Dealing with Card Testing or Carding Attacks on your WooCommerce Store (Fraudulent Charges)


What’s card testing or carding?

Card testing, sometimes referred to as carding, is the act of running stolen credit card details through a payment processor to verify that the stolen information is still valid. The targets of card testing are usually online stores that allow small purchases and have weak security.

Preventing Card Testing in WordPress, WooCommerce and More

I’ve compiled a list of options for preventing card testing or carding in WooCommerce. The options are suggestions, and any referenced plugin or service is mentioned because it fits the use case, not as a general endorsement. Do your own research!

Several plugins capture credit card details, including WooCommerce, LearnDash, and others. This guide applies to some of them but not all.

1. Enable 3D Secure

If your payment gateway or payment processor supports 3D Secure, you should enable it. You will also need to ensure that the WooCommerce payment gateway plugin you’re using supports 3D Secure.

2. Add a Captcha (Easiest and Best Method)

This might seem counterintuitive, since the checkout experience is supposed to be quick and easy. It helps particularly if you require customers to create an account and give them the option to save their billing details: anything that makes checkout easier for the customer also makes it easier for attackers. You can add a captcha to the WooCommerce login, registration, and lost password pages. There is also an option to add a captcha on the checkout page itself, and it is an effective method.

Here are some WordPress captcha-based plugins, in no particular order.

3. Block Countries with a WordPress Plugin

If your store only serves a handful of countries, you can block checkout from every country it doesn’t serve. This can be done easily with a plugin and an IP-to-country database such as MaxMind’s. This type of database maps internet IP addresses to countries and is fairly accurate. You can download the database or use their API; they have free and paid plans.

Here are some WordPress plugins that allow you to block specific countries, in no particular order.

4. Block Countries with your Web Server


You can block countries using Nginx’s GeoIP module and some configurations. Here’s an example guide


You can block countries using Litespeed’s GeoLocation support which allows you to use Maxmind or IP2Location databases. You can read more on their website

Cloudflare Rules Country Block

You can set up a firewall rule to block specific countries from accessing your site, or to require captcha verification. You can check our sister site for the rules required.

Here are a couple of examples. You can add these in the “Edit expression” portion of the firewall rule instead of using the dropdowns.

Cloudflare Block Specific Countries

Cloudflare Block All Countries Except

You can go a step further and easily lock your entire site down using Cloudflare. This is the strongest protection against automated attacks that waste resources and against carding attacks.

5. Cloudflare Bot Fight Mode

There isn’t a specific Cloudflare feature that tackles card testing directly. There are, however, some important settings you should consider enabling or configuring. One of them is Bot Fight Mode, which can help if your site is being card tested by bots rather than by humans.

Bot Fight Mode will block Zapier and WordPress URL-based manual cron URLs, as well as external services that access your site via a URL. Furthermore, Bot Fight Mode may block indexers or crawlers.

When you enable Bot Fight Mode, it will sometimes block external services that are trying to pull data or trigger an event. Two popular examples are a third-party service like Zapier and a manual WP-Cron that uses curl and the wp-cron.php URL (see: Replacing WordPress WP Cron with Manual Cron (URL and PHP Method)).

I had two clients with Bot Fight Mode turned on, and the following happened.

Cloudflare Bot Fight Mode Issue #1 – Zapier

One client was using the WooCommerce Zapier plugin by OM4. Unfortunately, a Zap had failed, and when the client tried to confirm that the Zapier connection was working, the request was blocked and resulted in other issues. If you’re using Zapier with WooCommerce, always set up appropriate Zaps to monitor failed Zaps and Zaps that have been turned off.

Cloudflare Bot Fight Mode Issue #2 – WP-Cron

Another client was using GridPane for their site and had GP-Cron enabled. Unfortunately, GP-Cron uses the URL method and reaches out to the client’s site using the URL

Since the site’s domain is pointed at Cloudflare, the request goes through Cloudflare first and is then blocked by Bot Fight Mode, even though the request is coming from the origin server itself. This ended up causing issues with WooCommerce Subscriptions not firing correctly.

You can whitelist traffic from Cloudflare’s Bot Fight Mode, but not by user agent or request URL: you can only whitelist the origin server’s IP. And if you move your site, you have to remember to change this IP address.

6. Throttling Requests

Throttling WooCommerce orders is another option. It will not stop card testing completely, but it will definitely make automated attacks harder.

Nexcess Limit Orders Plugin

There is a plugin by Nexcess that limits WooCommerce orders overall, not per customer or by other variables such as IP address. You can learn more about the plugin in the WordPress plugin directory.

YITH WooCommerce Anti-Fraud Plugin

Another plugin, YITH WooCommerce Anti-Fraud, has an “Attempt count check” setting that only allows a certain number of orders within a certain time period per IP address. This is very useful, but some attackers will rotate through different IP addresses. You can read more about the plugin on the YITH website.

Cloudflare Rate Limiting

I don’t have experience with this feature, but you can set up Rate Limiting rules on paid Cloudflare plans. These allow you to rate limit IPs and only allow a specific number of connections per IP in a given time frame.
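As an added illustration of the country blocking in section 3 and the per-IP and store-wide throttling in section 6 (this is example code, not code from the article or from any plugin it names), here is a small WordPress mu-plugin that hooks WooCommerce checkout validation. It assumes WooCommerce’s MaxMind geolocation is configured; the country list, limits and `cc_` function names are placeholders.

```php
<?php
// Added example, not code from this article or from any plugin it names.
// Hooks WooCommerce checkout validation to (1) refuse orders whose client IP
// geolocates outside an allowlist and (2) throttle checkout attempts per IP
// and store-wide. Assumes WooCommerce's MaxMind geolocation is configured;
// the country list and limits below are illustrative placeholders.
add_action( 'woocommerce_after_checkout_validation', 'cc_guard_checkout', 10, 2 );

function cc_guard_checkout( $data, $errors ) {
    $allowed_countries = array( 'US', 'CA' );   // placeholder allowlist
    $per_ip_limit      = 5;                      // attempts per IP per window
    $global_limit      = 100;                    // attempts store-wide per window
    $window            = 10 * MINUTE_IN_SECONDS;

    // Behind Cloudflare the origin must restore the real client IP (e.g. from
    // CF-Connecting-IP); otherwise every visitor shares Cloudflare's address.
    $ip = WC_Geolocation::get_ip_address();

    // 1. Country check on the IP, not on the attacker-controlled billing field.
    //    Fails open when geolocation returns nothing, so legitimate orders pass.
    $geo = WC_Geolocation::geolocate_ip( $ip );
    if ( ! empty( $geo['country'] ) && ! in_array( $geo['country'], $allowed_countries, true ) ) {
        $errors->add( 'cc_country', __( 'We cannot process orders from your location.', 'cc-guard' ) );
        return;
    }

    // 2. Count every validation attempt, failed ones included: card testing
    //    shows up as many declined attempts, not as completed orders.
    $ip_hits     = cc_bump_counter( 'cc_attempts_' . md5( $ip ), $window );
    $global_hits = cc_bump_counter( 'cc_attempts_global', $window );
    if ( $ip_hits > $per_ip_limit || $global_hits > $global_limit ) {
        $errors->add( 'cc_throttle', __( 'Too many checkout attempts. Please try again later.', 'cc-guard' ) );
    }
}

// Increment a transient counter and return the new value. Re-setting the
// transient restarts its expiry, so the window slides: an attacker who keeps
// hammering stays throttled until they pause for a full window.
function cc_bump_counter( $key, $window ) {
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, $window );
    return $count;
}
```

The store-wide limit trips for everyone, so size it to your peak legitimate checkout rate and alert when it fires.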

7. Email or SMS Account Verification

Requiring users to verify their email address before ordering is another way to slow down automated card testing attacks. However, it delays checkout for legitimate customers, especially if the verification email or SMS doesn’t arrive in time or is marked as spam.

8. Fraud Detection Plugins

A couple of fraud detection or anti-fraud plugins are available. Some simply flag an order as likely fraudulent; others will block orders.

Here’s a list of fraud detection and anti-fraud plugins, in no specific order.

There are multiple methods and solutions for blocking card testing or carding. However, each store is different: some will be able to get by with simple and free solutions, while others might need more protection. Make sure you do your own research on the above-linked plugins.

Other Options

There are a number of other options that I haven’t detailed in this article, please let me know if I’ve missed anything and I will update this article.

Content Updates

  • 08/27/2021 – Added more details about Cloudflare Bot Fight Mode and how it will block WP-Cron and Zapier.
  • 07/08/2021 – Added FAQ about Cloudflare Bot Fight Mode.
  • 10/26/2021 – Added information on using Cloudflare to block countries.
  • 02/08/2021 – Added Cloudflare Rate Limiting
  • 03/23/2022 – Updated link to Nexcess Order Limiting
  • 09/20/2022 – Added more information about Cloudflare and random updates.
