Table of Contents
- What’s card testing or carding?
- Preventing Card Testing in WordPress, WooCommerce and More
- Other Cloudflare Guides
- Other Options
- Content Updates
Card testing, sometimes referred to as carding, is the act of testing stolen credit card information against a payment processor to verify that the stolen details are valid. The targets of card testing are usually online stores that allow small purchases and have weak security.
I’ve compiled a list of options for preventing card testing or carding in WooCommerce. The options provided are suggestions, and any referenced plugin and service is simply a match and not a general endorsement. Do your own research!
There are multiple plugins that capture credit card details, including WooCommerce, LearnDash, and others. This guide applies to some of them but not all.
If your payment gateway or payment processor supports 3D Secure, then you should enable this feature. You will need to ensure that the WordPress WooCommerce plugin you’re using supports 3D Secure.
This might seem counterintuitive, since the checkout experience is supposed to be quick and easy. It helps if you require customers to create an account, with the option to save their billing details. Keep in mind that anything that makes checkout easier for the customer also makes it easier for the attackers. You can add a captcha to the WooCommerce login, registration, and forgot-password pages. There is also an option to add a captcha on the checkout itself; it adds friction, but it's an effective method.
Here are some WordPress captcha-based plugins in no official order.
If your store only serves a handful of countries, you can block every other country from checking out. This is easily done with a plugin and, typically, an IP-to-country database such as MaxMind's. This type of database maps internet IP addresses to countries and is fairly accurate. You can download the database or use their API; both free and paid plans are available.
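As an added example (not from the original article or from any plugin it names), the following must-use plugin enforces a country allowlist at checkout time. It assumes WooCommerce is active and relies on WooCommerce's own `WC_Geolocation` class, which uses the MaxMind database when that integration is configured; the allowed-country list and the `cca_` names are constructed for the example.

```php
<?php
/**
 * Plugin Name: Checkout Country Allowlist (example)
 *
 * Added example, not part of the original article or of any named plugin.
 * Place in wp-content/mu-plugins/ so it loads without activation.
 * Assumes WooCommerce is active. WC_Geolocation resolves an IP to a
 * country through the MaxMind database when the MaxMind integration is
 * configured under WooCommerce > Settings > Integration.
 */

// Countries the store actually serves. Constructed list for the example.
define( 'CCA_ALLOWED_COUNTRIES', array( 'US', 'CA' ) );

/**
 * True only if both the billing country the customer typed and the country
 * derived from the customer's IP are on the allowlist. Kept free of
 * WordPress calls so it can be unit-tested in isolation.
 */
function cca_checkout_allowed( $billing_country, $ip_country, $allowed ) {
	$billing_country = strtoupper( (string) $billing_country );
	$ip_country      = strtoupper( (string) $ip_country );

	// An empty IP country means the lookup failed (no database, private IP).
	// Fail closed: an unknown origin is treated like a blocked one.
	if ( '' === $ip_country ) {
		return false;
	}
	return in_array( $billing_country, $allowed, true )
		&& in_array( $ip_country, $allowed, true );
}

/**
 * Runs during checkout validation. An 'error' notice added here makes
 * WooCommerce abort the order before anything is sent to the gateway.
 */
function cca_validate_checkout_country() {
	$billing_country = isset( $_POST['billing_country'] )
		? wc_clean( wp_unslash( $_POST['billing_country'] ) )
		: '';

	// get_ip_address() honours X-Real-IP / X-Forwarded-For, so the result is
	// only trustworthy when a proxy you control (e.g. Cloudflare) sets them
	// and the origin does not accept direct connections.
	$ip = WC_Geolocation::get_ip_address();

	// fallback=false and api_fallback=false: on lookup failure we want an
	// empty country, not the store's base country, so the check fails closed.
	$location   = WC_Geolocation::geolocate_ip( $ip, false, false );
	$ip_country = isset( $location['country'] ) ? $location['country'] : '';

	if ( ! cca_checkout_allowed( $billing_country, $ip_country, CCA_ALLOWED_COUNTRIES ) ) {
		wc_add_notice(
			__( 'Sorry, we are unable to accept orders from your location.', 'cca' ),
			'error'
		);
		// Log the block so a burst of refused checkouts is visible to the owner.
		error_log( sprintf(
			'Checkout blocked: ip=%s ip_country=%s billing_country=%s',
			$ip, $ip_country, $billing_country
		) );
	}
}
add_action( 'woocommerce_checkout_process', 'cca_validate_checkout_country' );
```

Failing closed on a missing lookup is a deliberate choice: it means a server with no MaxMind database configured blocks every checkout, which is easy to notice in testing, rather than silently letting everything through. The `woocommerce_checkout_process` hook fires for the classic shortcode checkout; the block-based checkout goes through the Store API and needs its own hook.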
Here are some WordPress plugins that allow you to block specific countries in no official order.
You can block countries using Nginx’s GeoIP module and some configurations. Here’s an example guide
You can block countries using Litespeed’s GeoLocation support which allows you to use Maxmind or IP2Location databases. You can read more on their website
You can set up a Cloudflare firewall rule to block specific countries from accessing your site, or to require captcha verification. You can check our sister site wpguide.io for the rules required.
Here are a couple of examples. You can add these to the edit expression portion of the firewall rule instead of using the dropdowns.
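The two rules below are added examples written for this article, not rules taken from the original page or from wpguide.io. They assume the classic WooCommerce checkout, whose form submits to `?wc-ajax=checkout`, and the country codes are a constructed allowlist.

```text
# Rule 1: refuse checkout submissions from countries the store does not serve
# Action: Block
(http.request.uri.query contains "wc-ajax=checkout" and not ip.geoip.country in {"US" "CA"})

# Rule 2: challenge browsers loading the checkout page, so the clearance
# cookie is set before the AJAX submission in Rule 1 ever happens
# Action: Managed Challenge
(http.request.uri.path eq "/checkout/" and http.request.method eq "GET" and not cf.client.bot)
```

Challenge the GET of the checkout page rather than the AJAX POST: a challenge page returned to an XHR request cannot be completed by the browser, so challenging the POST directly would break checkout for real customers as well as bots.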
You can go a step further and lock your entire site down using Cloudflare easily. This is the ultimate protection from automated attacks resulting in wasted resources and carding attacks.
- Rant, Cloudflare Bot Fight Mode doesn’t provide firewall bypass or whitelist?
- Using Cloudflare Without Changing your Name Servers
- Cloudflare 520 Errors Explained and Investigated
- Locking Down your WordPress site with Cloudflare WAF Rules
- Protecting the WordPress Admin Login with Cloudflare
- Testing and Reviewing Cloudflare Firewall and WAF Rules
There isn't a specific Cloudflare feature that tackles card testing directly. There are, however, some important settings you should consider enabling or configuring. One of them is Bot Fight Mode, which can help if your site is being card tested by bots rather than humans.
When you enable Bot Fight Mode, it will sometimes block external services that are trying to pull data or trigger an event. Two popular examples would be a third-party service like Zapier or a manual WP-Cron that uses curl and the wp-cron.php URL (See: Replacing WordPress WP Cron with Manual Cron (URL and PHP Method)).
I had two clients that had Bot Fight Mode turned on, and the following happened.
One client was using the WooCommerce Zapier plugin by OM4. Unfortunately, a Zap had failed and the client tried to confirm that the Zapier connection was working. This was blocked and resulted in other issues. If you’re using Zapier with WooCommerce, always set up appropriate Zaps to monitor failed zaps and when zaps are turned off.
Another client was using GridPane for their site and had GP-Cron enabled. Unfortunately, the GP-Cron uses the URL method and will reach out to the client’s site using the URL https://domain.com/wp-cron.php?doing_wp_cron
Since domain.com is pointed at Cloudflare, the request goes through Cloudflare first and then gets blocked by Bot Fight Mode, even though the request is coming from the original server. This ended up causing issues with WooCommerce Subscriptions not firing correctly.
You can whitelist Cloudflare's Bot Fight Mode, but not by user agent or request URL. You can only whitelist the origin server's IP, and if you move your site around, you have to remember to change this IP address.
Throttling WooCommerce orders is another option that will not stop card testing completely but will definitely make it harder for automated attacks to occur.
There is a plugin by Nexcess that limits WooCommerce orders overall, not per customer or by other variables such as IP address. You can learn more about the plugin on the WordPress plugin directory.
Another plugin by YITH called YITH WooCommerce Anti Fraud does have a setting “Attempt count check” which will only allow a certain amount of orders to occur within a certain time period based on IP Address. This is very useful, but some attackers will use different IP addresses. You can read more about the plugin on the YITH website.
I don't have experience with this feature, but you can set up Rate Limiting rules on paid Cloudflare plans. This would allow you to rate limit IPs and only allow a specific number of requests per IP in a given time frame.
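For a store that wants per-IP throttling without a paid Cloudflare plan, here is an added example (not from the article or from the Nexcess or YITH plugins) of a small must-use plugin that counts checkout attempts per client IP in a WordPress transient. It assumes WooCommerce is active; the limits and the `cat_` names are constructed for the example.

```php
<?php
/**
 * Plugin Name: Checkout Attempt Throttle (example)
 *
 * Added example, not part of the original article or of any named plugin.
 * Place in wp-content/mu-plugins/. Assumes WooCommerce is active.
 * Counts checkout submissions per client IP and refuses further attempts
 * once the limit for the window is reached.
 */

define( 'CAT_MAX_ATTEMPTS', 5 );      // attempts allowed per window (constructed)
define( 'CAT_WINDOW_SECONDS', 600 );  // 10 minute window (constructed)

/**
 * Increment the attempt counter stored under $key and report whether the
 * caller is still within the limit. Transients are read-then-written, not
 * atomic, so under heavy concurrency the count may undershoot by a few;
 * that is acceptable for a throttle but would not be for billing.
 */
function cat_register_attempt( $key, $max, $window ) {
	$count = (int) get_transient( $key ) + 1;
	// Re-arming the expiry on every attempt makes the window slide from the
	// most recent attempt, so a steady trickle never "resets" the counter.
	set_transient( $key, $count, $window );
	return $count <= $max;
}

/**
 * Checkout validation hook. Fires for the classic shortcode checkout only;
 * the block-based checkout uses the Store API and needs its own hook.
 */
function cat_throttle_checkout() {
	// Honours X-Real-IP / X-Forwarded-For, which is what you want behind
	// Cloudflare, provided the origin only accepts connections from it.
	$ip = WC_Geolocation::get_ip_address();
	if ( '' === $ip ) {
		return; // Cannot attribute the request; leave it to the other checks.
	}

	// Hash the address so raw customer IPs do not accumulate in wp_options.
	$key = 'cat_' . hash( 'sha256', $ip );

	if ( ! cat_register_attempt( $key, CAT_MAX_ATTEMPTS, CAT_WINDOW_SECONDS ) ) {
		wc_add_notice(
			__( 'Too many checkout attempts. Please wait a few minutes and try again.', 'cat' ),
			'error'
		);
		// Log it: a stream of these lines is the first sign of a carding run.
		error_log( 'Checkout throttled for ' . $ip );
	}
}
add_action( 'woocommerce_checkout_process', 'cat_throttle_checkout' );
```

Because the key is the client IP, customers behind one shared NAT (an office, a campus) share a single budget, and an attacker rotating addresses, as the article notes, gets a fresh budget per address. Treat it as one layer that makes automation more expensive, not as the whole defence.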
Requiring users to verify their emails before ordering is another means to slow down automated card testing attacks. However, this presents a delay in a customer checking out. Especially if the verification email or SMS doesn’t arrive in time or is marked as spam.
There are a couple of Fraud Detection or Anti Fraud plugins available. Some are simply there to let you know that an order is likely to be fraudulent, some will block orders.
Here’s a list of Fraud Detection and Anti Fraud Plugins in no specific order.
There are multiple methods and solutions to block card testing or carding. However, each store is different and some will be able to get by with simple and free solutions, while others might need more protection. Make sure you do your own research on the above-linked plugins.
There are a number of other options that I haven’t detailed in this article, please let me know if I’ve missed anything and I will update this article.