any website owner nervous; however, they are an unavoidable part of running an online store. There is no one-size-fits-all approach when it comes to fraud prevention and carding attacks. Cybercriminals don't need to look hard to gain access to stolen card information, and therefore credit card fraud is on the rise.

As technology continues to evolve, the tools we use to identify card testing attacks are becoming increasingly sophisticated thanks to the integration of machine learning. This means that businesses will have more advanced and accurate methods of detecting and preventing fraud, which will help to safeguard their revenue and reputation.

Moreover, the implementation of Two Factor Authentication (2FA) for credit cards will make it nearly impossible for fraudsters to carry out credit card fraud. While it's unclear when 2FA will become widely adopted, its introduction will improve the overall security of online transactions and enhance the shopping experience for customers.

Dealing with attacks can be a frustrating and time-consuming experience for online store owners. However, it is crucial for them to become familiar with how to handle such situations, as credit card testing attacks are becoming more and more common in the ecommerce industry.
