• Resolved albyone

    (@albyone)


    Hello,

    I have a problem where my site is being abused by card testing crooks. Presently the card merchant has disabled their integration until I get this resolved.

    So, I gave your plug-in a whirl and can see that it does indeed protect the standard checkout endpoint URL; however, I believe the endpoint URL that is being used by the card testers is the order-pay URL “https://example.com/checkout/order-pay/1234/?pay_for_order=true&key=wc_order_ABCDefgh1234”

    This URL presents with no protection.

    Would protection for this endpoint URL be possible with your plugin?

    Thanks,
    Al

Viewing 6 replies - 1 through 6 (of 6 total)
  • Thread Starter albyone

    (@albyone)

    I have found a post for your re-captcha plugin (here – “https://www.ads-software.com/support/topic/woocommerce-credit-card-failed-order-checkout-attack/”) that suggests it did have an option for this, but I couldn’t find that option on the re-captcha version of your plugin or this Turnstile plugin.

    Thanks again.

    Thread Starter albyone

    (@albyone)

    Plugin Author Elliot Sowersby

    (@elliotvs)

    Hi,

    Thanks for the info, I will take a look into this!

    Thread Starter albyone

    (@albyone)

    Thanks Elliot.

    Some further info on my specific case.

    After looking at the SSL access logs, the card testing attack is using calls to /?wc-ajax=checkout. So, from how I understand it, a human sets up the order all the way through to checkout by filling in all order details and placing an order (that fails with card declined), but the CAPTCHA passes. From there they start a script on the /checkout page that continuously tries credit card numbers using /?wc-ajax=checkout. These subsequent attempts are not intercepted by CAPTCHA.

    I have installed a plugin called bh-wc-checkout-rate-limiter that looks like it, along with your Simple Cloudflare Turnstile plugin, will hopefully limit the attack.

    I do still believe that the original issue of the order-pay URL not being protected stands; however, unless your plugin can also protect /?wc-ajax=checkout, both checkout endpoints are susceptible to the style of attack that I’m seeing.

    Thanks again. Your plugin and the time you spend on maintaining it are very much appreciated.

    Al
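The pattern described in the post above (one human-completed checkout, then scripted retries against /?wc-ajax=checkout that a CAPTCHA on the checkout page never sees) shows up in access logs as a burst of payment submissions from one client, which is what a rate limiter acts on. The following is an added example, not code from this thread or from either plugin mentioned: it parses constructed combined-format log lines and flags any client address whose POSTs to /?wc-ajax=checkout or /checkout/order-pay/ reach a threshold inside a sliding time window. The log lines, addresses, threshold and window length are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in combined log format (not from the thread): one client
# submits /?wc-ajax=checkout five times in under a minute, another pays one order.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:14:02:01 +0000] "POST /checkout/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:14:02:15 +0000] "POST /?wc-ajax=checkout HTTP/1.1" 200 412 "https://example.com/checkout/" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:14:02:16 +0000] "POST /?wc-ajax=checkout HTTP/1.1" 200 412 "https://example.com/checkout/" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:14:02:18 +0000] "POST /?wc-ajax=checkout HTTP/1.1" 200 412 "https://example.com/checkout/" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:14:02:19 +0000] "POST /?wc-ajax=checkout HTTP/1.1" 200 412 "https://example.com/checkout/" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:14:02:21 +0000] "POST /?wc-ajax=checkout HTTP/1.1" 200 412 "https://example.com/checkout/" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:14:05:00 +0000] "POST /checkout/order-pay/1234/?pay_for_order=true&key=wc_order_ABCDefgh1234 HTTP/1.1" 200 412 "-" "Mozilla/5.0"
"""
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# The two WooCommerce payment-submission paths named in the thread.
PAYMENT_PATHS = (re.compile(r'^/\?wc-ajax=checkout'), re.compile(r'^/checkout/order-pay/'))

def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)

def is_payment_submit(method, path):
    return method == "POST" and any(p.match(path) for p in PAYMENT_PATHS)

def find_card_testing(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: peak} for clients whose count of payment submissions inside
    some sliding window of length `window` reaches `threshold`."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_payment_submit(rec[2], rec[3]):
            per_ip[rec[0]].append(rec[1])
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide past submissions older than the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged
```

A legitimate shopper rarely submits payment more than a couple of times per order, so the flagged addresses are candidates for blocking or for a per-client rate limit on exactly these two paths.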

    Plugin Author Elliot Sowersby

    (@elliotvs)

    Hi,

    Just to let you know this will hopefully be fixed in the next plugin update (1.17.0) with an option to enable Turnstile on the “Pay for Order” page/form.

    Plugin Author Elliot Sowersby

    (@elliotvs)

    Hi,

    Please could you try updating to the latest version (1.17.0). There should now be an option to enable Turnstile on the “Pay for Order” page/form.

  • The topic ‘How to protect the “Order Pay” endpoint with Simple Cloudflare Turnstile’ is closed to new replies.