Attacks On WooCommerce Checkouts And How To Defend Yourself

Over the last year I’ve seen an increase in credit card attacks targeting my customers’ WooCommerce checkouts. These attacks do not appear limited to a certain type of website. I’ve seen it happen to customers ranging from very low traffic websites with around 500 monthly visitors, to very high traffic websites with 100,000+ monthly visitors. These hackers have one goal: find a valid credit card through brute force purchase attempts.

They work by flooding a checkout system with random credit card information. When the attacks are underway a WooCommerce site can receive thousands of failed WordPress orders within an hour. You can imagine this causes all sorts of issues for the store owners.

Email from Kinsta disabling email and automatically blocking an attack from a certain IP address.

These attacks can be costly.

Depending on your payment provider, these attacks have the potential to incur fees for each failed attempt. I typically recommend using Stripe as they are very tolerant of such activity. However, even Stripe has their limits. If you have too many failed payment attempts then Stripe’s recommended solution is to pay for their Stripe Radar service. I have personally used Stripe Radar and it appears to be the easiest option to protect against fraud attempts. It’s an all-in-one solution on the payment side. Just activate Stripe Radar and that’s it. Of course, not all of my customers use Stripe.

Preventing fraud attempts with WooCommerce Anti-Fraud and Maxmind’s minFraud

A better plan would be to prevent bad WooCommerce order attempts from hitting the payment gateway at all. I tried a few different combinations of plugins and anti-spam techniques before I settled on the WooCommerce Anti-Fraud plugin combined with Maxmind minFraud. The main thing I was looking for was a solution that handled these fraud checks in the background rather than a painful human check during the checkout process. Seriously, who wants to do a robot check in order to buy something?

WooCommerce Anti-Fraud was recently added as an official WooCommerce plugin, so it’s safe to assume it will be around for a number of years. On its own it provides a basic set of protection, such as limiting the number of times the same user or IP can make order attempts, or creating a set of rules that apply to guests vs former customers.
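To make the per-IP attempt limit concrete, here is a small Python detector added for this post (it is not code from the post or from the WooCommerce Anti-Fraud plugin). It counts failed orders per client IP over a sliding window and flags the burst pattern described above, while leaving a slow trickle of genuine declines alone. The log line format and the IP addresses are constructed for the example.

```python
"""Flag client IPs whose failed WooCommerce orders burst within a short window."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample, not real store data: one failed order record per line.
SAMPLE_LOG = """\
2024-03-01T09:00:00 order=2001 ip=198.51.100.7 status=failed
2024-03-01T09:00:04 order=2002 ip=198.51.100.7 status=failed
2024-03-01T09:00:09 order=2003 ip=198.51.100.7 status=failed
2024-03-01T09:00:15 order=2004 ip=198.51.100.7 status=failed
2024-03-01T09:00:20 order=2005 ip=198.51.100.7 status=failed
2024-03-01T09:00:25 order=2006 ip=198.51.100.7 status=failed
2024-03-01T09:03:00 order=2007 ip=203.0.113.44 status=failed
2024-03-01T09:45:00 order=2008 ip=203.0.113.44 status=failed
2024-03-01T10:30:00 order=2009 ip=203.0.113.44 status=failed
"""

WINDOW = timedelta(minutes=10)   # look-back window per IP
THRESHOLD = 5                    # failed orders inside the window that raise an alert


def parse_line(line):
    """Parse 'ISO-timestamp order=N ip=A.B.C.D status=S' into (timestamp, ip, status)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["ip"], kv["status"]


def find_card_testing(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return {ip: failed_count_when_first_flagged} for IPs exceeding the threshold.

    A sliding window per IP means only a burst of failures trips the alert;
    203.0.113.44 above fails three times across ninety minutes and stays quiet.
    """
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    recent = defaultdict(deque)   # ip -> timestamps of failed orders still in window
    flagged = {}
    for ts, ip, status in events:
        if status != "failed":
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # evict events older than the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = len(q)
    return flagged


if __name__ == "__main__":
    for ip, n in find_card_testing(SAMPLE_LOG).items():
        print(f"ALERT: suspected card testing from {ip}, {n} failed orders within {WINDOW}")
```

The same counter keyed on customer email or session instead of IP covers the plugin's "same user" rule.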

While the default set of rules helps, sophisticated attacks require extra protection. That’s where Maxmind’s minFraud service comes in. The minFraud service is a paid API that integrates with the WooCommerce Anti-Fraud plugin. It examines each order’s details and gives it a fraud score based on its intelligence database. In my experience, minFraud significantly increased WooCommerce Anti-Fraud’s accuracy, to the point where every bad order was being stopped before the payment. So, a huge success.

WooCommerce Anti-Fraud settings

Preventative measures will be increasingly necessary.

Unfortunately, I don’t see these sophisticated attacks going away anytime soon. Much like spam, the tactics and techniques are always changing. In fact, the incentives for these malicious attacks are more enticing than for just sending spam emails. The reward for email spam is that you can trick someone into doing something they shouldn’t, which can be dangerous. The reward for checkout attacks is real money they can just steal. All it takes is for them to find one valid credit card and they can continue to fund their operation, making it a worse experience for all WooCommerce store owners.

Luckily, the few extra steps above can stop their attacks completely. If they can’t get their credit cards through the checkout process, then your website provides them with no meaningful information. In my opinion, every WooCommerce website should have these preventative anti-fraud systems deployed. Anyone who’s experienced one of these attacks leaves the experience feeling like WooCommerce has failed you. I agree with you.

If you work for WooCommerce, then please consider bundling these core checks into all WooCommerce websites and all payment gateways. I suppose that’s why WooCommerce now offers its own WooCommerce Payments, which does bundle in fraud checks via a partnership with Stripe Radar. However, I don’t think the solution should be to change from one payment gateway to another. We just need better protection for everyone, no matter which payment method you decide to use for your website.