Onar Alili
Engineer
13 minutes to read
5 ways to stop spam orders and registrations in WooCommerce
WooCommerce is a go-to e-commerce plugin for WordPress. It supports different payment methods including Paypal, Stripe via add-ons, and standard payments like credit cards even cash & check payments. WooCommerce comes with a lot of features for free. You can start selling your products and offer a subscription with multiple currencies out of the box. No surprise WooCommerce is a leading e-commerce solution with %36.68 market share.
- Why do spammers create fake orders?
- OOPSpam WordPress plugin
- Configure user registration
- Block countries
- Honeypot
- reCAPTCHA & hCAPTCHA
- Final thoughts
As your store grows, it will attract spammers too. You may already have this issue as this is pretty common to have fake orders. Especially for the stores with high traffic.
Why do spammers create fake orders?
To stop spam orders first we need to understand why spammers decide to create a bunch of fake orders that going to be declined anyway. What benefit do they get from it?
There are so many reasons why bots (and spammers behind them) would attack your website. One of the most common reasons for spam orders is the card testing attack that we talked about in GiveWP Donation Form article. The card testing attack is a way to check if a stolen credit card is valid or not. This attack can be automated or manual and they tend to target donation forms where there are fewer steps to take to test a stolen card. For this reason, your WooCommerce store needs to at least require user registration to purchase a product.
Sometimes vulnerability scanners look for a specific security bug in WooCommerce. The spam bots create an order to test certain behavior in the checkout process and hope to discover a bug they are looking for. Before WooCommerce version 4.6.2, a user reported failed orders in WooCommerce support where an attacker was able to create an account without registration even though “Allow customers to create an account during checkout” setting is enabled. They announced the bug publicly and released a fix. This is a great example of why you may see many false orders. It’s important to keep your WordPress plugins including WooCommerce up-to-date.
Besides the above reasons, sometimes fake orders can be simply malicious targeted attacks to harm your business. Usually, spam orders cause chargeback issues, a bad reputation with the payment processors, lost sales (putting a lot of orders and making an item out of stock), and many others.
No matter the motive, you need to protect your WooCommerce store before it gets hit by hundred of spam orders. We’re going to look into some of the steps you can take to protect yourself from these attacks.
OOPSpam WordPress plugin
OOPSpam WordPress plugin (that’s us 👋) is one way to stop fake orders and spam registrations on your WooCommerce stores. The plugin works with OOPSpam API that protects over 3.5M websites daily. While most of the alternatives above are free, OOPSPam API is a paid service. But it does come with free 40/month spam checks for you to test and see the difference.
It’s likely you have already tried the below options, and they didn’t work for you. It could be a slow website from reCAPTCHA or overwhelming spam you are still getting despite implementing the below alternatives. These are benefits OOPSpam has over other alternative:
- Doesn’t slow down your website
- Keeps your site accessible to all users
- Stops both human spammers and bots
On the plugin’s settings page, you could also adjust how sensitive you want your spam filter to be. Even keeping the default Sensitivity level setting will help you cut down spam to zero.
In addition, the plugin allows you to set up a filter to accept orders only from certain countries and languages (for WooCommerce reviews). Country blocking is similar to WooCommerce’s Selling location(s) settings, however, OOPSpam applies this restriction across the website including product reviews, registration, and orders. As additional protection, the OOPSpam WordPress plugin also adds a honeypot field to all forms so you don’t have to install another plugin.
✨ Since then, we have also added the Block messages from these countries feature.
Unlike other premium solutions, OOPSpam is privacy-friendly. We don’t store, share your data, or use cookies. All the rejected spam logs are stored in your local WordPress database and can be viewed under Form Spam Entires settings.
Here are a few steps to activate spam protection for the WooCommerce-based store:
-
Subscribe to get an API key then copy-paste the API key to the plugin’s appropriate field under Settings->OOPSpam Anti-Spam on your WordPress Admin Dashboard.
ℹ️ Make sure to select OOPSpam Dashboard on the setting page
-
If you have WooCommerce installed then a special section will appear on the OOPSpam Anti-Spam plugin’s settings page.
- On this page, you need to activate the spam filter for WooCommerce by checking the Activate Spam Protection checkbox. You don’t have to do anything on your form. Once you activate spam protection on the OOPSpam plugin settings, you are good to go.
- Don’t forget to enter a short message to display when a spam order or registration is detected.
