Beware of velocity attacks (failed orders) with this plugin
Three years ago, @patrickhs reported that this plugin has “non-existent fraud protection”, and apparently this hasn’t changed.
I manage over 100 WordPress sites, and only three of them get hit with velocity attacks, where scammers will use your site to test stolen credit cards, generating hundreds of failed orders (last attack was over 5,000 attempts). I spent countless hours trying various anti-spam plugins and writing various scripts, until I finally discovered a pattern: These are the only sites using Braintree for WooCommerce Payment Gateway. Clearly this plugin suffers from an unpatched vulnerability because somehow a Guest user had five charges approved for the same order, all different card numbers, preceded by hundreds of failed attempts (each attempt generating an order note, about one second apart). Another order showed a failed attempt after the successful payment. That’s not how WooCommerce works, especially when your Checkout page has a reCAPTCHA. You can’t pass reCAPTCHAs that quickly, and you can’t (successfully) pay for the same order twice; that’d be a new order. So essentially this plugin is an invitation for hackers to bypass the Checkout interface and make order attempts programmatically.
Also, the latest update (3.1.7) destroys the credit card field styling (and, in turn, customers’ trust). I’m glad I noticed that right away.
Combining that with the fact that I reported a bug (“sv-wc-payment-gateway-payment-form.min.css.map error”) over a year ago that could be resolved by adding a single space to a file—and they still haven’t fixed it—I no longer trust Braintree and have begun switching everyone to WooPayments. First impressions of WooPayments are great, setup is a breeze, and my Checkout pages are now more user-friendly in multiple ways.
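The pattern the review describes (hundreds of failed attempts on one order about a second apart, several approvals for the same order, a failure arriving after a successful payment) is exactly what a store owner can detect by scanning order notes. The following is an added example for illustration, not code from the review, the Braintree plugin or WooCommerce: it works over constructed sample order-note lines in an assumed format and flags orders that show a burst of failures inside a sliding window, more than one approval, or a failure after an approval.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample order notes (not taken from the review or any plugin):
# one honest checkout (order 1001), a card-testing burst on order 1002 with
# failures about one second apart followed by two approvals, and a stray
# failure after a successful payment on order 1003.
SAMPLE_NOTES = (
    ["2024-05-01 10:00:00 order#1001 payment approved card=****1111"]
    + [f"2024-05-01 10:05:{s:02d} order#1002 payment failed card=****{4000 + s}"
       for s in range(30)]
    + ["2024-05-01 10:05:30 order#1002 payment approved card=****9001",
       "2024-05-01 10:05:31 order#1002 payment approved card=****9002",
       "2024-05-01 10:10:00 order#1003 payment approved card=****2222",
       "2024-05-01 10:10:05 order#1003 payment failed card=****3333"]
)


def parse_note(line):
    """Parse an assumed note format:
    'YYYY-MM-DD HH:MM:SS order#<id> payment <outcome> card=<masked>'."""
    date, time, order, _payment, outcome, card = line.split()
    return {
        "ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
        "order_id": int(order.removeprefix("order#")),
        "outcome": outcome,
        "card": card.removeprefix("card="),
    }


def failures_per_order(events, window=timedelta(seconds=60)):
    """Peak number of failed attempts per order inside any sliding window."""
    by_order = defaultdict(list)
    for e in events:
        if e["outcome"] == "failed":
            by_order[e["order_id"]].append(e["ts"])
    peaks = {}
    for order_id, times in by_order.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            # advance the window start until it is within `window` of t
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        peaks[order_id] = peak
    return peaks


def velocity_suspects(events, window=timedelta(seconds=60), max_failures=5):
    """Orders whose failure burst reaches max_failures within the window."""
    return sorted(o for o, n in failures_per_order(events, window).items()
                  if n >= max_failures)


def sequence_anomalies(events):
    """Orders with more than one approval, or a failure after an approval.
    Neither should happen through a normal checkout flow."""
    approvals = defaultdict(int)
    approved = set()
    flagged = set()
    for e in sorted(events, key=lambda e: e["ts"]):
        oid = e["order_id"]
        if e["outcome"] == "approved":
            approvals[oid] += 1
            approved.add(oid)
            if approvals[oid] > 1:
                flagged.add(oid)
        elif e["outcome"] == "failed" and oid in approved:
            flagged.add(oid)
    return sorted(flagged)


def distinct_cards_per_order(events):
    """How many different card numbers were tried against each order."""
    cards = defaultdict(set)
    for e in events:
        cards[e["order_id"]].add(e["card"])
    return {o: len(c) for o, c in cards.items()}


if __name__ == "__main__":
    evs = [parse_note(line) for line in SAMPLE_NOTES]
    print("velocity suspects:", velocity_suspects(evs))
    print("sequence anomalies:", sequence_anomalies(evs))
    print("distinct cards per order:", distinct_cards_per_order(evs))
```

The thresholds (60-second window, five failures) are assumptions for the example; a real store would tune them to its own traffic and feed the flagged order ids into whatever blocking or alerting it already has, since the point of the review is that the checkout-page reCAPTCHA alone did not stop programmatic attempts.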