Overview

As with WordPress itself, we recommend taking extra steps to limit malicious activity on your WooCommerce website. While we’d love every store to be busy only because customers want its products, shopping carts also attract malicious use, which can cause severe problems for both your business and your payment provider.

One common abuse is scripted fake orders placed through your WooCommerce checkout. These orders are not placed to receive the goods; they are placed to find out which stolen credit cards still work (often called a “carding attack” or “card testing”). Each such order has to be refunded, and if the activity is allowed to continue, your payment gateway provider may block all transactions on your account, including genuine ones, indefinitely.

We have the following recommendations to limit and block fraudulent orders.

Use a CAPTCHA system on your site

A CAPTCHA is recommended for all WordPress sites to prevent spam anyway, and it has the added benefit of limiting scripted fake orders via WooCommerce: the CAPTCHA system (for example, Google’s free reCAPTCHA service) runs a number of checks to decide whether a request comes from a human or a script. Earlier versions of reCAPTCHA required clicking a checkbox or matching images to names; modern versions offer an invisible mode that does not bother the user unless it suspects a script. Whichever mode you use, the check must be enforced on the server when the checkout form is submitted; a widget that only runs in the browser is simply skipped by a script that posts straight to the checkout endpoint.

We recommend looking at the following plugins to implement it:

Other plugins may also be suitable. The critical thing to check is that the plugin protects the checkout, including guest checkout; many only cover logins and registrations, which leaves the checkout, where card testing actually happens, unprotected.
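To make the guest-checkout point concrete, here is an added example (not one of the plugins above, and not WooCommerce’s own code) of what a checkout protection has to do: put a reCAPTCHA v3 token into the checkout form and verify it on the server in the woocommerce_checkout_process hook, which runs for every checkout whether or not the customer is logged in. The constant names WCF_RECAPTCHA_SITE_KEY, WCF_RECAPTCHA_SECRET_KEY and WCF_RECAPTCHA_MIN_SCORE, the wcf- prefixes and the 0.5 score threshold are assumptions for this example; the hook names, WordPress HTTP functions and the siteverify endpoint are real.

```php
<?php
/**
 * Plugin Name: Checkout reCAPTCHA check (added example)
 *
 * Illustrative server-side reCAPTCHA v3 enforcement on the WooCommerce
 * checkout. Assumes the keys are defined as constants (hypothetical names)
 * in wp-config.php:
 *   define( 'WCF_RECAPTCHA_SITE_KEY',   '...' );
 *   define( 'WCF_RECAPTCHA_SECRET_KEY', '...' );
 */

defined( 'ABSPATH' ) || exit;

const WCF_RECAPTCHA_MIN_SCORE = 0.5; // assumption; v3 scores run 0.0 (bot) to 1.0 (human)

// 1. On the checkout page, load the v3 script and keep a fresh token in a
//    hidden field. v3 tokens expire after two minutes, so refresh them.
add_action( 'wp_enqueue_scripts', function () {
    if ( ! function_exists( 'is_checkout' ) || ! is_checkout() ) {
        return;
    }
    wp_enqueue_script(
        'wcf-recaptcha',
        'https://www.google.com/recaptcha/api.js?render=' . rawurlencode( WCF_RECAPTCHA_SITE_KEY ),
        array(),
        null,
        true
    );
    $site_key = wp_json_encode( WCF_RECAPTCHA_SITE_KEY );
    wp_add_inline_script( 'wcf-recaptcha', "
        function wcfRefreshToken() {
            grecaptcha.execute({$site_key}, { action: 'checkout' }).then(function (token) {
                var field = document.getElementById('wcf-recaptcha-token');
                if (field) { field.value = token; }
            });
        }
        grecaptcha.ready(function () {
            wcfRefreshToken();
            setInterval(wcfRefreshToken, 90000);
        });
    " );
} );

// 2. The hidden field sits inside the checkout <form>, so WooCommerce's AJAX
//    checkout submits it along with the billing fields.
add_action( 'woocommerce_review_order_before_submit', function () {
    echo '<input type="hidden" id="wcf-recaptcha-token" name="g-recaptcha-response" value="">';
} );

// 3. Verify on the server. woocommerce_checkout_process fires for every
//    checkout, guest or logged in, before the order is created; any error
//    notice added here aborts the checkout.
add_action( 'woocommerce_checkout_process', function () {
    $fail = function () {
        wc_add_notice( __( 'We could not verify your request. Please reload the page and try again.', 'wcf' ), 'error' );
    };

    $token = isset( $_POST['g-recaptcha-response'] ) ? sanitize_text_field( wp_unslash( $_POST['g-recaptcha-response'] ) ) : '';
    if ( '' === $token ) {
        $fail(); // a script posting straight to the checkout endpoint lands here
        return;
    }

    $response = wp_remote_post( 'https://www.google.com/recaptcha/api/siteverify', array(
        'timeout' => 5,
        'body'    => array(
            'secret'   => WCF_RECAPTCHA_SECRET_KEY,
            'response' => $token,
            'remoteip' => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '',
        ),
    ) );

    if ( is_wp_error( $response ) ) {
        $fail(); // fail closed: an unreachable verifier must not wave orders through
        return;
    }

    $result = json_decode( wp_remote_retrieve_body( $response ), true );
    $ok     = is_array( $result )
        && ! empty( $result['success'] )
        && 'checkout' === ( $result['action'] ?? '' )              // token was minted for this form
        && (float) ( $result['score'] ?? 0 ) >= WCF_RECAPTCHA_MIN_SCORE;

    if ( ! $ok ) {
        $fail();
    }
} );
```

Two design points worth noting. The verification fails closed: if Google’s siteverify endpoint cannot be reached, the checkout is refused rather than allowed through, which is the right trade-off while a card-testing run is in progress but does mean an outage at Google blocks sales. And because a v3 token is accepted by siteverify only once, a script cannot harvest one token and replay it across hundreds of orders; it has to solve reCAPTCHA for each attempt.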

If you need to generate reCAPTCHA keys, see our guide Creating a reCAPTCHA Key via Google.

Warning

Installing more than one plugin that adds CAPTCHA protection can cause all of them to fail. Check and test any plugin installation thoroughly, including a complete guest checkout.

Use Fraud Detection

A CAPTCHA stops scripts and bots, but it won’t stop a person submitting orders by hand, for example someone trying to obtain products by deception using a stolen credit card.

Fraud detection systems check signals such as the country the order comes from, whether the customer is using a VPN, whether the email address is on a free webmail service, whether this is a first order or a new account, and a number of other heuristics, and combine them into an overall risk score. You set a threshold: orders whose score exceeds it are held for manual review before they are fulfilled instead of being processed automatically.
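As an added example of the score-and-threshold idea (illustrative code for this article, not the code of either plugin recommended below), the following mu-plugin scores each new order with a few of the heuristics just listed and applies two thresholds: above the higher one the checkout is refused before the gateway is asked to charge the card, which is what matters against card testing; above the lower one payment is taken but the order lands in “on hold” instead of “processing”, so nothing ships until someone reviews it. The wcf_ function name, the WCF_ constants, the _wcf_risk_score meta key, the weights and the webmail domain list are assumptions; the WooCommerce hooks and functions are real.

```php
<?php
/**
 * Plugin Name: Order risk score (added example)
 *
 * Illustrative heuristic scoring; not a replacement for a maintained fraud
 * detection plugin. Hypothetical names: wcf_* functions, WCF_* constants,
 * the _wcf_risk_score order meta key. Weights are assumptions; tune them
 * against your own order history.
 */

defined( 'ABSPATH' ) || exit;

const WCF_RISK_HOLD  = 40; // at or above: take payment but hold for manual review
const WCF_RISK_BLOCK = 70; // at or above: refuse checkout before the card is charged

function wcf_order_risk_score( WC_Order $order ) {
    $score   = 0;
    $reasons = array();

    // Billing country outside the store's own country (assumes a domestic store).
    $base = wc_get_base_location();
    if ( $order->get_billing_country() && $order->get_billing_country() !== $base['country'] ) {
        $score    += 30;
        $reasons[] = 'billing country ' . $order->get_billing_country();
    }

    // Shipping and billing countries differ.
    if ( $order->get_shipping_country() && $order->get_shipping_country() !== $order->get_billing_country() ) {
        $score    += 20;
        $reasons[] = 'ship/bill country mismatch';
    }

    // Free webmail address (sample list; extend as needed).
    $free_domains = array( 'gmail.com', 'yahoo.com', 'outlook.com', 'hotmail.com', 'protonmail.com' );
    $domain       = strtolower( (string) substr( strrchr( $order->get_billing_email(), '@' ), 1 ) );
    if ( in_array( $domain, $free_domains, true ) ) {
        $score    += 10;
        $reasons[] = 'free email domain';
    }

    // Guest checkout or first order on the account. The current order already
    // exists when this runs, so a count of 1 means "no previous orders".
    $customer_id = $order->get_customer_id();
    if ( ! $customer_id || wc_get_customer_order_count( $customer_id ) <= 1 ) {
        $score    += 20;
        $reasons[] = 'new customer';
    }

    // Velocity: other orders from the same IP within the last hour is the
    // classic card-testing signature, so it carries the largest weight.
    $ip = $order->get_customer_ip_address();
    if ( $ip ) {
        $recent = wc_get_orders( array(
            'limit'               => 5,
            'return'              => 'ids',
            'exclude'             => array( $order->get_id() ),
            'customer_ip_address' => $ip,
            'date_created'        => '>' . ( time() - HOUR_IN_SECONDS ),
        ) );
        if ( count( $recent ) >= 2 ) {
            $score    += 40;
            $reasons[] = count( $recent ) . ' other orders from ' . $ip . ' in the last hour';
        }
    }

    return array( 'score' => $score, 'reasons' => $reasons );
}

// Runs after the order is created and before the gateway is asked to charge it.
add_action( 'woocommerce_checkout_order_processed', function ( $order_id, $posted_data, $order ) {
    $result = wcf_order_risk_score( $order );
    $order->update_meta_data( '_wcf_risk_score', $result['score'] );
    $order->add_order_note( sprintf( 'Risk score %d (%s)', $result['score'], implode( '; ', $result['reasons'] ) ?: 'no flags' ) );
    $order->save();

    if ( $result['score'] >= WCF_RISK_BLOCK ) {
        // WC_Checkout::process_checkout() catches this, shows the message to the
        // customer and never calls the gateway, so the card is not charged.
        throw new Exception( __( 'We could not process this order. Please contact us.', 'wcf' ) );
    }
}, 10, 3 );

// Middle band: let the payment go through, but land the order in "on hold"
// rather than "processing", so it waits for a human before anything ships.
add_filter( 'woocommerce_payment_complete_order_status', function ( $status, $order_id, $order ) {
    $score = (int) $order->get_meta( '_wcf_risk_score' );
    return ( $score >= WCF_RISK_HOLD ) ? 'on-hold' : $status;
}, 10, 3 );
```

The hold is applied through the woocommerce_payment_complete_order_status filter rather than by setting the status at checkout time, because a gateway’s payment_complete() moves an on-hold order to processing anyway; the filter is consulted at exactly that moment. The order note records which heuristics fired, which is what you need when tuning the weights or explaining a held order to a genuine customer.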

Here are the two plugins we recommend:

Other security measures

Stopping fraudulent orders is only one part of the picture. Keeping WordPress core, WooCommerce, and all plugins and themes up to date is critical to the security of your store. If you’re not on a Managed WordPress Plan, we highly recommend updating your WooCommerce store regularly.

Additional security tools such as Wordfence also help, combined with unique, strong passwords for every account on the site.
