Hi @thiagorangel
If such issues – as described – happen, then an alternative to allowing all countries would be to allow specific IPs if you have a way to get such IPs. Unfortunately, not all services disclose all IPs used and some are not even using a “fixed” set/range of IPs.
So if it’s not possible to allow “by IP”, then yes – you either need to allow countries back or at least unlock countries these services do requests from.
There is no such “automated lock” for just adding products to the cart. If there are repetitive requests for 404 (non-existing) pages or repetitive login attempts – those can be blocked. Simply visiting a page a number of times is not something that would be considered a security threat.
What you can possibly try would be to use the “404 Detection” blocklist feature for such an automated block. In “Defender -> Firewall -> 404 Detection” you have an option to define URLs (in addition to standard 404) that should be monitored. Those can be existing URLs so it can e.g. be your cart/checkout URL.
Then you need to carefully set the Threshold and Duration options. You can set them e.g. “if 20 hits in 300 seconds (5 minutes) – block temporarily for 24 hours” or in a similar way.
The URLs added to the “Blocklist” – even if they are existing URLs – will then be monitored and blocked according to these rules.
However, this option was not designed for this kind of protection of perfectly valid and available URLs so you need to be aware that it may in some cases “blow back” and affect legitimate users/visitors – so I’d suggest carefully testing it.
Other than this, the other two solutions – blocking identified (based on stats/server’s “access log”) bots using User Agent Blocking and adding reCaptcha to checkout – should help too.
Kind regards,
Adam
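
An added example, not part of the reply above and not Defender's own code: before enabling a "20 hits in 300 seconds" rule on the cart/checkout URLs, the same threshold can be replayed over the server's access log to see which clients it would have blocked and what User Agent they sent. It assumes Apache/nginx "combined" log lines in chronological order; the function names and the sample traffic are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumption: "combined" access log format.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?:\S+) (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

def offenders(lines, watched=("/cart", "/checkout"), threshold=20, duration=300):
    """Return {ip: (peak hits in any `duration`-second window, user agent)}
    for clients whose hits on watched URL prefixes reach `threshold`."""
    window = timedelta(seconds=duration)
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    peak = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not m["path"].startswith(watched):
            continue  # unparsable line, or a URL that is not monitored
        ts = datetime.strptime(m["ts"], TS_FORMAT)
        hits = recent[m["ip"]]
        hits.append(ts)
        while ts - hits[0] >= window:  # drop hits that fell out of the window
            hits.popleft()
        if len(hits) > peak.get(m["ip"], (0, ""))[0]:
            peak[m["ip"]] = (len(hits), m["ua"])
    return {ip: v for ip, v in peak.items() if v[0] >= threshold}

def sample_log():
    """Constructed traffic: one scripted client and one ordinary shopper."""
    start = datetime(2024, 3, 10, 10, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'
    events = []
    for i in range(25):  # 25 add-to-cart requests, 10 seconds apart
        events.append((start + timedelta(seconds=10 * i), "203.0.113.7",
                       "/cart/?add-to-cart=42", "ExampleBot/1.0"))
    for i in range(4):   # 4 checkout views, 5 minutes apart
        events.append((start + timedelta(minutes=5 * i), "198.51.100.20",
                       "/checkout/", "Mozilla/5.0"))
    events.sort()
    return [fmt.format(ip=ip, ts=ts.strftime(TS_FORMAT), path=path, ua=ua)
            for ts, ip, path, ua in events]

if __name__ == "__main__":
    for ip, (count, ua) in offenders(sample_log()).items():
        print(f"{ip} would be blocked: {count} hits in 300 s, UA={ua!r}")
```

Running it against a few days of real logs with different `threshold` and `duration` values shows whether any ordinary shopper comes close to the limit, and the reported User Agents are candidates for User Agent Blocking.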