• Resolved captaincrank

    (@captaincrank)


    I received over 150 emails from failed orders from someone apparently using our checkout form to run different credit card numbers. Is there any security features within this plugin to prohibit such acts from occurring? The attack was coming from a single IP, which I blocked via htaccess to get it to stop.

Viewing 6 replies - 1 through 6 (of 6 total)
  • You can use one of the free firewall or antispam plugins. Personally I recommend WP Cerber. It’s almost certain that your website is being attacked in other ways too, so it would be good to have such protection. Please be aware that firewalls usually need configuration to work properly.

    Hi there @captaincrank

    As I understand, you received many failed order emails from someone apparently using our checkout form to run different credit card numbers.

    Just to clarify, the WooCommerce Stripe plugin is a Payment Gateway, and as such it comes with features like SCA/PSD2 (documentation linked here), for ensuring online payments are authenticated.

    From what I gather, there is already a security plugin installed on your site.

    Furthermore, feel free to check out Jetpack Security & Limit Orders for WooCommerce.

    I trust that points you in the right direction, but if you have more questions, let us know. We’re happy to help.

    Thread Starter captaincrank

    (@captaincrank)

    We do have Wordfence Security Premium installed and at best I can rate limit the IP which would also impact mobile users. I can and did ban IPs, and all the attacker does is move onto another IP. For the now $129 yearly fee for Wordfence, it would be nice if they would add some features for us Woocommerce users.

    The big concern here is swipe fees. Even though not one transaction was accepted, we will probably get hit with a lot of swipe fees. At $.30 per swipe, times 1,000 failed orders, that’s $300. I’m not sure how Stripe handles this, but I know other processors don’t care and bill the sellers. It would be nice if some protections from carding/credit card testing were built into the Woocommerce Stripe Payment Gateway plugin. Loading up a DB with hundreds or thousands of failed orders, and potentially being socked with huge fees, isn’t something any store owner likes. Heaven forbid some of these tests get accepted and result in chargebacks.

    For anyone reading this post with the same problem, look into the free Checkout Rate Limiter plugin. This will limit orders from the same IP with the number of orders and time configurable via plugin. This won’t stop the attacker from attempting to test credit cards, but it will make the attacker burn through a lot of IP addresses in the process – likely forcing them onto another Woocommerce store that isn’t protected. See https://github.com/BrianHenryIE/bh-wc-checkout-rate-limiter
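    As an added illustration of the per-IP limit described above (example code written for this thread, not the Checkout Rate Limiter plugin's own code), here is a minimal limiter hooked into WooCommerce's checkout validation, so an attempt over the limit is rejected before any charge reaches the gateway. The constants, function names and the 5-attempts-per-10-minutes setting are assumptions chosen for the example.

```php
<?php
/**
 * Added example: per-IP checkout attempt limit for WooCommerce.
 * Drop into a small must-use plugin. Not the Checkout Rate Limiter plugin.
 */

define( 'CHECKOUT_RL_MAX_ATTEMPTS', 5 );    // assumed limit per window
define( 'CHECKOUT_RL_WINDOW_SECONDS', 600 ); // assumed window: 10 minutes

/**
 * Client address used as the rate-limit key. REMOTE_ADDR is used on purpose:
 * X-Forwarded-For style headers are client-supplied unless a trusted reverse
 * proxy/CDN overwrites them, and behind such a proxy every visitor would
 * otherwise share one address. Adjust for your hosting setup.
 */
function checkout_rl_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '0.0.0.0';
}

/**
 * Record one checkout attempt for $ip in a fixed window kept in a transient
 * and return true while the attempt count is within the limit.
 */
function checkout_rl_register_attempt( $ip ) {
    $key   = 'checkout_rl_' . md5( $ip );
    $now   = time();
    $state = get_transient( $key );
    // Start a fresh window if there is none or the old one has expired.
    if ( ! is_array( $state ) || $state['reset_at'] <= $now ) {
        $state = array( 'count' => 0, 'reset_at' => $now + CHECKOUT_RL_WINDOW_SECONDS );
    }
    $state['count']++;
    // Expiry matches the remaining window so the counter clears on its own.
    set_transient( $key, $state, $state['reset_at'] - $now );
    return $state['count'] <= CHECKOUT_RL_MAX_ATTEMPTS;
}

/**
 * Runs during checkout validation, i.e. before the order is created and
 * before the payment gateway is called, so over-limit attempts never become
 * failed orders or gateway authorizations.
 */
function checkout_rl_validate( $data, $errors ) {
    $ip = checkout_rl_client_ip();
    if ( ! checkout_rl_register_attempt( $ip ) ) {
        $errors->add( 'checkout_rate_limit', __( 'Too many checkout attempts. Please wait a few minutes and try again.', 'checkout-rl' ) );
        error_log( sprintf( 'checkout rate limit reached for %s', $ip ) ); // feed this to your monitoring
    }
}
add_action( 'woocommerce_after_checkout_validation', 'checkout_rl_validate', 10, 2 );
```

    As the post notes, this only raises the cost for someone rotating IP addresses; the error_log line gives you a signal to watch for that pattern in your server logs.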

    Hello,

    I can understand your point.

    I’m not sure how Stripe handles this, but I know other processors don’t care and bill the sellers. It would be nice if some protections from carding/credit card testing were built into the Woocommerce Stripe Payment Gateway plugin.

    Please be advised that Stripe is constantly working to provide better security layers to permit only authorized transactions; they implement a lot of mechanisms and certifications regarding security. The fact that the orders failed is an indication that they did not go through, which is good because it was an attack.

    If you would like to learn more, please check out this Stripe documentation:

    https://stripe.com/docs/security

    If you are looking to make enhancements on your site regarding anti-fraud, I recommend this premium extension:

    https://woocommerce.com/products/woocommerce-anti-fraud/

    And this one, in case you are interested in implementing captchas, so that the site will have another line of defense against attacks:

    https://woocommerce.com/products/recaptcha-for-woocommerce/

    Let us know if there are any questions 🙂

    I’ve just received a similar attack: of 400+ attempted orders, 5 went through.

    I’ve disabled Stripe as not sure what else to do or why this is happening.

    Roxy

    (@roxannestoltz)

    Hi @mrsdj ,

    I am sorry to hear that you are experiencing a similar issue.

    If the information provided in this thread has not helped for your situation, would you please start your own topic?

    Since you’re not the person who originally started this topic, per the forum guidelines, you would need to create your own thread.

    We’ll be happy to assist you there!


The topic ‘Brute Force Attack’ is closed to new replies.