• Resolved twowheeler

    (@twowheeler)


    I love the idea of using Turnstile instead of reCAPTCHA, so thank you for this plugin. However, I am finding that it does not stop carding activity on the WooCommerce checkout page. Fraudsters are testing credit card numbers against our page and PayPal is threatening to suspend our account. It looks like they are able to defeat the Cloudflare check somehow. Do you have any suggestions?

Viewing 5 replies - 1 through 5 (of 5 total)
  • amanandhishoe

    (@amanandhishoe)

    Preventing card testing involves more than just using reCAPTCHA or Cloudflare’s Turnstile. Most of the time fraudsters are using bots to check credit cards on an e-commerce site. So what I found effective is a multi-layer approach to keep these bots from getting through.

    1 – I put my website behind Cloudflare proxy DNS and use Cloudflare’s WAF to block these bots. This way, bots don’t know the actual IP numbers of your site. All requests to your site go to Cloudflare and it forwards them on to your site. It has a number of security features you can use to block illicit traffic. It has a Super Bot Fight Mode, and you can block all definitely automated bots and only allow verified bots. It does block a lot of bot-driven credit card fishing requests. You may need to add an exception for some bots so they can get through.

    You can also add your own WAF rules. I added some WAF rules of my own to block certain add-to-cart requests. For example, when people first access my site, I send a certain cookie. Any add-to-cart requests that do not have this cookie get blocked by a Cloudflare WAF rule. Most bot requests will not have this cookie. And I block any add-to-cart requests where the URL for the request would not exist on my site. For example, most of these bots send a request /?add-to-cart=1721 and nothing else. On a WooCommerce site that would never be a valid request. It would usually have a /product-category/category-name/?add-to-cart=1721 or something like that. So any requests which are nothing but /?add-to-cart=1721 I block with a Cloudflare WAF rule, and those requests never reach my WordPress site.

    2 – Use velocity controls. I don’t know if PayPal has them, but many credit card processors do. In my case I don’t allow more than 5 credit card requests from the same IP in an hour. And no more than 3 credit card purchases per credit card in an hour. These velocity limits block a lot of malicious credit card requests.

    3 – I also have velocity controls in a plugin I wrote, so that if I see an IP sending add-to-cart requests faster than a human would, I empty that cart and block that IP from adding anything to a cart.

    4 – I use Wordfence’s Live Traffic option to see what is happening on my site. I can quickly spot any bot that is attempting numerous credit card transactions and block their IP, or even momentarily block the country the requests are coming from.

    5 – And there are plugins for detecting fraudulent transactions. You might find one that works well.

    Best of luck. This is a vexing problem for e-commerce sites. Plugins like WooCommerce need to do a much better job of detecting these card fishing transactions and blocking them.

    This link has helpful suggestions for dealing with card testing attacks.

    https://www.commercegurus.com/woocommerce-card-testing-attacks/
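The two custom WAF rules described in the post above (drop add-to-cart requests that lack the first-visit cookie, and drop add-to-cart requests whose path is nothing but `/`) can be modelled as a small request filter. The Python below is an added illustration, not the poster's plugin or Cloudflare's rule engine; the cookie name `site_visited`, the log-line format and the sample requests are all constructed for the example. The Cloudflare expressions noted in the comments are my approximation of how the same checks would be written there.

```python
from urllib.parse import parse_qs

# Hypothetical cookie set on a visitor's first page view (constructed name).
TRUST_COOKIE = "site_visited"

# Constructed sample traffic: (client IP, request target, Cookie header value).
# An empty string means the request carried no Cookie header at all.
SAMPLE_REQUESTS = [
    ("203.0.113.7", "/?add-to-cart=1721", ""),
    ("203.0.113.7", "/?add-to-cart=1721", "site_visited=1"),
    ("198.51.100.2", "/product-category/helmets/?add-to-cart=1721", "site_visited=1"),
    ("198.51.100.2", "/product-category/helmets/", "site_visited=1"),
    ("198.51.100.9", "/product-category/helmets/?add-to-cart=1721", ""),
]


def parse_cookie_header(header: str) -> dict:
    """Split 'a=1; b=2' into {'a': '1', 'b': '2'}; tolerant of empty input."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies


def split_target(target: str) -> tuple:
    """Separate the request target into (path, query string)."""
    path, _, query = target.partition("?")
    return path or "/", query


def should_block_add_to_cart(target: str, cookie_header: str) -> tuple:
    """Edge decision for one request. Returns (blocked, reason).

    Approximate Cloudflare equivalents of the two blocking rules:
      rule 1: http.request.uri.query contains "add-to-cart="
              and not http.cookie contains "site_visited="
      rule 2: http.request.uri.path eq "/"
              and http.request.uri.query contains "add-to-cart="
    """
    path, query = split_target(target)
    params = parse_qs(query)
    if "add-to-cart" not in params:
        return (False, "not an add-to-cart request")
    cookies = parse_cookie_header(cookie_header)
    if TRUST_COOKIE not in cookies:
        return (True, "missing first-visit cookie")
    if path == "/":
        return (True, "bare /?add-to-cart URL is never valid on this shop")
    return (False, "allowed")


def filter_requests(requests=SAMPLE_REQUESTS) -> list:
    """Run every sample request through the filter; return (ip, target, blocked, reason)."""
    results = []
    for ip, target, cookie_header in requests:
        blocked, reason = should_block_add_to_cart(target, cookie_header)
        results.append((ip, target, blocked, reason))
    return results


def blocked_count(requests=SAMPLE_REQUESTS) -> int:
    """Number of sample requests the two rules would stop before they reach WordPress."""
    return sum(1 for _, _, blocked, _ in filter_requests(requests) if blocked)


if __name__ == "__main__":
    for ip, target, blocked, reason in filter_requests():
        print(f"{ip:14} {'BLOCK' if blocked else 'allow':5} {target}  ({reason})")
```

Note the ordering: the cookie check runs before the path check, so a bare `/?add-to-cart=` request with no cookie is reported under the cookie rule. Both rules only ever fire on requests that actually carry an `add-to-cart` parameter, so ordinary browsing of category pages is untouched.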

    amanandhishoe

    (@amanandhishoe)

    And another thing you can do by having your site protected by Cloudflare proxy DNS is to restrict the number of checkout requests an IP can make. You can have a rate limiting rule so that no IP can call checkout more than 5 times in 10 seconds or a minute. If they do that, you can either block them, or have Cloudflare put up a JS Challenge. It runs for a certain amount of time and if it doesn’t detect that there is a human, it doesn’t allow the request to go through.
    These are per IP, so even if a bot changes its IP when it is challenged after 5 times, the delay a JS Challenge forces on the bot will discourage it from trying to test cards on your site.
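The per-IP rate limit described here (no more than 5 checkout calls in 10 seconds, then a challenge) and the add-to-cart velocity control from item 3 of the earlier post both come down to the same sliding-window counter keyed on client IP. The Python below is an added model of that logic, not Cloudflare's rate-limiting product or the poster's plugin; the event timeline, the IP addresses and the `"challenge"` verdict are constructed for the example. It also shows the point made about IP rotation: a bot that switches address after being challenged starts from a fresh counter, but has paid the delay of the challenge first.

```python
from collections import defaultdict, deque

CHECKOUT_PATH = "/checkout/"  # the path being rate limited (assumed WooCommerce layout)


class SlidingWindowLimiter:
    """Per-key counter: at most `limit` hits in any trailing `window` seconds."""

    def __init__(self, limit: int = 5, window: float = 10.0):
        self.limit = limit
        self.window = window
        self.hits = defaultdict(deque)  # key -> timestamps of counted hits

    def check(self, key: str, now: float) -> str:
        """Record a hit at time `now`; return 'allow' or 'challenge'."""
        q = self.hits[key]
        # Drop hits that have aged out of the trailing window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return "challenge"  # over budget: Cloudflare would serve a JS Challenge here
        q.append(now)
        return "allow"


# Constructed timeline: (seconds, client IP, request path).
# 203.0.113.7 hammers checkout 7 times in 3 s, is challenged, then rotates to
# 203.0.113.8; the original IP is quiet until its window has fully expired.
SAMPLE_EVENTS = [
    (0.0, "203.0.113.7", "/checkout/"),
    (0.5, "203.0.113.7", "/checkout/"),
    (1.0, "203.0.113.7", "/checkout/"),
    (1.5, "203.0.113.7", "/checkout/"),
    (2.0, "203.0.113.7", "/checkout/"),
    (2.5, "203.0.113.7", "/checkout/"),   # 6th in 10 s -> challenge
    (3.0, "203.0.113.7", "/checkout/"),   # still over budget -> challenge
    (3.2, "203.0.113.7", "/cart/"),       # not a checkout request, never counted
    (4.0, "203.0.113.8", "/checkout/"),   # new IP after rotation -> fresh counter
    (11.0, "203.0.113.7", "/checkout/"),  # first hit (t=0) has aged out -> allow
]


def simulate(events=SAMPLE_EVENTS, limit: int = 5, window: float = 10.0) -> list:
    """Apply the limiter to every checkout event; return (time, ip, verdict) tuples."""
    limiter = SlidingWindowLimiter(limit, window)
    verdicts = []
    for t, ip, path in events:
        if path != CHECKOUT_PATH:
            continue  # only checkout calls count toward the limit
        verdicts.append((t, ip, limiter.check(ip, t)))
    return verdicts


def challenged_ips(events=SAMPLE_EVENTS) -> set:
    """IPs that received at least one challenge during the timeline."""
    return {ip for _, ip, verdict in simulate(events) if verdict == "challenge"}


if __name__ == "__main__":
    for t, ip, verdict in simulate():
        print(f"t={t:5.1f}s  {ip:12}  {verdict}")
```

Because the window slides rather than resetting on a fixed boundary, a client cannot simply wait for the top of the next second to get five fresh tries; it has to stay under five hits in every trailing ten-second span. The same class, with a much smaller window, is what the add-to-cart velocity check from the earlier post would use: feed it add-to-cart events instead of checkout events and treat `"challenge"` as the cue to empty the cart and block the IP.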

    Thread Starter twowheeler

    (@twowheeler)

    Thank you @amanandhishoe for the comprehensive reply. This is super helpful. I am now signed up for Cloudflare DNS and learning how to use their WAF. I will also look into velocity controls. Thanks!

    Thread Starter twowheeler

    (@twowheeler)

    Would you be willing to share your WAF rules in a private email? That would be a huge help in trying to protect our site. Let me know how to contact you. Thanks.

    amanandhishoe

    (@amanandhishoe)

    You can email me at [email protected]

  • The topic ‘Not protecting woocommerce checkout page’ is closed to new replies.