Blocking orders from Unknown origin in Woo
If you have origin tracking enabled, you can use OOPSpam to block all orders with an unknown origin attribute. This will effectively stop spam you receive from bots with just one click. In the plugin settings, enable the Block orders from unknown origin setting. That is all.
Configure user registration
As pointed out above, spammers are more likely to spam your store if allow they to buy without registration and leave anonymize reviews. WordPress and WooCommerce plugins come with a built-in configuration that allows you to prevent visitors from buying your product without registration. Both WordPress and WooCommerce have registration flow and they are separated. Disable WordPress registration if you don’t need it. Disabling it will NOT affect your WooCommerce account registration.
In your WordPress dashboard visit Settings -> General -> Membership and uncheck Anyone can register. This will effectively prevent spam WP user registration.
Time to require registration for the store purchases so that bots cannot create spam orders without registration. This allows us to track who created fake orders and block them. Visit WooCommerce -> Settings -> Guess Checkout and uncheck Allow customers to place orders without an account and check Allow customers to log into an existing account during checkout.
This is a basic configuration you could to prevent some bots. However, many bots can create accounts during the checkout because all it takes is to fill the email field in the checkout form. The main goal here is to capture and track the spammers’ email addresses and block them.
Block countries
This is perhaps the easiest way to prevent spam orders. WooCommerce comes with two powerful features that allow you to block countries. These are Selling location(s) and Shipping location(s) settings.
These features are a great fit for the store that serves a certain area. In the above example, we choose to sell only in US and Canada and ship only to these selected countries. Using just these two settings you could eliminate most of your fake orders. Besides the Selling to specific countries option, Selling location(s) setting has Sell to all countries, except for … which is another useful way to open your store to all countries but only block the spammers’ location. Once you start getting fraudulent orders, check the source countries of bots and add them under this setting.
Honeypot
We wrote extensively about the honeypot technique and how it works. While it’s not as effective as it used to be, it still prevents some bots from spamming your store. Unfortunately, WooCommerce doesn’t support honeypot, so you need to use a third-party plugin. There is a free plugin; WooCommerce Honey Pot Anti Spam that adds the honeypot field to your WooCommerce Login and Registration forms. If you haven’t heard about the honeypot field, it is a simple hidden field in your form. As it’s hidden from regular users, they will not able to fill it but this isn’t true for bots. Some bots fill every possible field in the registration/login form regardless hidden or visible. The honeypot technic relays on the fact that only bots will fill the hidden field and this is how it catches bots.
Using the honeypot method with the WooCommerce store is effective, especially when you just started getting spammed. It’s better to use this with another method for maximum protection.
reCAPTCHA & hCAPTCHA
Just like the honeypot, WooCommerce doesn’t support reCAPTCHA. Surprisingly, WooCommerce doesn’t offer these free spam protection measurements. However, you can add reCAPTCHA to your store through WooCommerce extension store. There are a couple of reCAPTCHA solutions available. reCaptcha for WooCommerce seems to be the most popular extension. While reCAPTCHA itself is a free solution, the extension isn’t. As of now, it’s $29/year. The extension supports both reCAPTCHA versions 2 and 3.
Should I set up v2 or v3?
v3 came after many people complained about accessibility and usability issues with v2. v2 asks visitors to solve a challenge before submitting a form. To address this issue, Google removed the “challenge” part of reCAPTCHA. As a result, with v3, users don’t solve any challenges. Instead, it tracks the user’s behavior on your website and scores the user from 0 (bot) to 1 (human). It is up to the website owner to determine the threshold.
hCAPTCHA
If you are looking for a free and privacy-friendly alternative to reCAPTCHA then hCAPTCHA is your solution. There is a free hCaptcha for WordPress plugin that supports WooCommerce too.
Many people are happy with reCAPTCHA and hCAPTCHA. They are effective against simple bots, however, advanced bots can still bypass CAPTCHA solutions. There are also “captcha farms” (e.g 2Captcha) where people get paid to solve reCAPTCHA and hCAPTCHA as low as 0.25 cents. It may also slow down your website as it loads extra js files into your website.
Final thoughts
All websites eventually get hit by spammers. As a store grows and gets more traffic it attracts more serious spammers with advanced bots. Both honeypot and CAPTCHA solutions will protect your website to a certain degree but they are not enough for targeted spam attacks, manual spam, and sophisticated bots. I hope this article helped you find a solution to your spam problem.
That is all! Go on and create your forms.
Happy spam-free day!