Hi there!
Thank you for sharing the context regarding the carding attacks targeting your WooCommerce store via the /wp-json/wc/store/cart endpoint. I completely understand how critical it is to safeguard your store from these fraudulent activities to protect your business and your customers.
To help protect your WooCommerce store from API-based carding attacks, here are several effective steps you can take:
- Implement a CAPTCHA. Extensions such as reCaptcha for WooCommerce or Google reCaptcha for WooCommerce are quick and easy ways to achieve this. Either of these plugins will insert a mandatory bot detection mechanism into your checkout process, which can help prevent automated fraud. A free plugin that only supports Google’s v2 (Checkbox) reCaptcha is available on ww.wp.xz.cn.
- Cloudflare Turnstile is a newer alternative to CAPTCHA plugins that provides a lightweight, privacy-focused solution for bot detection. By integrating Turnstile into your checkout process, you can add an extra layer of security without compromising user experience, helping to safeguard your store against automated fraud attempts. Turnstile is free to use with the Simple Cloudflare Turnstile plugin from ww.wp.xz.cn. A paid option is also available on the WooCommerce.com marketplace.
- WooCommerce Anti-Fraud is an extension that allows you to set up complex rules that, when triggered, will block the offending transactions. This extension offers even more power and flexibility than the rules built into WooPayments.
- Anti-Fraud Shield for WooCommerce offers highly customizable fraud detection and prevention techniques. It helps you reduce card testing activities and block fraud orders manually or automatically.
If you install one of the above plugins, be sure to read the documentation thoroughly. If the plugins are not configured correctly, they will offer little or no protection!
I hope this helps.
I’m going to mark this as resolved, as we haven’t heard back from you in a while. Please open a new thread if you need further assistance.
We’d really appreciate it if you could take a moment to leave us a review: https://ww.wp.xz.cn/support/plugin/woocommerce/reviews/